My computer is sluggish.

Sometimes it freezes for about 20 s and nothing can be done, as if it had hung, but it soon goes back to normal. My games stutter and the internet somehow runs slower. I went over it with Ad-Aware, Spybot, ActiveScan and McAfee; I have a firewall (McAfee). ActiveScan came up with this:

Adware:Adware/FunWeb Nie wyleczalny C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
Adware:Adware/CWS.Searchmeup Nie wyleczalny C:\WINDOWS\system32\audissrp.exe
Spyware:Spyware/FastSearchWeb Nie wyleczalny C:\WINDOWS\system32\docntrop.dll
Adware:Adware/Findspy Nie wyleczalny C:\WINDOWS\system32\fixmapirs.exe

I dug around in the log a bit, but there was nothing interesting:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe
C:\PROGRA~1\NEOSTR~1\ComComp.exe
C:\PROGRA~1\NEOSTR~1\Watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_22.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{154BC95B-DA53-4827-ACBF-BA870380D1D7}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7636265-EC7D-4B9D-B318-07F835D02DD2}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{154BC95B-DA53-4827-ACBF-BA870380D1D7}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{154BC95B-DA53-4827-ACBF-BA870380D1D7}: NameServer = 69.50.184.86,85.255.112.9
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

And I also keep getting a balloon with the following text:
"Spyware activity detected"

Replies: 5

This:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csdmk.exe" [null data]

It looks like the mother of all these malicious processes; it is probably responsible for rotating the file names, recreating them, etc.

These, I suspect, are the children:
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [null data]
"dmssn.exe" = "C:\WINDOWS\System32\dmssn.exe" [null data]
"dmzen.exe" = "C:\WINDOWS\System32\dmzen.exe" [null data]


We won't pussyfoot around.
Boot into the Recovery Console and type:

cd C:\Windows\system32
attrib -r -s -h csdmk.exe
attrib -r -s -h hclean32.exe
attrib -r -s -h dmssn.exe
attrib -r -s -h dmzen.exe
del csdmk.exe
del hclean32.exe
del dmssn.exe
del dmzen.exe

Boot the system normally, open Notepad and paste this into it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hclean32.exe"=-
"dmssn.exe"=-
"dmzen.exe"=-


Of course, save it with the .reg extension and merge it into the registry.
Don't delay, and if there is another name rotation you know what to do: hit them all at once, not in instalments.
Update: the DNS addresses belong to Flush.
Bobi
Added
22.07.2005 22:18:14
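As an added example (not from this thread or its posters), a small Python triage script for the three indicators the replies point at: O17 NameServer entries that name resolvers other than the ISP's, a non-empty Winlogon "System" value, and Run entries that point at unversioned files in System32. The sample lines and the trusted-resolver list are constructed from the logs pasted in this thread; the function names are my own.

```python
import re

# Constructed sample lines modelled on the HijackThis / Silent Runners output above, not the raw log.
SAMPLE_LOG = r'''
O17 - HKLM\System\CCS\Services\Tcpip\..\{154BC95B-DA53-4827-ACBF-BA870380D1D7}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7636265-EC7D-4B9D-B318-07F835D02DD2}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{154BC95B-DA53-4827-ACBF-BA870380D1D7}: NameServer = 69.50.184.86,85.255.112.9
INFECTION WARNING! "System" = "csdmk.exe" [null data]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [null data]
"Komunikator" = "C:\Program Files\Tlen.pl\tlen.exe" [null data]
'''

# The resolvers the ISP really assigns (the second O17 line in the log); anything else is suspect.
TRUSTED_DNS = {"194.204.152.34", "217.98.63.164"}

O17_RE = re.compile(r'^O17 - HKLM\\System\\(\w+)\\Services\\Tcpip\\\.\.\\(\{[0-9A-F-]+\}): NameServer = (.+)$', re.I)
RUN_RE = re.compile(r'^"([^"]+)" = "([^"]+)" \[null data\]$')
WINLOGON_RE = re.compile(r'"System" = "([^"]*)"')

def rogue_nameservers(log):
    """(control set, interface GUID, [untrusted IPs]) for every O17 entry naming a resolver
    outside TRUSTED_DNS. HijackThis separates servers with a comma or a space, so split on both."""
    hits = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        bad = [ip for ip in re.split(r'[,\s]+', m.group(3).strip()) if ip not in TRUSTED_DNS]
        if bad:
            hits.append((m.group(1), m.group(2), bad))
    return hits

def winlogon_system_value(log):
    """Winlogon's "System" value is empty on a clean XP box; return it when it is set."""
    for line in log.splitlines():
        m = WINLOGON_RE.search(line)
        if m and m.group(1):
            return m.group(1)
    return None

def unversioned_system32_run_entries(log):
    """Run entries with no version info ([null data]) that live in System32 and whose
    value name is just the file name: the shape of the files flagged in this thread."""
    hits = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m and '\\system32\\' in m.group(2).lower() and m.group(2).lower().endswith('\\' + m.group(1).lower()):
            hits.append(m.group(2))
    return hits
```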
Very strange business. I don't see those files in safe mode either, and they aren't in the registry either. You said Silent hadn't finished its work; I understand I have to wait a bit longer. I did that and saw something interesting, namely the second file you told me to throw out changed its name to dmssn.exe. Pasting the log again:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non–default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Komunikator" = "C:\Program Files\Tlen.pl\tlen.exe" [null data]
"Steam" = (empty string)
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"VSOCheckTask" = ""c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"VirusScan Online" = ""c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"" ["McAfee, Inc."]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" ["McAfee, Inc"]
"MPFExe" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"McRegWiz" = "C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun" [empty string]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [null data]
"dmssn.exe" = "C:\WINDOWS\System32\dmssn.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csdmk.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Daniel\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sspipes.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"McAfee.com Update Check (CELEROND-Daniel)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {CLSID}\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\ = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\ = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\ = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]
rmxvp
Added
22.07.2005 21:56:08
Silent hasn't finished its work yet, but you can already see what may be bugging you.

"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [null data]
"dmzen.exe" = "C:\WINDOWS\System32\dmzen.exe" [null data]


Delete the files from disk, and the entries in the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key too.
Bobi
Added
22.07.2005 21:03:24
Supposedly everything got deleted, but in NFSU, for example, the computer still stutters. Worth adding that it doesn't stutter right away, only after about 3 minutes, gradually. Pasting the Silent Runners log:


"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non–default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Komunikator" = "C:\Program Files\Tlen.pl\tlen.exe" [null data]
"Steam" = (empty string)
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"VSOCheckTask" = ""c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"VirusScan Online" = ""c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"" ["McAfee, Inc."]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"MPFExe" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"McRegWiz" = "C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun" [empty string]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [null data]
"dmzen.exe" = "C:\WINDOWS\System32\dmzen.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
rmxvp
Added
22.07.2005 20:17:17
The log really is clean. Can't you delete the files the scanner found manually, e.g. in safe mode?
As for that balloon, check:
http://www.sophos.com/virusinfo/analyses/trojspydldra.html
http://www.sophos.com/virusinfo/analyses/trojdloadermk.html
Bobi
Added
21.07.2005 18:09:03
rmxvp
Added:
21.07.2005 17:42:24