request for further instructions :D
I'm writing here because I have a problem. There's some junk on the computer (that's what I think). Pop-up messages...
tralala first window:
tralala second window:
HijackThis log:
the computer was scanned by: Kaspersky, Symantec online etc.
Logfile of HijackThis v1.99.1
Scan saved at 20:31:41, on 2005-09-13
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\svchost.exe
D:\Programy\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\FoLdEr MaTwIeJa\Programy\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6262829E-325F-4229-8DCF-C65065B3258F}: NameServer = 195.95.218.4 85.255.112.9
O23 - Service: KLBLMain - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe" -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Replies: 8
I checked it, deleted it, restarted the computer and didn't have to enter any DNS addresses (they apparently appeared on their own, and the entry in HJT appeared too), so we'll see whether any messages still show up :P
UPDATE:
nothing is showing up :P so far ;) big thanks and cheers
UPDATE 2:
Ehh, those messages are still showing up :( just in case I'm posting the logs once more :!:
Logfile of HijackThis v1.99.1
Scan saved at 14:11:44, on 2005-09-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\explorer.exe
D:\Programy\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\FoLdEr MaTwIeJa\Programy\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6262829E-325F-4229-8DCF-C65065B3258F}: NameServer = 195.95.218.4 85.255.112.9
O23 - Service: KLBLMain - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe" -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"Cmaudio" = "RunDll32 cmicnfg.dll,CMICtrlWnd" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"KAV50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0" ["Kaspersky Lab"]
"hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csova.exe" [null data]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\MaTj\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Startup items in "MaTj" & "All Users" startup folders:
------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
HOSTS file
----------
C:\WINDOWS\System32\drivers\etc\HOSTS
maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 64 seconds, including 14 seconds for message boxes)
OK, you won't be messing around in the registry, so check and delete that O17 entry in HJT. If it turns out to be necessary, enter the proper Neostrada DNS numbers later.
If the file isn't there, even better.
the DNS entries stayed :D (and that file really isn't there :D) I looked at the "description" you gave, but I don't understand English very well (just don't tell me to pick up a dictionary), so I'd ask for some shortened version in Polish if someone could translate :P like for a 5-year-old :P
The file is most likely there, but it may be invisible under normal conditions. So download Pocket Killbox, check "Delete on reboot", paste the path into the empty field: C:\WINDOWS\system32\csmrz.exe, confirm and restart the system.
In the registry, from the key given, delete only the NoBandCustomize value; you had it in bold.
As for the DNS servers, you presumably have Neostrada, so you know what the numbers are; the Symantec page has a description of how to refresh those addresses, and the other junk this trojan leaves behind is listed there too.
Quote:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csmrz.exe" [null data]
Go to the key given and clear the System value to empty.

done

Quote:
The file in bold disappears from the disk.

It wasn't there; I used the search option and searched the whole computer. It found nothing.

Quote:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
Remove this restriction too. Cut the DNS entries the same way; description:

I don't quite understand what this is about :? am I supposed to delete this whole registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" :?: and those DNS entries, I'd ask for an explanation too :D and the one in bold? I'd really ask for exact instructions if possible :P
And here is what was supposed to show up:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csmrz.exe" [null data]
Go to the key given and clear the System value to empty.
The file in bold disappears from the disk.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
Remove this restriction too. Cut the DNS entries the same way; description: http://securityresponse.symantec.com/avcenter/venc/data/trojan.flush.e.html
in this program, when I launched it, a window popped up with "yes" and "no" :D I don't remember anymore which one I chose, but here's what I have:
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"Cmaudio" = "RunDll32 cmicnfg.dll,CMICtrlWnd" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"KAV50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0" ["Kaspersky Lab"]
"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csmrz.exe" [null data]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Toolbars|Disable customizing browser toolbars}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\MaTj\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Startup items in "MaTj" & "All Users" startup folders:
------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
It looks like your DNS servers have been replaced by the Flush trojan; post a Silent Runners log as well, because there is also a hidden regenerator.
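The replies in this thread boil down to two checks a helper runs by eye: does the O17 line in the HijackThis log point at resolvers the ISP did not assign, and does Silent Runners flag a Winlogon "System" value or a NoBandCustomize policy that a cleaning tool should remove. The parser below is an editor's added example, not code from the thread, from HijackThis or from Silent Runners. It extracts the O17 NameServer entries from a HijackThis log and flags every resolver not in an allow-list, and it picks the INFECTION WARNING / HIJACK WARNING lines out of a Silent Runners report together with the registry key printed above them. EXPECTED_DNS is a placeholder (the thread points at the Neostrada servers but never lists them); the two sample inputs are constructed from the entries posted in the thread, with the helper names Finding, parse_hjt_o17, check_dns, check_silent_runners and triage being this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the HijackThis lines posted in the thread.
# The O17 line carries the two resolvers from the poster's log.
HJT_SAMPLE = "\n".join([
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.pl/",
    "O1 - Hosts: localhost 127.0.0.1",
    "O4 - HKLM\\..\\Run: [SiSUSBRG] C:\\WINDOWS\\SiSUSBrg.exe",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{6262829E-325F-4229-8DCF-C65065B3258F}:"
    " NameServer = 195.95.218.4 85.255.112.9",
    "O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe",
])

# Constructed sample in Silent Runners report format, modelled on the warnings in the thread.
SILENT_RUNNERS_SAMPLE = "\n".join([
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\",
    "INFECTION WARNING! \"System\" = \"csmrz.exe\" [null data]",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\",
    "HIJACK WARNING! \"NoBandCustomize\"=dword:00000001",
    "[disables toolbar status changes in Internet Explorer|View|Toolbars]",
])

# Placeholder allow-list (RFC 5737 documentation addresses). The thread says to use the
# ISP's (Neostrada's) resolvers but does not list them; put the real ones in use here.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
WARNING_RE = re.compile(r'^(?P<kind>INFECTION|HIJACK) WARNING! "(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')


@dataclass
class Finding:
    source: str   # "O17", "INFECTION" or "HIJACK"
    detail: str


def parse_hjt_o17(log: str) -> list[tuple[str, list[str]]]:
    """Extract (interface key, [resolver, ...]) from every O17 NameServer line."""
    entries = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("servers").split()))
    return entries


def check_dns(log: str, expected: set[str]) -> list[Finding]:
    """Flag any O17 resolver that is not one of the expected ISP/LAN resolvers."""
    findings = []
    for key, servers in parse_hjt_o17(log):
        rogue = [s for s in servers if s not in expected]
        if rogue:
            findings.append(Finding("O17", f"{key}: unexpected NameServer {' '.join(rogue)}"))
    return findings


def check_silent_runners(report: str) -> list[Finding]:
    """Collect INFECTION/HIJACK WARNING lines together with the registry key they sit under."""
    findings = []
    current_key = None
    for line in report.splitlines():
        s = line.strip()
        if s.startswith("HK") and s.endswith("\\"):
            current_key = s   # Silent Runners prints the key on its own line, then its values
            continue
        m = WARNING_RE.match(s)
        if m:
            findings.append(Finding(m.group("kind"), f"{current_key} {m.group('name')} = {m.group('value')}"))
    return findings


def triage(hjt_log: str, sr_report: str, expected_dns: set[str]) -> list[Finding]:
    """Run both checks and return the findings in the order a helper would review them."""
    return check_dns(hjt_log, expected_dns) + check_silent_runners(sr_report)


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, SILENT_RUNNERS_SAMPLE, EXPECTED_DNS):
        print(f"[{f.source}] {f.detail}")
```

Run against the two samples it reports the O17 entry with both resolvers, the Winlogon "System" value and the NoBandCustomize policy; with the allow-list set to the two addresses from the log, the O17 finding disappears, which is exactly the check the thread asks the poster to make by comparing against the ISP's numbers. The Silent Runners check does not try to decide whether a flagged value is malicious; it only surfaces what the tool already marked, with the key path attached so the entry can be located in the registry.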