
 
 
Oto logi z Hijacka i sillent runners
HiJackThis:
- Kod: Zaznacz wszystko
- Logfile of Trend Micro HijackThis v2.0.2
 Scan saved at 18:32:18, on 2007-09-21
 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 Boot mode: Normal
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\Explorer.EXE
 C:\WINDOWS\system32\spoolsv.exe
 C:\WINDOWS\SOUNDMAN.EXE
 C:\WINDOWS\system32\nvraidservice.exe
 C:\WINDOWS\system32\ctfmon.exe
 D:\AVG\avgamsvr.exe
 D:\AVG\avgupsvc.exe
 D:\AVG\avgemc.exe
 C:\WINDOWS\system32\nvsvc32.exe
 C:\WINDOWS\system32\HPZipm12.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\system32\wscntfy.exe
 C:\WINDOWS\system32\wbem\unsecapp.exe
 D:\AVG\avgcc.exe
 D:\Downloads\HiJackThis.exe
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\AR\Reader\ActiveX\AcroIEHelper.ocx
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
 O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\DOWNLO~1\FlashGet\jccatch.dll
 O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\DOWNLO~1\FlashGet\fgiebar.dll
 O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
 O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
 O4 - HKLM\..\Run: [AVG7_CC] D:\AVG\avgcc.exe /STARTUP
 O4 - HKLM\..\Run: [netddk.exe] C:\WINDOWS\system32\netddk.exe
 O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
 O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
 O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
 O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\AVG\avgw.exe /RUNONCE (User 'USŁUGA LOKALNA')
 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
 O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
 O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
 O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
 O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm
 O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - C:\Program Files\Avant Browser\OpenAllLinks.htm
 O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm
 O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm
 O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Downloads\FlashGet\jc_link.htm
 O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Downloads\FlashGet\jc_all.htm
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
 O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\DOWNLO~1\FlashGet\flashget.exe
 O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\DOWNLO~1\FlashGet\flashget.exe
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
 O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/sis/BTDownloadCtrl.cab
 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG\avgamsvr.exe
 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG\avgupsvc.exe
 O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\AVG\avgemc.exe
 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
 O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 --
 End of file - 5050 bytes
Sillent runners:
- Kod: Zaznacz wszystko
- "Silent Runners.vbs", revision 52, http://www.silentrunners.org/
 Operating System: Windows XP SP2
 Output limited to non-default values, except where indicated by "{++}"
 Startup items buried in registry:
 ---------------------------------
 HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
 "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
 "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
 "Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
 "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
 "NVRaidService" = "C:\WINDOWS\system32\nvraidservice.exe" ["NVIDIA Corporation"]
 "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
 "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
 "AVG7_CC" = "D:\AVG\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
 "netddk.exe" = "C:\WINDOWS\system32\netddk.exe" [empty string]
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
 {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "AcroIEHlprObj Class"
 \InProcServer32\(Default) = "d:\AR\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
 {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "SSVHelper Class"
 \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
 {A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)
 -> {HKLM...CLSID} = "IeCatch2 Class"
 \InProcServer32\(Default) = "D:\DOWNLO~1\FlashGet\jccatch.dll" ["Amaze Soft"]
 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
 "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
 -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
 \InProcServer32\(Default) = "deskpan.dll" [file not found]
 "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
 -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
 \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
 "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
 -> {HKLM...CLSID} = "DesktopContext Class"
 \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
 "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
 -> {HKLM...CLSID} = "Desktop Explorer"
 \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
 "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
 -> {HKLM...CLSID} = (no title provided)
 \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
 "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
 -> {HKLM...CLSID} = "nView Desktop Context Menu"
 \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
 "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
 -> {HKLM...CLSID} = "WinRAR"
 \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
 "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
 -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
 \InProcServer32\(Default) = "D:\AVG\avgse.dll" ["GRISOFT, s.r.o."]
 "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
 -> {HKLM...CLSID} = "AVG7 Find Extension Class"
 \InProcServer32\(Default) = "D:\AVG\avgse.dll" ["GRISOFT, s.r.o."]
 "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
 -> {HKLM...CLSID} = (no title provided)
 \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
 "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
 -> {HKLM...CLSID} = "NVIDIA CPL Extension"
 \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
 HKLM\Software\Classes\PROTOCOLS\Filter\
 <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
 -> {HKLM...CLSID} = (no title provided)
 \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
 HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
 AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
 -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
 \InProcServer32\(Default) = "D:\AVG\avgse.dll" ["GRISOFT, s.r.o."]
 WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
 -> {HKLM...CLSID} = "WinRAR"
 \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
 HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
 WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
 -> {HKLM...CLSID} = "WinRAR"
 \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
 HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
 AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
 -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
 \InProcServer32\(Default) = "D:\AVG\avgse.dll" ["GRISOFT, s.r.o."]
 WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
 -> {HKLM...CLSID} = "WinRAR"
 \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
 Group Policies {GPedit.msc branch and setting}:
 -----------------------------------------------
 Note: detected settings may not have any effect.
 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
 "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
 Shutdown: Allow system to be shut down without having to log on}
 "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
 Devices: Allow undock without having to log on}
 Active Desktop and Wallpaper:
 -----------------------------
 Active Desktop may be disabled at this entry:
 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
 Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
 HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
 "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
 Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
 HKCU\Control Panel\Desktop\
 "Wallpaper" = "C:\Documents and Settings\FILIP\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
 Enabled Screen Saver:
 ---------------------
 HKCU\Control Panel\Desktop\
 "SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
 Winsock2 Service Provider DLLs:
 -------------------------------
 Namespace Service Providers
 HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
 Transport Service Providers
 HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
 %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 12
 %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06
 Toolbars, Explorer Bars, Extensions:
 ------------------------------------
 Toolbars
 HKLM\Software\Microsoft\Internet Explorer\Toolbar\
 "{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"
 -> {HKLM...CLSID} = "FlashGet Bar"
 \InProcServer32\(Default) = "D:\DOWNLO~1\FlashGet\fgiebar.dll" ["Amaze Soft"]
 Explorer Bars
 HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
 HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
 Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
 InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
 Extensions (Tools menu items, main toolbar menu buttons)
 HKLM\Software\Microsoft\Internet Explorer\Extensions\
 {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
 "MenuText" = "Sun Java Console"
 "CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
 -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
 \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
 -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
 \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]
 {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
 "ButtonText" = "Badanie"
 {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
 "ButtonText" = "FlashGet"
 "MenuText" = "&FlashGet"
 "Exec" = "D:\DOWNLO~1\FlashGet\flashget.exe" ["Amaze Soft"]
 {FB5F1910-F110-11D2-BB9E-00C04F795683}\
 "ButtonText" = "Messenger"
 "MenuText" = "Windows Messenger"
 "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
 Running Services (Display Name, Service Name, Path {Service DLL}):
 ------------------------------------------------------------------
 AVG E-mail Scanner, AVGEMS, "D:\AVG\avgemc.exe" ["GRISOFT, s.r.o."]
 AVG7 Alert Manager Server, Avg7Alrt, "D:\AVG\avgamsvr.exe" ["GRISOFT, s.r.o."]
 AVG7 Update Service, Avg7UpdSvc, "D:\AVG\avgupsvc.exe" ["GRISOFT, s.r.o."]
 NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
 Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
 Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
 Print Monitors:
 ---------------
 HKLM\System\CurrentControlSet\Control\Print\Monitors\
 HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
 hpzsnt12\Driver = "hpzsnt12.dll" ["HP"]
 Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
 Monitor języka BJ\Driver = "CNBJMON.DLL" [MS]
 ---------- (launch time: 2007-09-21 18:32:45)
 <<!>>: Suspicious data at a malware launch point.
 + This report excludes default entries except where indicated.
 + To see *everywhere* the script checks and *everything* it finds,
 launch it from a command prompt or a shortcut with the -all parameter.
 + The search for DESKTOP.INI DLL launch points on all local fixed drives
 took 67 seconds.
 ---------- (total run time: 124 seconds)
prosze powiedzieć co powinienem zrobić. może przy okazji jakieś inne śmieci usunę
 
PS nie wiem czy to pomoże, ale powiem że po jakimś czasie od startu systemu pokazuje wirusa w pliku qqq.exe znajdujacym sie w "Internet Tepmtionary Files"


 
	
 sciągnij
 sciągnij 

 
	
 i to w jakim tempie
 i to w jakim tempie  Jakby ktos miał problem polece wasze forum
 Jakby ktos miał problem polece wasze forum