There is already a thread about Antivirus 2008, so I think I should be able to handle that one. To diagnose the other problems (a blocked Task Manager and regedit [I can't even run *.reg files]) I'm pasting the logs from HijackThis and Silent Runners.
Logfile of HijackThis v1.99.1
Scan saved at 15:17:40, on 2008-08-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\WapSter\AQQ\AQQ.exe
C:\Program Files\TC PowerPack\totalcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Szogun\USTAWI~1\Temp\winnwrmtd.exe
C:\DOCUME~1\Szogun\USTAWI~1\Temp\winejvyf.exe
D:\!progs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0D80A8C-81E6-437E-BD5C-06C44EBE886D}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"DriverLoad" = (empty string)
"DriverCheck" = (empty string)
"SystemDriverLoad" = (empty string)
"Winhost" = (empty string)
"Winhost1" = (empty string)
"Winhost2" = (empty string)
"Winhost3" = (empty string)
"Winhost4" = (empty string)
"SystemDriver" = (empty string)
"FDriver" = (empty string)
"ADriver" = (empty string)
"CDriver" = (empty string)
"DDriver" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Lexmark 2200 Series" = ""C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"" ["Lexmark International, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
                   \InProcServer32(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
  -> {HKLM...CLSID} = "ShellLink for Application References"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
  -> {HKLM...CLSID} = "Shell Icon Handler for Application References"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{35786D3C-B075-49b9-88DD-029876E11C01}" = "Portable Devices"
  -> {HKLM...CLSID} = "Portable Devices"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]
"{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}" = "Portable Devices Menu"
  -> {HKLM...CLSID} = "Portable Devices Menu"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
                   \InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
                   \InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{8932AEFE-9DB6-4f43-AFB2-5682F55E773A}" = "VPCHostCopyHook"
  -> {HKCU...CLSID} = "VPCHostCopyHook"
                   \InProcServer32(Default) = "C:\Program Files\Microsoft Virtual PC\VPCShExH.DLL" [MS]
"{10677009-C23C-4FC2-A62C-29323A2201F0}" = "AQQ File Transfer Shell Extension"
  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
                   \InProcServer32(Default) = "C:\PROGRA~1\WapSter\WAPSTE~1\System\AQQSHE~1.DLL" [file not found]
"{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension"
  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
                   \InProcServer32(Default) = "C:\PROGRA~1\WapSter\AQQ\System\AQQSHE~1.DLL" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
                   \InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AQQFileTransfer(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}"
  -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
                   \InProcServer32(Default) = "C:\PROGRA~1\WapSter\AQQ\System\AQQSHE~1.DLL" [null data]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

HIJACK WARNING! "DisableRegistryTools"=dword:00000001
[prohibits launch of REGEDIT.EXE]
{User Configuration|Administrative Templates|System|Prevent access to registry editing tools}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\IrfanView\IrfanView_Wallpaper.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
                   \InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
                   \InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 5 domain names to IP addresses,
      2 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 50 seconds, including 18 seconds for message boxes)
And one more thing: when I launch Daemon Tools I get this message: Initialization error7
This program requires at least Windows 2000 with SPTD 1.43 or higher.
Kernel debugger must be deactivated.
Two users work on this computer; it's possible that the other one, while clumsily trying to "fix" things, messed something up further, for instance by using msconfig.
djarta
(djarta)
25 August 2008 13:22
#2
Fix the above-mentioned entries in HijackThis:
>>HijackThis>>Scan (Do a system scan only)>>tick them >> Fix checked
Post a log from -----> ComboFix (link further down the page).
================
K.
djarta
(djarta)
25 August 2008 13:58
#4
Paste into Notepad:
File::
G:\pndex.exe
C:\pndex.exe
D:\pndex.exe
Driver::
dnlsvc
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a08e8a57-f693-11dc-bfe9-000e50af7f67}]
>>File>>Save as... >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
Removal should start (and a log will be created). Post the log that is created during the removal.
If it goes well, then: after the restart delete the folder C:\Qoobox manually.
===============
K.
Download ComboFix but don't run it; paste into Notepad:
Save the file as CFScript.txt, preferably so that this file's icon sits next to the ComboFix.exe icon.
Drag and drop the CFScript.txt file onto the ComboFix.exe icon; removal should start, and afterwards post the log on the forum.
Delete the folder C:\Qoobox manually, and delete the ComboFix installer from the disk.
djarta
(djarta)
25 August 2008 15:55
#7
I don't see anything alarming here.
Delete the folder C:\Qoobox manually,
Delete the ComboFix installer from the disk.
Optimise the startup (autostart) list
Clean the computer with CCleaner
Turn System Restore off and back on on all drives. Instructions
Scan the "My Computer" area with http://www.kaspersky.pl/virusscanner.html (run it in IE). Post its report on the forum.
or
Dr.WEB CureIt!.
=====================
K.
The problem came back; this time a prompt from that "antivirus" popped up, changed my wallpaper and blocked me from changing it back. In HijackThis I removed what I was sure about; here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 19:10:05, on 2008-08-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TC PowerPack\totalcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Szogun\USTAWI~1\Temp\wintoll.exe
C:\DOCUME~1\Szogun\USTAWI~1\Temp\winhdevsh.exe
D:\!progs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0D80A8C-81E6-437E-BD5C-06C44EBE886D}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
The Kaspersky page doesn't load; for Dr.WEB neither the page nor the mirrors work, and I can't find it anywhere online; and the CCleaner installer stops at
and an icon appeared in the systray which shows "Yahoo! Toolbar - 86%" on hover and doesn't react to a double-click. I can't abort the installation, since after all my Task Manager is blocked ;\
huber2t
(huber2t)
26 August 2008 04:28
#9
Fix in HijackThis
Download ComboFix, but don't run it
Open Notepad and paste into it:
File::
C:\DOCUME~1\Szogun\USTAWI~1\Temp\wintoll.exe
C:\DOCUME~1\Szogun\USTAWI~1\Temp\winhdevsh.exe
File -> Save as -> CFScript.txt. Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, as shown here-> Removal will start and a log will be created, which you post on the forum. Post logs at http://wklej.eu or http://wklej.org and put only the link in your post. If you can't do that, do it with this tool: download The Avenger and paste this text into it:
Files to delete:
C:\DOCUME~1\Szogun\USTAWI~1\Temp\wintoll.exe
C:\DOCUME~1\Szogun\USTAWI~1\Temp\winhdevsh.exe
Copy this, click Paste Script from Clipboard, choose Execute, confirm, and agree to the restart by clicking OK.
Delete the file C:\Avenger\backup.zip from the disk manually and paste the report C:\avenger.txt on the forum.
The link to The Avenger doesn't work, and I can't find it online ;\ The ComboFix script doesn't seem to start: it works for a moment (a loading bar appears, but nothing else), then nothing happens. I waited half an hour and nothing.
huber2t
(huber2t)
26 August 2008 10:10
#11
The link works for me, try again
I decided to reinstall the system after all, this time XP mini. After installing the drivers and a quick, rough configuration, something is again blocking taskmgr and regedit.
Logfile of HijackThis v1.99.1
Scan saved at 15:31:05, on 2008-08-26
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\TC PowerPack\totalcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\!progs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B4C397-FC56-4FC3-A24C-94A41FB5A0DD}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS2\Services\Tcpip\..\{513A6CE3-88CF-4C1E-BEF7-8954FF955B2F}: NameServer = 85.255.116.101,85.255.112.184
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
ComboFix 08-08-25.01 - Gosc 2008-08-26 15:25:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.102 [GMT 2:00]
Running from: D:\!progs\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-26 15:21 . 2008-08-26 15:21
2008-08-26 15:19 . 2006-02-22 03:05 148,498 --a------ C:\WINDOWS\system32\atmplkxx.hlp
2008-08-26 15:19 . 2006-02-22 03:05 44,430 --a------ C:\WINDOWS\system32\attplkxx.hlp
2008-08-26 15:19 . 2006-02-22 03:05 26,138 --a------ C:\WINDOWS\system32\atfplkxx.hlp
2008-08-26 15:05 . 2008-08-26 15:05
2008-08-26 15:05 . 2008-08-26 15:05
2008-08-26 15:05 . 2003-12-08 12:53 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2008-08-26 15:05 . 2003-12-08 12:53 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2008-08-26 15:05 . 2003-12-08 12:53 5,606 --a------ C:\WINDOWS\system32\stci.dll
2008-08-26 15:05 . 2003-12-08 12:53 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2008-08-26 15:05 . 2003-12-08 12:53 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys
2008-08-26 13:29 . 2008-08-26 13:29 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-08-26 13:13 . 2008-08-26 13:13
2008-08-26 13:12 . 2008-08-26 13:12
2008-08-26 13:12 . 2008-08-26 15:26
2008-08-26 13:12 . 2008-08-26 13:12
2008-08-26 13:12 . 2008-08-26 14:48
2008-08-26 13:12 . 2008-08-26 14:56
2008-08-26 13:12 . 2008-08-26 14:48
2008-08-26 13:12 . 2008-08-26 14:48
2008-08-26 13:12 . 2008-08-26 15:18
2008-08-26 13:12 . 2008-08-26 14:59
2008-08-26 13:09 . 2008-08-26 13:09
2008-08-26 13:09 . 2008-08-26 13:09
2008-08-26 13:07 . 2008-08-26 15:05
2008-08-26 13:07 . 2008-08-26 13:09
2008-08-26 13:07 . 2007-12-05 04:48 9,535,488 --a------ C:\WINDOWS\system32\atioglx2.dll
2008-08-26 13:06 . 2008-08-26 13:06
2008-08-26 13:06 . 2008-08-26 13:06 472,576 --a------ C:\WINDOWS\Radeon Omega Drivers v4.8.442 Uninstall.exe
2008-08-26 12:58 . 2008-08-26 15:26
2008-08-26 12:58 . 2008-08-26 12:58
2008-08-26 12:58 . 2008-08-26 14:48
2008-08-26 12:58 . 2008-08-26 14:48
2008-08-26 12:58 . 2008-08-26 14:48
2008-08-26 12:58 . 2008-08-26 14:48
2008-08-26 12:58 . 2008-08-26 14:48
2008-08-26 12:58 . 2008-08-26 13:12
2008-08-26 12:54 . 2008-08-26 15:26
2008-08-26 12:54 . 2008-08-26 12:54
2008-08-26 12:54 . 2008-08-26 12:54
2008-08-26 12:54 . 2008-08-26 15:26
2008-08-26 12:54 . 2008-08-26 12:54
2008-08-26 12:54 . 2008-08-26 12:54
2008-08-26 12:53 . 2008-08-26 15:26
2008-08-26 12:53 . 2008-08-26 14:48
2008-08-26 12:53 . 2008-08-26 14:48
2008-08-26 12:53 . 2008-08-26 14:48
2008-08-26 12:53 . 2008-08-26 14:48
2008-08-26 12:53 . 2008-08-26 14:48
2008-08-26 12:53 . 2008-08-26 14:48
2008-08-26 12:53 . 2008-08-26 12:53
2008-08-26 12:53 . 2008-08-26 12:53 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-26 12:53 . 2008-08-26 12:53 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-08-26 12:53 . 2008-08-26 12:53 2,596 --a------ C:\WINDOWS\system32\CONFIG.NT
2008-08-26 12:53 . 2008-08-26 12:53 0 --a------ C:\WINDOWS\control.ini
2008-08-26 12:51 . 2008-08-26 12:52
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 12:56 --------- d-----w C:\Program Files\TC PowerPack
2008-08-26 12:56 --------- d-----w C:\Documents and Settings\Gosc\Dane aplikacji\TC PowerPack
2001-11-23 04:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------
2006-06-26 14:59 578560 6a93565be9b8422eb7538c66ac732d76 C:\WINDOWS\system32\user32.dll
2006-06-26 15:01 666112 d11493e5ac4ab399bcd28130e158a56b C:\WINDOWS\system32\wininet.dll
2006-06-26 15:02 360576 c7be59b07c6eb74bea6fd67c1b164015 C:\WINDOWS\system32\drivers\tcpip.sys
2006-06-26 15:07 2058240 35d11fdc381536ab95e3005489131f44 C:\WINDOWS\system32\ntkrnlpa.exe
2006-06-26 14:59 2180864 dba3e4215279c8012b37d2135b531258 C:\WINDOWS\system32\ntoskrnl.exe
2006-06-26 14:59 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\system32\spoolsv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInternetIcon"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CmiRemoveDir]
--a------ 2003-07-22 11:15 225280 C:\WINDOWS\CMIRMR~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2007-12-05 04:55 26112 C:\WINDOWS\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"D:\!progs\HijackThis.exe"=
"C:\WINDOWS\system32\CF1023.exe"=

R3 dac970nt;dac970nt;C:\WINDOWS\system32\drivers\lrjqgn.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
*Newly Created Service* - RASAUTO
*Newly Created Service* - RASMAN
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Gosc\Dane aplikacji\Mozilla\Firefox\Profiles\qmnk2gpv.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 15:26:49
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-26 15:27:29
ComboFix-quarantined-files.txt 2008-08-26 13:27:27

Pre-Run: 9,677,725,696 bajtów wolnych
Post-Run: 9,684,594,688 bajtów wolnych

170
The HijackThis entry "O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1" seems impossible to remove: it keeps reappearing every few moments.
Leon1
(Leon$)
26 August 2008 18:59
#14
Download HijackThis 2.02 http://forum.dobreprogramy.pl/viewtopic.php?f=16&t=36654
the entries
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O17 - HKLM\System\CS2\Services\Tcpip\..\{513A6CE3-88CF-4C1E-BEF7-8954FF955B2F}: NameServer = 85.255.116.101,85.255.112.184
remove with HijackThis >> Fix checked
Start >> Run >> cmd
sc stop dac970nt >> Enter
sc delete dac970nt >> Enter
Open Notepad and paste
save as plik.reg >> All files >> merge into the registry >> restart
a file with this icon will be created
which you double-click, confirm that you want to add it to the registry, then restart
Download System Repair Engineer
http://www.cybertrash.pl/images/tata/System%20Repair/System%20Repair%20Engineer.html
scan it and post the log
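As an added example (not a tool from this thread or from any of its posters), the script below reads a HijackThis 1.99 log and flags the entry kinds the helpers above kept pointing at: an O7 policy value that disables regedit (generalised to any non-zero Policies\System value), O17 NameServer entries whose resolvers are not the expected ones, processes or O4 autostarts launched from a Temp folder, and O23 services whose binary is reported missing. The expected-resolver list and the sample lines are assumptions built from the logs posted above.

```python
"""Triage a HijackThis 1.99 log for the entry types discussed in this thread.

Added example, not a tool from the original posts. Findings are returned as
(code, reason, line) tuples so they can be checked, not only printed.
"""
import re
from ipaddress import ip_address

# Resolvers this machine is expected to use. Assumption: taken from the ISP
# O17 entry that appears unchanged in every log in the thread.
EXPECTED_DNS = {"194.204.159.1", "217.98.63.164"}

PROCESS_PATH = re.compile(r"^[A-Za-z]:\\\S")          # bare path under "Running processes:"
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)      # ...\Temp\something.exe
O4_LINE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O7_LINE = re.compile(r"^O7 - (?P<key>[^,]+), (?P<value>\w+)=(?P<data>\d+)$")
O17_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - .* - (?P<path>.+)$")

# Constructed sample: lines copied from the logs in this thread, not from a live host.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Szogun\USTAWI~1\Temp\wintoll.exe
C:\DOCUME~1\Szogun\USTAWI~1\Temp\winhdevsh.exe
D:\!progs\HijackThis.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B4C397-FC56-4FC3-A24C-94A41FB5A0DD}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS2\Services\Tcpip\..\{513A6CE3-88CF-4C1E-BEF7-8954FF955B2F}: NameServer = 85.255.116.101,85.255.112.184
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
"""


def _is_ip(text):
    """True if text parses as an IPv4/IPv6 address."""
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return a list of (code, reason, line) findings for one HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Running process whose image lives in a Temp folder (the winXXXX.exe files above).
        if PROCESS_PATH.match(line) and TEMP_DIR.search(line):
            findings.append(("PROC", "process running from a Temp folder", line))
            continue
        m = O4_LINE.match(line)
        if m and TEMP_DIR.search(m.group("cmd")):
            findings.append(("O4", "autostart launches from a Temp folder", line))
            continue
        # Any non-zero Policies\System value is a restriction placed on the user.
        m = O7_LINE.match(line)
        if m and m.group("data") != "0":
            findings.append(("O7", f"policy {m.group('value')} restricts the user", line))
            continue
        # NameServer values may be space- or comma-separated; flag anything unexpected.
        m = O17_LINE.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            unexpected = [s for s in servers if _is_ip(s) and s not in EXPECTED_DNS]
            if unexpected:
                findings.append(("O17", "unexpected DNS resolvers " + ", ".join(unexpected), line))
            continue
        m = O23_LINE.match(line)
        if m and "(file missing)" in m.group("path"):
            findings.append(("O23", f"service {m.group('name')} points at a missing file", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Entries the script does not flag (the ISP resolvers, the Lexmark autostart) are the ones the helpers in this thread also left alone; everything it does flag matches what they asked to be fixed.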