Dziwne zachowywanie się systemu

daho · 1 Lipiec 2007 14:19

niedawno zauważyłem że mój komputer dziwnie się zachowuje tzn.nie chce instalowac żadnych poprawek(błąd 1305),oraz jak uruchomię internet explorera uruchamia po pewnym czasie dwie strony(broadcaster,errorsafe)

tu jest log z hijack this:

Logfile of HijackThis v1.99.1

Scan saved at 16:07:59, on 2007-07-01

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)


Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\WINDOWS\system32\spoolsv.exe

E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

E:\WINDOWS\Explorer.EXE

E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

E:\WINDOWS\system32\nvsvc32.exe

E:\WINDOWS\system32\tcpsvcs.exe

E:\WINDOWS\system32\tlntsvr.exe

E:\WINDOWS\system32\RunDll32.exe

E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

E:\Program Files\D-Tools\daemon.exe

E:\WINDOWS\system32\RunDLL32.exe

E:\Program Files\Winamp2.95\Winampa.exe

E:\WINDOWS\system32\ctfmon.exe

E:\Programs\free ram\FreeRAM.exe

E:\Program Files\Gadu-Gadu\gg.exe

E:\Program Files\Skype\Phone\Skype.exe

E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

E:\Program Files\Hack-It\HackIt.exe

E:\Program Files\OpenOffice.org 2.2\program\soffice.exe

E:\Program Files\OpenOffice.org 2.2\program\soffice.BIN

E:\WINDOWS\system32\wscntfy.exe

E:\WINDOWS\system32\wuauclt.exe

E:\Program Files\Skype\Plugin Manager\skypePM.exe

E:\Program Files\Internet Explorer\iexplore.exe

E:\WINDOWS\system32\msiexec.exe

E:\WINDOWS\system32\wuauclt.exe

E:\Programs\winrar3.61\WinRAR.exe

E:\Program Files\Winamp2.95\Skins\hijackthis\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - E:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp2.95\Winampa.exe"

O4 - HKLM\..\Run: [GPLv3] rundll32.exe "E:\WINDOWS\system32\tglhoddk.dll",realset

O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [BySoft FreeRAM] E:\Programs\free ram\FreeRAM.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: Hack-It.lnk = E:\Program Files\Hack-It\HackIt.exe

O4 - Startup: OpenOffice.org 2.2.lnk = E:\Program Files\OpenOffice.org 2.2\program\quickstart.exe

O4 - Global Startup: DSLMON.lnk = E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O8 - Extra context menu item: Download all links using BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download all videos using BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Download link using &BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Link to &MidpX - E:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - E:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.magiccam.pl/wideokonferencje/AXWebMonProj1.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180633188515

O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/pl/darts_2_0_0_38.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_30.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F52EF324-B2FB-44FC-A3C0-3C715B79158C}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: CA Personal Firewall ASEM - Unknown owner - E:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

A tutaj z silent runners

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "E:\WINDOWS\system32\ctfmon.exe" [MS]

"BySoft FreeRAM" = "E:\Programs\free ram\FreeRAM.exe" ["BySoft"]

"Gadu-Gadu" = ""E:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"Skype" = ""E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]

"NvCplDaemon" = "RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"SunJavaUpdateSched" = ""E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"DAEMON Tools-1033" = ""E:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]

"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]

"WinampAgent" = ""E:\Program Files\Winamp2.95\Winampa.exe"" [null data]

"GPLv3" = "rundll32.exe "E:\WINDOWS\system32\tglhoddk.dll",realset" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"

  -> {HKLM...CLSID} = "Skype add-on (mastermind)"

                   \InProcServer32\(Default) = "E:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{360489F8-3E19-414D-B934-E4BAA2A1B10E}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\sstqo.dll" [null data]

{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"

  -> {HKLM...CLSID} = "BitComet Helper"

                   \InProcServer32\(Default) = "E:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll" ["BitComet"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\iqtjxigx.dll" [null data]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

{8A61098D-612B-4EF2-943D-64E920684061}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\nnnonkl.dll" [null data]

{EBE9E2B5-B526-48BC-AD46-687263EDCB0E}\(Default) = "Kwyshell MidpX BHO"

  -> {HKLM...CLSID} = "Kwyshell MidpX"

                   \InProcServer32\(Default) = "E:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll" ["Kwyshell G.Corp"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programs\winrar3.61\rarext.dll" [null data]

"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpoweramp Music Converter"

  -> {HKLM...CLSID} = "dMCIShell Class"

                   \InProcServer32\(Default) = "E:\Program Files\Illustrate\dBpoweramp\dMCShell.dll" ["Illustrate"]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{8A61098D-612B-4EF2-943D-64E920684061}" = "*_" (unwritable string)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\nnnonkl.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

  -> {HKLM...CLSID} = "WPDShServiceObj Class"

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\WPDShServiceObj.dll" [MS]


HKLM\System\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> nnnonkl\DLLName = "nnnonkl.dll" [null data]

<> sstqo\DLLName = "E:\WINDOWS\system32\sstqo.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

{FED7043D-346A-414D-ACD7-550D052499A7}\(Default) = "dBpoweramp Column Handler"

  -> {HKLM...CLSID} = "dBpShell Class"

                   \InProcServer32\(Default) = "E:\Program Files\Illustrate\dBpoweramp\dBShell.dll" ["Illustrate"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

VIDEOTRANS\(Default) = "{548773BA-874E-4C02-9DC7-B7A096772C7D}"

  -> {HKLM...CLSID} = "CountLines Class"

                   \InProcServer32\(Default) = "E:\Program Files\MP3 Player Utilities 3.57\AMVTools\SrcCount.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programs\winrar3.61\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programs\winrar3.61\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programs\winrar3.61\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "E:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "E:\Documents and Settings\Win\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "E:\WINDOWS\System32\POLKOM~2.SCR" (PolKompLa.scr) [null data]



Startup items in "Win" & "All Users" startup folders:

-----------------------------------------------------


E:\Documents and Settings\Win\Menu Start\Programy\Autostart

"Hack-It" -> shortcut to: "E:\Program Files\Hack-It\HackIt.exe" [empty string]

"OpenOffice.org 2.2" -> shortcut to: "E:\Program Files\OpenOffice.org 2.2\program\quickstart.exe" [null data]


E:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"DSLMON" -> shortcut to: "E:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]



Enabled Scheduled Tasks:

------------------------


"XoftSpySE 2" -> launches: "E:\Program Files\XoftSpySE\XoftSpy.exe ShowReminders" ["ParetoLogic"]

"XoftSpySE" -> launches: "E:\Program Files\XoftSpySE\XoftSpy.exe -t" ["ParetoLogic"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{EBE9E2B5-B526-48BC-AD46-687263EDCB0E}"

  -> {HKLM...CLSID} = "Kwyshell MidpX"

                   \InProcServer32\(Default) = "E:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll" ["Kwyshell G.Corp"]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EBE9E2B5-B526-48BC-AD46-687263EDCB0E}"

  -> {HKLM...CLSID} = "Kwyshell MidpX"

                   \InProcServer32\(Default) = "E:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll" ["Kwyshell G.Corp"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{EBE9E2B5-B526-48BC-AD46-687263EDCB0E}" = "Kwyshell MidpX"

  -> {HKLM...CLSID} = "Kwyshell MidpX"

                   \InProcServer32\(Default) = "E:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll" ["Kwyshell G.Corp"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"

                   \InProcServer32\(Default) = "E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"

                   \InProcServer32\(Default) = "E:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]


{77BF5300-1474-4EC7-9980-D32B190E9B07}\

"ButtonText" = "Skype"

"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"

  -> {HKLM...CLSID} = "Skype add-on (button)"

                   \InProcServer32\(Default) = "E:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]


{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "E:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]

Ad-Aware 2007 Service, aawservice, ""E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]

NVIDIA Display Driver Service, NVSvc, "E:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Usługi Simple TCP/IP, SimpTcp, "E:\WINDOWS\system32\tcpsvcs.exe" [MS]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 52 seconds)

adam9870 · 1 Lipiec 2007 18:50

Złapałeś trojana Vundo:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “GPLv3” = “rundll32.exe “E:\WINDOWS\system32\tglhoddk.dll”,realset” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {360489F8-3E19-414D-B934-E4BAA2A1B10E}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\WINDOWS\system32\sstqo.dll” [null data] {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\WINDOWS\system32\iqtjxigx.dll” [null data] {8A61098D-612B-4EF2-943D-64E920684061}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\WINDOWS\system32\nnnonkl.dll” [null data] <> “{8A61098D-612B-4EF2-943D-64E920684061}” = “*_” (unwritable string) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\WINDOWS\system32\nnnonkl.dll” [null data] HKLM\System\CurrentControlSet\Control\Session Manager\ <> “BootExecute” = “autocheck autochk *”|“lsdelete” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> nnnonkl\DLLName = “nnnonkl.dll” [null data] <> sstqo\DLLName = “E:\WINDOWS\system32\sstqo.dll” [null data]

Użyj VundoFix + FixVundo + VirtumundoBeGone. Wszystkie narzędzia należy uruchomić będąc w trybie awaryjnym.

Po wykonaniu wklej log z ComboFix. Aby zrobić w nim log należy go uruchomić => nacisnąć klawisz Y => czekać cierpliwie i log powinien być w formie pliku .txt o nazwie combofix na partycji C.

BTW.

To Twoje?

daho · 2 Lipiec 2007 03:41

tak to ja to zainstalowałem(hack-it)

tutaj log z combofix

adam9870 · 2 Lipiec 2007 08:20

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.BAT

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG

Przejdź do trybu awaryjnego i uruchom utworzone pliki.

Po wykonaniu wklej nowy log z ComboFix.

daho · 2 Lipiec 2007 12:10

oto nowy log z combofix

adam9870 · 2 Lipiec 2007 12:18

Ściągnij program KillBox, zaznacz Delete on reboot , w polu full path of file wklej ścieżkę:

E:\WINDOWS\system32\qagytcge.exe

Kliknij czerwonego iksa i reset.

Po wykonaniu wklej nowy log z ComboFix.

daho · 2 Lipiec 2007 14:24

nowy log(po usunieciu pliku)

adam9870 · 2 Lipiec 2007 14:59

Log wygląda w porządku.

Proponuję zastanowić się nad zamianę programu XoftSpySE na jakiś inny tego typu cieszący się lepszą opinią wśród użytkowników. Bowiem wspomniany XoftSpySE jest uważany za program wątpliwej reputacji. W przypadku tego typu programów może zdarzać się nawet, że przedstawiane wyniki skanować są ‘fikcyjne’ bądź, że program sam ściąga syf, by go potem móc wykryć. Osobiście polecam zamiast niego AVG Anti-Spyware bądź SUPERAntiSpyware.

Kosmetyka:

Panel sterowania => Java Plug-in => Update => odznacz opcję Check for updates automatically.

Start => uruchom => msconfig => zakładka Uruchamianie => możesz odznaczyć w/w.

Jeśli nie korzystasz z zaawansowanych usług tekstowych to je wyłącz: Panel sterowania => Opcje regionalne => Języki => Szczegóły => Zaawansowane => zaznacz wyłącz zaawansowane usługi tekstowe.

W opcjach komunikatorów możesz wyłączyć uruchamianie przy starcie systemu jeśli nie są Ci potrzebne.

Ponadto proponuję zastanowić się nad usunięciem programu FreeRAM. Tego typu soft jest uważany za zbędny i padają nawet opinie, iż przynosi wręcz odwrotny skutek niż powinien - spowalnia zamiast przyśpieszać.