Fałszywy alert Windows security center

xjasiux · 12 Październik 2007 09:17

Nie mogę sobie poradzić z fałszywymi alertami windows security center. Pierwszy jest o trojanie looksky a drugi jakiś taki:

Są jeszcze w logu wpisy z bitdefendera, ale ja go już nie mam ale wpisy nie chca się usunąć.

Logfile of HijackThis v1.99.1 Scan saved at 10:51:30, on 2007-10-12 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Raxco\PerfectDisk\PDAgent.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe C:\Program Files\Raxco\PerfectDisk\PDEngine.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\totalcmd\TOTALCMD.EXE D:\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5lid=2 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: The netadv - {D1413F77-5B69-4562-84E1-78F997794E9D} - C:\WINDOWS\netadv.dll O4 - HKLM…\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU…\Run: [bitComet - a BitTorrent Client] C:\Program Files\BitComet\BitComet.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - Startup: PowerReg Scheduler.exe O8 - Extra context menu item: Download with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: Download all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll O18 - Filter: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - C:\WINDOWS\ftpsconfig.dll O21 - SSODL: sysdx - {181C44CF-A409-4C46-97AD-69A6F7DB4C24} - C:\WINDOWS\sysdx.dll O21 - SSODL: msmhost - {5A33F19F-55AC-4186-9351-1FFCD0ADFB52} - C:\WINDOWS\msmhost.dll (file missing) O21 - SSODL: msmdev - {5C6D63A1-2DD2-40F3-94BA-12B9D3328244} - C:\WINDOWS\msmdev.dll (file missing) O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing) O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing) “Silent Runners.vbs”, revision 52, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “{2CE92482-07DA-1045-1017-050529060030}” = ““C:\Program Files\Common Files{2CE92482-07DA-1045-1017-050529060030}\Update.exe” mc-110-12-0000272” [file not found] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “BitComet - a BitTorrent Client” = “C:\Program Files\BitComet\BitComet.exe” [“www.BitComet.com”] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “DAEMON Tools” = ““C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033” [“DT Soft Ltd.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SmcService” = “C:\PROGRA~1\Sygate\SPF\smc.exe -startgui” [“Sygate Technologies, Inc.”] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” [“Eset “] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}(Default) = (no title provided) - {HKLM…CLSID} = “IeCatch5 Class” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\jccatch.dll” [“FlashGet”] {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}(Default) = “BitComet ClickCapture” - {HKLM…CLSID} = “BitComet Helper” \InProcServer32(Default) = “C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll” [“BitComet”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) - {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” - {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” - {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” - {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler” - {HKLM…CLSID} = “NeroDigitalIconHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] “{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler” - {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” - {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” - {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” - {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AxShlex.dll” [“Alcohol Soft Development Team”] “{44440D00-FF19-4AFC-B765-9A0970567D97}” = “TuneUp Theme Extension” - {HKLM…CLSID} = “TuneUp Theme Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\uxtuneup.dll” [“TuneUp Software GmbH”] “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” = “TuneUp Shredder Shell Extension” - {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll” [“TuneUp Software GmbH”] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” - {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” = “PowerISO” - {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] “{C1728FC8-0162-4827-85B0-8420B5B20263}” = “All Converter” - {HKLM…CLSID} = “All Converter” \InProcServer32(Default) = “C:\Program Files\Admiresoft\Super Mp3 Converter\CMExt.dll” [null data] “{23170F69-40C1-278A-1000-000100020000}” = “7-Zip Shell Extension” - {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “sysdx” = “{181C44CF-A409-4C46-97AD-69A6F7DB4C24}” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\sysdx.dll” [null data] “msmhost” = “{5A33F19F-55AC-4186-9351-1FFCD0ADFB52}” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\msmhost.dll” [file not found] “msmdev” = “{5C6D63A1-2DD2-40F3-94BA-12B9D3328244}” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\msmdev.dll” [file not found] HKLM\System\CurrentControlSet\Control\Session Manager\ “BootExecute” = “PDBoot.exe” [“Raxco Software, Inc.”]|“autocheck autochk *” HKLM\Software\Classes\PROTOCOLS\Filter\ text/html\CLSID = “{0EB00690-8FA1-11D3-96C7-829E3EA50C29}” - {HKLM…CLSID} = “MimeFilter” \InProcServer32(Default) = “C:\WINDOWS\ftpsconfig.dll” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler” - {HKLM…CLSID} = “NeroDigitalColumnHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” - {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” - {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” - {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” - {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] TuneUp Shredder Shell Extension(Default) = “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” - {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll” [“TuneUp Software GmbH”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” - {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” - {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] TuneUp Shredder Shell Extension(Default) = “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” - {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll” [“TuneUp Software GmbH”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” - {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” - {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “C:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\dziubki\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “dziubki” “All Users” startup folders: --------------------------------------------------------- C:\Documents and Settings\dziubki\Menu Start\Programy\Autostart “PowerReg Scheduler.exe” [empty string] Enabled Scheduled Tasks: ------------------------ “1-Click Maintenance” - launches: “C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart” [“TuneUp Software GmbH”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll [“Eset “], 01 - 05, 19 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet Bar” - {HKLM…CLSID} = “FlashGet Bar” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\fgiebar.dll” [“Amaze Soft”] “{D1413F77-5B69-4562-84E1-78F997794E9D}” = (no title provided) - {HKLM…CLSID} = “The netadv” \InProcServer32(Default) = “C:\WINDOWS\netadv.dll” [null data] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{E7A829CC-671F-4C3D-B590-8C0AEA72E6B2}(Default) = “BitComet Search” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll” [“BitComet”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {461CC20B-FB6E-4F16-8FE8-C29359DB100E}\ “ButtonText” = “BitComet Search” Miscellaneous IE Hijack Points ------------------------------ HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ “TuneUp” = “file://C|/Documents and Settings/All Users.WINDOWS/Dane aplikacji/TuneUp Software/Common/base.css” [file not found] “Tabs” = “res://ieframe.dll/tabswelcome.htm” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ BitDefender Communicator, XCOMM, ““C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe” /service” [“Softwin”] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” [“Eset “] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] PDAgent, PDAgent, ““C:\Program Files\Raxco\PerfectDisk\PDAgent.exe”” [“Raxco Software, Inc.”] PDEngine, PDEngine, ““C:\Program Files\Raxco\PerfectDisk\PDEngine.exe”” [“Raxco Software, Inc.”] PnkBstrA, PnkBstrA, “C:\WINDOWS\system32\PnkBstrA.exe” [null data] StarWind AE Service, StarWindServiceAE, “C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe” [“Rocket Division Software”] Sygate Personal Firewall, SmcService, “C:\Program Files\Sygate\SPF\smc.exe” [“Sygate Technologies, Inc.”] TuneUp Design Expansion, UxTuneUp, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\uxtuneup.dll” [“TuneUp Software GmbH”]} Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- (launch time: 2007-10-12 10:52:50) : Suspicious data at a malware launch point. : Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 221 seconds, including 6 seconds for message boxes) SmitFraudFix v2.240 Scan done at 11:12:53,76, 2007-10-12 Run from D:\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Raxco\PerfectDisk\PDAgent.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe C:\Program Files\Raxco\PerfectDisk\PDEngine.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\totalcmd\TOTALCMD.EXE C:\WINDOWS\system32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS C:\WINDOWS\netadv.dll FOUND ! C:\WINDOWS\sysdx.dll FOUND ! C:\WINDOWS\wsremover.exe FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dziubki »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dziubki\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\dziubki\Ulubione C:\DOCUME~1\dziubki\Ulubione\Error Cleaner.url FOUND ! C:\DOCUME~1\dziubki\Ulubione\Privacy Protector.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files C:\Program Files\VideoAccessCodec\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] “Source”=“C:\Program Files\Windows NT\woroked.html” “SubscribedURL”=”” “FriendlyName”=”” [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1] “Source”=“C:\Program Files\Outlook Express\tepehybex.html” “SubscribedURL”=”” “FriendlyName”="" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2] “Source”=“About:Home” “SubscribedURL”=“About:Home” “FriendlyName”=“Moja bieľĄca strona g˘wna” »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] “AppInit_DLLs”="" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “System”="" »»»»»»»»»»»»»»»»»»»»»»»» Rustock »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: NVIDIA nForce Networking Controller - Sterownik miniport Harmonogramu pakietów DNS Server Search Order: 62.179.1.60 DNS Server Search Order: 62.179.1.61 HKLM\SYSTEM\CCS\Services\Tcpip…{544F3587-86FA-43FE-B3A1-F5A7FA5E52D1}: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS1\Services\Tcpip…{544F3587-86FA-43FE-B3A1-F5A7FA5E52D1}: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS2\Services\Tcpip…{0841E831-E8C5-44DF-8944-8E1B5D2FED27}: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS3\Services\Tcpip…{544F3587-86FA-43FE-B3A1-F5A7FA5E52D1}: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End

jessica · 12 Październik 2007 09:41

Chyba użyłeś SmitfraudFix z opcji nr 1, więc teraz:

Użyj go z opcji “Clean”, czyli wpisz 2 i naciśnij ENTER.

Po jego użyciu może zajść potrzeba ustawiania od nowa tapety (czyli prawoklik na ekranie>>właściwości, itd. )

Daj z niego raport z C:\SmitfraudFix.txt.

Instrukcja obsługi: 1. Zastartuj komputer do trybu awaryjnego co jest opisane TUTAJ. (można spróbować najpierw usuwać w Trybie Normalnym -często to się udaje) 2.Uruchom SmitfraudFix.exe ( podwójnie go kliknij) 3. Zainicjuje się linia komend i dostaniesz pierwszy z ekranów z prośbą o “wciśniecie jakiegokolwiek klawisza by kontynuować” więc z klawiatury ENTER: 4. Dostaniesz menu wyboru opcji na niebieskim ekranie: wpisz 2 i naciśnij ENTER 5. Zostanie uruchomione czyszczenie właściwe rozpoczęte od zabicia procesu explorer.exe (zniknie Pulpit i pasek zadań). Następnie padnie pytanie Do you want to clean the registry? - wpisz z klawiatury Y i ENTER, co zainicjuje usuwania kluczyków i restrykcji tapetek. 6.W dalszej kolejności narzędzie sprawdzi czy plik wininet.dll jest zainfekowany a jeśli tak, to może paść pytanie o podmianę pliku, o ile czystą kopię znaleziono: Replace infected file? = Y i ENTER. Jeśli „wininet” nie jest zarażony, to to zostanie pominięte. 7.Finalnie może być wymagany reset komputera by ukończyć sprzątanie.

.

Potem:

Te w/w wpisy sfiksuj w Hijacku (jeśli jeszcze będą):

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Potem ściągnij -->ComboFix (na dole tej strony z linku).

Wklej do Notatnika :

File::

C:\WINDOWS\ftpsconfig.dll

C:\Documents and Settings\dziubki\Menu Start\Programy\Autostart\PowerReg Scheduler.exe

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Daj tu raport SmitfraudFixa i log z ComboFixa.

jessi

xjasiux · 12 Październik 2007 10:20

ComboFix 07-10-12.4 - dziubki 2007-10-12 12:09:23.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.546 [GMT 2:00] Running from: D:\ComboFix.exe Command switches used :: D:\CFScript.txt * Created a new restore point FILE:: C:\Documents and Settings\dziubki\Menu Start\Programy\Autostart\PowerReg Scheduler.exe C:\WINDOWS\ftpsconfig.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\dziubki\Ulubione\Error Cleaner.url C:\Documents and Settings\dziubki\Ulubione\Error Cleaner.url C:\Documents and Settings\dziubki\Ulubione\Error Cleaner.url C:\Documents and Settings\dziubki\Ulubione\Privacy Protector.url C:\Documents and Settings\dziubki\Ulubione\Privacy Protector.url C:\Documents and Settings\dziubki\Ulubione\Privacy Protector.url C:\Documents and Settings\dziubki\Ulubione\SpywareMalware Protection.url C:\Documents and Settings\dziubki\Ulubione\SpywareMalware Protection.url C:\Documents and Settings\dziubki\Ulubione\SpywareMalware Protection.url C:\Program Files\Common Files{2CE92~1 C:\Program Files\Common Files{3CE92~1 C:\Program Files\deskbar C:\Program Files\dobe~1 C:\Program Files\Outlook Express\tepehybex.html C:\WINDOWS\ftpsconfig.dll C:\WINDOWS\rs.txt C:\WINDOWS\system32\components C:\WINDOWS\system32\wnstssv.exe C:\WINDOWS\system32\wnstssv.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_CMDSERVICE -------\LEGACY_NETWORK_MONITOR ((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 ))))))))))))))))))))))))))))))) . 2007-10-12 12:08 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-12 11:13 1,498 --a------ C:\WINDOWS\system32\tmp.reg 2007-10-12 10:24 2007-10-12 00:37 2007-10-11 21:13 2007-10-11 20:50 2007-10-11 17:45 2007-10-11 17:44 2007-10-10 15:10 584,192 -----c— C:\WINDOWS\system32\dllcache\rpcrt4.dll 2007-10-08 19:45 2007-10-08 19:45 2007-10-07 16:51 2007-10-06 18:12 2007-10-06 18:12 2007-10-06 12:34 2007-10-06 07:05 2007-09-30 18:59 2007-09-20 18:39 37,760 --a------ C:\WINDOWS\system32\drivers\P2k.sys 2007-09-20 18:38 77,895 --a------ C:\WINDOWS\system32\unibus_tcutil.dll 2007-09-20 17:52 139,264 --a------ C:\WINDOWS\system32\WkWin32.dll 2007-09-20 17:52 67,072 --a------ C:\WINDOWS\system32\drivers\Wibukey.sys 2007-09-20 17:52 57,552 --a------ C:\WINDOWS\system32\WKDOS.EXE 2007-09-20 17:52 52,736 --a------ C:\WINDOWS\system\WkWin.dll 2007-09-20 17:52 29,696 --a------ C:\WINDOWS\system32\drivers\Wibukey2.sys 2007-09-20 17:51 2007-09-20 17:24 2007-09-20 16:25 2007-09-16 11:04 2007-09-15 00:56 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-12 09:23 --------- d-----w C:\Documents and Settings\dziubki\Dane aplikacji\The Bat! 2007-10-11 23:53 --------- d-----w C:\Program Files\FlashGet 2007-10-11 21:50 --------- d-----w C:\Documents and Settings\dziubki\Dane aplikacji\Xfire 2007-10-11 20:47 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys 2007-10-11 18:41 --------- d-----w C:\Program Files\Winamp 2007-10-09 19:49 --------- d-s—w C:\Program Files\Xfire 2007-10-07 14:48 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-10-07 08:13 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-10-05 18:05 --------- d-----w C:\Program Files\eMule 2007-09-20 14:25 --------- d-----w C:\Program Files\Last.fm 2007-09-16 09:01 --------- d-----w C:\Program Files\Lavalys 2007-09-15 07:58 42,944 ----a-w C:\Documents and Settings\dziubki\Dane aplikacji\GDIPFONTCACHEV1.DAT 2007-09-09 00:05 --------- d-----w C:\Documents and Settings\dziubki\Dane aplikacji\Skype 2007-09-01 09:28 --------- d-----w C:\Program Files\AGEIA Technologies 2007-09-01 09:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-09-01 08:47 --------- d-----w C:\Documents and Settings\dziubki\Dane aplikacji\InstallShield 2007-09-01 00:09 --------- d-----w C:\Documents and Settings\dziubki\Dane aplikacji\My Games 2007-08-26 13:46 --------- d-----w C:\Program Files\Zylom Games 2007-08-26 13:46 --------- d-----w C:\Program Files\UTCacheCleaner3 2007-08-22 13:17 0 —ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf 2007-08-22 13:17 0 —ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf 2007-08-04 23:13 98,304 ----a-w C:\WINDOWS\system32CmdLineExt.dll 2006-11-07 18:45 14 ----a-w C:\Documents and Settings\dziubki\getfile.dat 2006-06-27 19:07 138 ----a-w C:\Program Files\INSTALL.LOG 2005-07-29 15:24:26 472 --sha-r C:\WINDOWS\c2t1cA\wZQYwE.vbs . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SmcService”=“C:\PROGRA~1\Sygate\SPF\smc.exe” [2004-10-15 20:40] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2006-05-31 03:13] “NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-08-11 21:43] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “BitComet - a BitTorrent Client”=“C:\Program Files\BitComet\BitComet.exe” [2007-07-19 09:28] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-05-10 16:36] “DAEMON Tools”=“C:\Program Files\DAEMON Tools\daemon.exe” [2007-04-04 00:29] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= C:\Program Files\Windows NT\woroked.html FriendlyName= [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] “Skype”=“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” /tray “CTFMON.EXE”=C:\WINDOWS\system32\ctfmon.exe “Comrade.exe”=C:\Program Files\GameSpy\Comrade\Comrade.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] “NeroFilterCheck”=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe “New.net Startup”=rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s “NvMediaCenter”=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit “Device Detector”=DevDetect.exe -autorun “SunJavaUpdateSched”=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe “nwiz”=nwiz.exe /install “NvCplDaemon”=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup “PWRISOVM.EXE”=C:\Program Files\PowerISO\PWRISOVM.EXE R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs S2 FILESpy;FILESpy;??\C:\Program Files\Softwin\BitDefender9\filespy.sys S2 REGSpy;REGSpy;??\C:\Program Files\Softwin\BitDefender9\regspy.sys S3 ldiskl;ldiskl;??\C:\DOCUME~1\dziubki\USTAWI~1\Temp\ldiskl.sys S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys S3 portio;portio;??\C:\Program Files\Zinf\portio.sys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs UxTuneUp [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{12170605-699c-11db-98b4-0011d896200a}] AutoRun\command - H:\datas\autorun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e49a79bc-b3ca-11db-9940-0011d896200a}] AutoRun\command - G:\autorun.exe . Contents of the ‘Scheduled Tasks’ folder “2007-10-05 15:15:48 C:\WINDOWS\Tasks\1-Click Maintenance.job” . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-12 12:12:57 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-10-12 12:13:59 - machine was rebooted . — E O F — ■■■■■■■ log z simfraudix sobie skasowałem przez przypadek…Dam jeszcze raz skana z hijack this i simfraudfix. SmitFraudFix v2.240 Scan done at 12:19:26,07, 2007-10-12 Run from D:\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Raxco\PerfectDisk\PDAgent.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe C:\Program Files\Raxco\PerfectDisk\PDEngine.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dziubki »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dziubki\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\dziubki\Ulubione »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] “Source”=“C:\Program Files\Windows NT\woroked.html” “SubscribedURL”="" “FriendlyName”="" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2] “Source”=“About:Home” “SubscribedURL”=“About:Home” “FriendlyName”=“Moja bieľĄca strona g˘wna” »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] “AppInit_DLLs”="" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “System”="" »»»»»»»»»»»»»»»»»»»»»»»» Rustock »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: NVIDIA nForce Networking Controller - Sterownik miniport Harmonogramu pakietów DNS Server Search Order: 62.179.1.60 DNS Server Search Order: 62.179.1.61 HKLM\SYSTEM\CCS\Services\Tcpip…{544F3587-86FA-43FE-B3A1-F5A7FA5E52D1}: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS1\Services\Tcpip…{544F3587-86FA-43FE-B3A1-F5A7FA5E52D1}: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS2\Services\Tcpip…{0841E831-E8C5-44DF-8944-8E1B5D2FED27}: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS3\Services\Tcpip…{544F3587-86FA-43FE-B3A1-F5A7FA5E52D1}: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End Logfile of HijackThis v1.99.1 Scan saved at 12:20:23, on 2007-10-12 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Raxco\PerfectDisk\PDAgent.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe C:\Program Files\Raxco\PerfectDisk\PDEngine.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\notepad.exe D:\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O4 - HKLM…\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU…\Run: [bitComet - a BitTorrent Client] C:\Program Files\BitComet\BitComet.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O8 - Extra context menu item: Download with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: Download all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing) O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing) Ale chyba czysto już jest. Dzięki Bardzo