xjasiux
(Xjasiux)
12 October 2007 09:17
#1
I can't get rid of fake Windows Security Center alerts. The first one is about the Looksky trojan and the second one looks something like this:
There are also BitDefender entries in the log, but I no longer have it installed and the entries won't delete.
Logfile of HijackThis v1.99.1
Scan saved at 10:51:30, on 2007-10-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\totalcmd\TOTALCMD.EXE
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5lid=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: The netadv - {D1413F77-5B69-4562-84E1-78F997794E9D} - C:\WINDOWS\netadv.dll
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [bitComet - a BitTorrent Client] C:\Program Files\BitComet\BitComet.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: Download with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Download all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O18 - Filter: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - C:\WINDOWS\ftpsconfig.dll
O21 - SSODL: sysdx - {181C44CF-A409-4C46-97AD-69A6F7DB4C24} - C:\WINDOWS\sysdx.dll
O21 - SSODL: msmhost - {5A33F19F-55AC-4186-9351-1FFCD0ADFB52} - C:\WINDOWS\msmhost.dll (file missing)
O21 - SSODL: msmdev - {5C6D63A1-2DD2-40F3-94BA-12B9D3328244} - C:\WINDOWS\msmdev.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{2CE92482-07DA-1045-1017-050529060030}" = ""C:\Program Files\Common Files\{2CE92482-07DA-1045-1017-050529060030}\Update.exe" mc-110-12-0000272" [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BitComet - a BitTorrent Client" = "C:\Program Files\BitComet\BitComet.exe" ["www.BitComet.com "]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "IeCatch5 Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["FlashGet"]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
  -> {HKLM...CLSID} = "BitComet Helper"
     \InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll" ["BitComet"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
     \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AxShlex.dll" ["Alcohol Soft Development Team"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{C1728FC8-0162-4827-85B0-8420B5B20263}" = "All Converter"
  -> {HKLM...CLSID} = "All Converter"
     \InProcServer32\(Default) = "C:\Program Files\Admiresoft\Super Mp3 Converter\CMExt.dll" [null data]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"sysdx" = "{181C44CF-A409-4C46-97AD-69A6F7DB4C24}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\sysdx.dll" [null data]
"msmhost" = "{5A33F19F-55AC-4186-9351-1FFCD0ADFB52}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\msmhost.dll" [file not found]
"msmdev" = "{5C6D63A1-2DD2-40F3-94BA-12B9D3328244}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\msmdev.dll" [file not found]

HKLM\System\CurrentControlSet\Control\Session Manager\
"BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"

HKLM\Software\Classes\PROTOCOLS\Filter\
text/html\CLSID = "{0EB00690-8FA1-11D3-96C7-829E3EA50C29}"
  -> {HKLM...CLSID} = "MimeFilter"
     \InProcServer32\(Default) = "C:\WINDOWS\ftpsconfig.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dziubki\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "dziubki" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\dziubki\Menu Start\Programy\Autostart
"PowerReg Scheduler.exe" [empty string]

Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 19
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"
  -> {HKLM...CLSID} = "FlashGet Bar"
     \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\fgiebar.dll" ["Amaze Soft"]
"{D1413F77-5B69-4562-84E1-78F997794E9D}" = (no title provided)
  -> {HKLM...CLSID} = "The netadv"
     \InProcServer32\(Default) = "C:\WINDOWS\netadv.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{E7A829CC-671F-4C3D-B590-8C0AEA72E6B2}\(Default) = "BitComet Search"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll" ["BitComet"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{461CC20B-FB6E-4F16-8FE8-C29359DB100E}\
"ButtonText" = "BitComet Search"

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
"TuneUp" = "file://C|/Documents and Settings/All Users.WINDOWS/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]
"Tabs" = "res://ieframe.dll/tabswelcome.htm" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PDAgent, PDAgent, ""C:\Program Files\Raxco\PerfectDisk\PDAgent.exe"" ["Raxco Software, Inc."]
PDEngine, PDEngine, ""C:\Program Files\Raxco\PerfectDisk\PDEngine.exe"" ["Raxco Software, Inc."]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
StarWind AE Service, StarWindServiceAE, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
TuneUp Design Expansion, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

---------- (launch time: 2007-10-12 10:52:50)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at
  the first message box and "Yes" at the second message box.
---------- (total run time: 221 seconds, including 6 seconds for message boxes)


SmitFraudFix v2.240

Scan done at 11:12:53,76, 2007-10-12
Run from D:\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\totalcmd\TOTALCMD.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\netadv.dll FOUND !
C:\WINDOWS\sysdx.dll FOUND !
C:\WINDOWS\wsremover.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dziubki

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dziubki\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\dziubki\Ulubione

C:\DOCUME~1\dziubki\Ulubione\Error Cleaner.url FOUND !
C:\DOCUME~1\dziubki\Ulubione\Privacy Protector.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\VideoAccessCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\Program Files\Windows NT\woroked.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\Program Files\Outlook Express\tepehybex.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Moja bieżąca strona główna"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Sterownik miniport Harmonogramu pakietów
DNS Server Search Order: 62.179.1.60
DNS Server Search Order: 62.179.1.61

HKLM\SYSTEM\CCS\Services\Tcpip\..\{544F3587-86FA-43FE-B3A1-F5A7FA5E52D1}: DhcpNameServer=62.179.1.60 62.179.1.61
HKLM\SYSTEM\CS1\Services\Tcpip\..\{544F3587-86FA-43FE-B3A1-F5A7FA5E52D1}: DhcpNameServer=62.179.1.60 62.179.1.61
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0841E831-E8C5-44DF-8944-8E1B5D2FED27}: DhcpNameServer=62.179.1.60 62.179.1.61
HKLM\SYSTEM\CS3\Services\Tcpip\..\{544F3587-86FA-43FE-B3A1-F5A7FA5E52D1}: DhcpNameServer=62.179.1.60 62.179.1.61
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=62.179.1.60 62.179.1.61

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
jessica
(jessica)
12 October 2007 09:41
#2
You probably used SmitfraudFix with option no. 1, so now:
Use it with the "Clean" option, i.e. type 2 and press ENTER.
After using it you may need to set the wallpaper again (i.e. right-click on the desktop >> Properties, etc.)
Post its report from C:\SmitfraudFix.txt.
Instructions:
1. Start the computer in Safe Mode, which is described HERE. (You can first try removing in Normal Mode; this often works.)
2. Run SmitfraudFix.exe (double-click it).
3. A command line window will open and you will get the first screen asking you to "press any key to continue", so press ENTER on the keyboard.
4. You will get an option menu on a blue screen: type 2 and press ENTER.
5. The actual cleaning will start, beginning with killing the explorer.exe process (the Desktop and taskbar will disappear). Then the question Do you want to clean the registry? will appear: type Y and ENTER, which starts removing the keys and the wallpaper restrictions.
6. Next the tool will check whether the wininet.dll file is infected, and if so, it may ask to replace the file, provided a clean copy was found: Replace infected file? = Y and ENTER. If "wininet" is not infected, this step is skipped.
7. Finally, a computer restart may be required to finish the cleanup.
Then:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2
O3 - Toolbar: The netadv - {D1413F77-5B69-4562-84E1-78F997794E9D} - C:\WINDOWS\netadv.dll
O4 - Startup: PowerReg Scheduler.exe
O18 - Filter: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - C:\WINDOWS\ftpsconfig.dll
O21 - SSODL: sysdx - {181C44CF-A409-4C46-97AD-69A6F7DB4C24} - C:\WINDOWS\sysdx.dll
O21 - SSODL: msmhost - {5A33F19F-55AC-4186-9351-1FFCD0ADFB52} - C:\WINDOWS\msmhost.dll (file missing)
O21 - SSODL: msmdev - {5C6D63A1-2DD2-40F3-94BA-12B9D3328244} - C:\WINDOWS\msmdev.dll (file missing)
Fix the above entries in HijackThis (if they are still there):
>>HijackThis>>Scan (Do a system scan only)>>check them>>Fix checked.
Then download --> ComboFix (from the link at the bottom of that page).
Paste into Notepad:
File::
C:\WINDOWS\ftpsconfig.dll
C:\Documents and Settings\dziubki\Menu Start\Programy\Autostart\PowerReg Scheduler.exe
>>File>>Save as… >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto ComboFix.exe (i.e. the CFScript.txt icon onto the ComboFix.exe icon)
- as in this picture ->
(if the question " 1 or 2 " appears, type 1 and press ENTER.) The removal should then start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
Post the SmitfraudFix report and the ComboFix log here.
jessi
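As an added example (not part of either post, and not code from HijackThis, SmitfraudFix or ComboFix), a small Python triage script that encodes why the helper singled out exactly the R0, O3, O4, O18, O21 entries and the orphaned BitDefender O23 services in the log above. The start-page allowlist and the per-section rules are assumptions made for this example; the sample log is constructed from entries copied from the thread.

```python
import re
from urllib.parse import urlparse

# Hosts a stock IE start page may point at; an assumed allowlist for this example.
DEFAULT_START_HOSTS = {"www.msn.com", "msn.com", "www.google.com", "www.microsoft.com"}

ENTRY = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.+)$")
# A DLL or EXE sitting directly in C:\WINDOWS (not in a subfolder): unusual for
# legitimate software, typical for the rogue components seen in this thread.
WINROOT_FILE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:dll|exe)\b", re.IGNORECASE)


def target_path(body):
    """The last ' - ' separated field of a HijackThis entry names the file it loads."""
    return body.rsplit(" - ", 1)[-1].strip()


def classify(line):
    """Return a reason to fix this HijackThis entry, or None if it looks benign."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    path = target_path(body)
    if sec in ("R0", "R1") and "=" in body:
        host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
        if host and host not in DEFAULT_START_HOSTS:
            return "start/search page redirected to " + host
    elif sec == "O21":
        if "(file missing)" in body:
            return "SSODL entry whose DLL is gone (orphaned loader)"
        if WINROOT_FILE.match(path):
            return "SSODL loading a DLL straight from the Windows directory"
        return "SSODL entry: review, legitimate ones are rare"
    elif sec == "O3" and WINROOT_FILE.match(path):
        return "toolbar DLL in the Windows directory root"
    elif sec == "O18" and body.startswith("Filter: text/html"):
        return "custom text/html MIME filter (browser hijack hook)"
    elif sec == "O4" and body.startswith("Startup:"):
        return "program launched from the Startup folder"
    elif sec == "O23" and "(file missing)" in body:
        return "service whose executable is gone (uninstall leftover)"
    return None


def triage(log_text):
    """Return (section, reason, line) for every entry worth fixing, in log order."""
    findings = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            findings.append((line.split(" - ", 1)[0].strip(), reason, line.strip()))
    return findings


# Constructed sample: entries copied from the log in the thread, plus one
# benign line per section type so the rules can be seen skipping them.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm … Ojg5&lid=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: The netadv - {D1413F77-5B69-4562-84E1-78F997794E9D} - C:\WINDOWS\netadv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Startup: PowerReg Scheduler.exe
O18 - Filter: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - C:\WINDOWS\ftpsconfig.dll
O21 - SSODL: sysdx - {181C44CF-A409-4C46-97AD-69A6F7DB4C24} - C:\WINDOWS\sysdx.dll
O21 - SSODL: msmhost - {5A33F19F-55AC-4186-9351-1FFCD0ADFB52} - C:\WINDOWS\msmhost.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print("%-4s %-58s %s" % (sec, reason, line))
```

Running it prints the seven entries the helper asked to fix and skips the Acrobat BHO, the NOD32 Run entry and the live NOD32 service.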