SpyLocked icon


(Target3) #1

Hello

I caught the SpyLocked icon.

Alt triggers the tags. Alt with the tab letters.

Please help.

Logfile of HijackThis v1.99.1

Scan saved at 11:45:18, on 2007-05-11

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

D:\windows\System32\smss.exe

D:\windows\system32\csrss.exe

D:\windows\system32\winlogon.exe

D:\windows\system32\services.exe

D:\windows\system32\lsass.exe

D:\windows\system32\svchost.exe

D:\windows\system32\svchost.exe

D:\windows\System32\svchost.exe

D:\windows\System32\svchost.exe

D:\windows\System32\svchost.exe

D:\windows\Explorer.EXE

D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

D:\Program Files\Alwil Software\Avast4\ashServ.exe

D:\Program Files\Common Files\Real\Update_OB\realsched.exe

D:\windows\system32\ctfmon.exe

D:\Program Files\Alwil Software\Avast4\ashDisp.exe

D:\windows\system32\spoolsv.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\windows\System32\svchost.exe

D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

D:\windows\System32\alg.exe

D:\PROGRA~1\MOZILL~1\firefox.exe

D:\Documents and Settings\admin\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\AcrobatReader 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - D:\Program Files\DIALux 3.1\DLXShellExtension.dll

O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [loaddll] loaddll.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [RealPlayer] "D:\Program Files\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

O4 - Startup: Skrót do ashDisp.lnk = D:\Program Files\Alwil Software\Avast4\ashDisp.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'syswvnt.dll' missing

O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://82.160.71.201/AL/WinWebPush.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E13903-48CD-459F-8E69-EEDE4DC1C02F}: NameServer = 85.255.114.43,85.255.112.165

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.43 85.255.112.165

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.43 85.255.112.165

O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - D:\Program Files\DIALux 3.1\DLXToolBox.dll

O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - D:\Program Files\Nero\InCD\InCDsrv.exe (file missing)

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - D:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe (file missing)

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

(qrczak13) #2

Download LSP-Fix, tick "I know what I'm doing",

then in the Keep pane select the syswvnt.dll library, use the arrow (>>) to move it to the Remove pane, click Finish and restart.

Delete the file marked in red manually from the disk in safe mode, and the entries in HJT.

Use FixWareOut.

Run SmitFraudFix, option 2, in safe mode.

New HJT and SilentRunners logs, plus c:\rapport.txt and C:\Fixwareout\report.txt.


(Target3) #3

The icon has disappeared. Alt is OK.

Thank you.

Here are the logs after carrying out the recommendations.

Logfile of HijackThis v1.99.1

Scan saved at 15:18:39, on 2007-05-13

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

D:\windows\System32\smss.exe

D:\windows\system32\winlogon.exe

D:\windows\system32\services.exe

D:\windows\system32\lsass.exe

D:\windows\system32\svchost.exe

D:\windows\System32\svchost.exe

D:\windows\Explorer.EXE

D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

D:\Program Files\Alwil Software\Avast4\ashServ.exe

D:\Program Files\Common Files\Real\Update_OB\realsched.exe

D:\windows\system32\ctfmon.exe

D:\Program Files\Alwil Software\Avast4\ashDisp.exe

D:\windows\system32\spoolsv.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\windows\System32\svchost.exe

D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

D:\PROGRA~1\MOZILL~1\firefox.exe

D:\Documents and Settings\admin\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\AcrobatReader 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - D:\Program Files\DIALux 3.1\DLXShellExtension.dll

O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [loaddll] loaddll.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [RealPlayer] "D:\Program Files\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

O4 - Startup: Skrót do ashDisp.lnk = D:\Program Files\Alwil Software\Avast4\ashDisp.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://82.160.71.201/AL/WinWebPush.cab

O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - D:\Program Files\DIALux 3.1\DLXToolBox.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - D:\Program Files\Nero\InCD\InCDsrv.exe (file missing)

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - D:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe (file missing)

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "D:\windows\system32\ctfmon.exe" [MS]

"RealPlayer" = ""D:\Program Files\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot" ["RealNetworks, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"TkBellExe" = ""D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

"loaddll" = "loaddll.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

 -> {HKLM...CLSID} = "AcroIEHlprObj Class"

          \InProcServer32\(Default) = "D:\Program Files\AcrobatReader 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2}\(Default) = (no title provided)

 -> {HKLM...CLSID} = "DIALux 3.1 ULDBrowserHelper Class"

          \InProcServer32\(Default) = "D:\Program Files\DIALux 3.1\DLXShellExtension.dll" ["DIAL GmbH, Germany"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

 -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

          \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

 -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

          \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

 -> {HKLM...CLSID} = "AlcoholShellEx"

          \InProcServer32\(Default) = "D:\PROGRA~1\ALCOCH~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

 -> {HKLM...CLSID} = "Microsoft Office Outlook"

          \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

 -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

          \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

 -> {HKLM...CLSID} = "WinRAR"

          \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"

 -> {HKLM...CLSID} = "Shell Extension for CDRW"

          \InProcServer32\(Default) = "D:\Program Files\Nero\InCD\incdshx.dll" [file not found]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

 -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

          \InProcServer32\(Default) = "D:\Program Files\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8"

 -> {HKLM...CLSID} = "BitDefender Antivirus v8"

          \InProcServer32\(Default) = "D:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

 -> {HKLM...CLSID} = "avast"

          \InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{7EFFF3DD-71B3-11D4-A25E-005056DCFB89}" = "DIALux 2.0 ULDShellHandler Class"

 -> {HKLM...CLSID} = "DIALux 2.0 ULDShellHandler Class"

          \InProcServer32\(Default) = "D:\Program Files\DIALux 3.1\DLXShellExtension.dll" ["DIAL GmbH, Germany"]

"{7889C2D5-D128-43e2-A8D8-A7590A12C8B3}" = "DIALux 2.0 DLXShellHandler Class"

 -> {HKLM...CLSID} = "DIALux 2.0 DLXShellHandler Class"

          \InProcServer32\(Default) = "D:\Program Files\DIALux 3.1\DLXShellExtension.dll" ["DIAL GmbH, Germany"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

<> "{716002db-288c-4bf0-80cd-a467e78d8b55}" = "depreciable"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "D:\windows\system32\dxovx.dll" [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

<> "AppInit_DLLs" = "sockspy.dll" [null data]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

 -> {HKLM...CLSID} = "avast"

          \InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

DIALux20\(Default) = "{7EFFF3DD-71B3-11D4-A25E-005056DCFB89}"

 -> {HKLM...CLSID} = "DIALux 2.0 ULDShellHandler Class"

          \InProcServer32\(Default) = "D:\Program Files\DIALux 3.1\DLXShellExtension.dll" ["DIAL GmbH, Germany"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

 -> {HKLM...CLSID} = "WinRAR"

          \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

 -> {HKLM...CLSID} = "WinRAR"

          \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

 -> {HKLM...CLSID} = "avast"

          \InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"

 -> {HKLM...CLSID} = "BitDefender Antivirus v8"

          \InProcServer32\(Default) = "D:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

 -> {HKLM...CLSID} = "WinRAR"

          \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "D:\windows\System32\logon.scr" [MS]


Startup items in "admin" & "All Users" startup folders:

-------------------------------------------------------


D:\Documents and Settings\admin\Menu Start\Programy\Autostart

"Skrót do ashDisp" -> shortcut to: "D:\Program Files\Alwil Software\Avast4\ashDisp.exe" ["ALWIL Software"]


Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}"

 -> {HKLM...CLSID} = "Java Plug-in 1.5.0_05"

          \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "D:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""D:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]

avast! iAVS4 Control Service, aswUpdSv, ""D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]

avast! Mail Scanner, avast! Mail Scanner, ""D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

BitDefender Communicator, XCOMM, ""D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]

BitDefender Scan Server, bdss, ""D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]

Machine Debug Manager, MDM, ""D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]


Keyboard Driver Filters:

------------------------


HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

"UpperFilters" = <> "msikbd2k" ["Netropa Corporation"]


Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

 launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

 DLL launch points, use the -supp parameter or answer "No" at the

 first message box and "Yes" at the second message box.

---------- (total run time: 223 seconds, including 18 seconds for message boxes)

SmitFraudFix v2.181


Scan done at 14:57:45,02, 2007-05-13

Run from D:\Documents and Settings\admin\Pulpit\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{716002db-288c-4bf0-80cd-a467e78d8b55}"="depreciable"


[HKEY_CLASSES_ROOT\CLSID\{716002db-288c-4bf0-80cd-a467e78d8b55}\InProcServer32]

@="D:\windows\system32\dxovx.dll"


[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{716002db-288c-4bf0-80cd-a467e78d8b55}\InProcServer32]

@="D:\windows\system32\dxovx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost 


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


GenericRenosFix by S!Ri


D:\windows\system32\dxovx.dll -> Hoax.Win32.Renos.gen.m

D:\windows\system32\dxovx.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


D:\Program Files\Video AX Object\ Deleted


»»»»»»»»»»»»»»»»»»»»»»»» DNS


Description: Karta SURECOM EP-320X-R 100/10/M PCI Adapter - Sterownik miniport Harmonogramu pakietów

DNS Server Search Order: 85.31.224.10

DNS Server Search Order: 85.31.224.11

DNS Server Search Order: 217.17.34.10


HKLM\SYSTEM\CCS\Services\Tcpip\..\{2FE0D35D-A7DC-497F-A781-4F6863D851F5}: DhcpNameServer=85.255.114.43,85.255.112.165

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A3E13903-48CD-459F-8E69-EEDE4DC1C02F}: DhcpNameServer=85.31.224.10 85.31.224.11 217.17.34.10

HKLM\SYSTEM\CS1\Services\Tcpip\..\{2FE0D35D-A7DC-497F-A781-4F6863D851F5}: DhcpNameServer=85.255.114.43,85.255.112.165

HKLM\SYSTEM\CS1\Services\Tcpip\..\{A3E13903-48CD-459F-8E69-EEDE4DC1C02F}: DhcpNameServer=85.31.224.10 85.31.224.11 217.17.34.10

HKLM\SYSTEM\CS3\Services\Tcpip\..\{2FE0D35D-A7DC-497F-A781-4F6863D851F5}: DhcpNameServer=85.255.114.43,85.255.112.165

HKLM\SYSTEM\CS3\Services\Tcpip\..\{A3E13903-48CD-459F-8E69-EEDE4DC1C02F}: DhcpNameServer=87.204.188.2 217.17.34.10

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=85.31.224.10 85.31.224.11 217.17.34.10

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.31.224.10 85.31.224.11 217.17.34.10

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=87.204.188.2 217.17.34.10


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


Fixwareout

Last edited 4/5/2007

Post this report in the forums please

...

»»»»»Prerun check

HKLM\SOFTWARE\~\Winlogon\ "System"="kdtdn.exe"

»»»»» System restarted

»»»»» Postrun check

HKLM\SOFTWARE\~\Winlogon\ "system"=""

....

....

»»»»» Misc files.

....

»»»»» Checking for older varients.

....

Search five digit cs, dm, kd, jb, other, files.

The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

Click browse, find the file then click submit.

http://www.virustotal.com/flash/index_en.html

Or http://virusscan.jotti.org/

»»»»» Other

D:\WINDOWS\Temp\kdtdn.ren 63365 2004-08-04

»»»»» Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="\"D:\Program Files\Common Files\Real\Update_OB\realsched.exe\" -osboot"

"loaddll"="loaddll.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="D:\windows\system32\ctfmon.exe"

"RealPlayer"="\"D:\Program Files\RealPlayer\realplay.exe\" /RunUPGToolCommandReBoot"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»

Please assess whether everything is in order.


(adam9870) #4

Remove the entry with HJT.

Open Notepad and paste this into it:

File >>> Save as >>> change the type from TXT to All files >>> save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.

Download and run ATF Cleaner >>> select Empty Selected >>> wait a moment for a certain message to appear >>> click Empty Selected again >>> restart the computer.


(Target3) #5

Thank you very much for the help. I am a layman in these matters.

I did everything as recommended. The entry has disappeared.

Here is the HJT log:

Logfile of HijackThis v1.99.1

Scan saved at 20:18:36, on 2007-05-14

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

D:\windows\System32\smss.exe

D:\windows\system32\winlogon.exe

D:\windows\system32\services.exe

D:\windows\system32\lsass.exe

D:\windows\system32\svchost.exe

D:\windows\System32\svchost.exe

D:\windows\Explorer.EXE

D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

D:\Program Files\Alwil Software\Avast4\ashServ.exe

D:\Program Files\Common Files\Real\Update_OB\realsched.exe

D:\windows\system32\ctfmon.exe

D:\Program Files\Alwil Software\Avast4\ashDisp.exe

D:\windows\system32\spoolsv.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\windows\System32\svchost.exe

D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

D:\windows\system32\wuauclt.exe

D:\Documents and Settings\admin\Pulpit\programy do naprawy i logów\hijackthis\HijackThis.exe

D:\Program Files\Alwil Software\Avast4\setup\avast.setup


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\AcrobatReader 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - D:\Program Files\DIALux 3.1\DLXShellExtension.dll

O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] D:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [RealPlayer] "D:\Program Files\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

O4 - Startup: Skrót do ashDisp.lnk = D:\Program Files\Alwil Software\Avast4\ashDisp.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://82.160.71.201/AL/WinWebPush.cab

O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - D:\Program Files\DIALux 3.1\DLXToolBox.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - D:\Program Files\Nero\InCD\InCDsrv.exe (file missing)

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - D:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe (file missing)

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

ATF Cleaner showed the message:

No files were removed

Please let me know whether it is OK now.

Thank you again for the help.


(Slake1) #6

The log is clean.


(Target3) #7

Thank you very much for the help.