Irdvxc + sysem i pewnie jeszcze kilka

Thorinbur · 7 Luty 2007 16:05

IRDVXC + SYSEM + pewnie jeszcze kilka

Bylbym bardzo wdzieczny za przejrzenie logow…

HijackThis

Logfile of HijackThis v1.99.1 Scan saved at 16:54:52, on 2007-02-07 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe E:\srv\Apache2\bin\Apache.exe C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe E:\Program Files\Autodesk\max\mentalray\satellite\raysat_3dsmax8server.exe C:\WINDOWS\system32\mnew2win.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZONELABS\vsmon.exe E:\srv\Apache2\bin\Apache.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe C:\Program Files\D-Tools\daemon.exe C:\Program Files\Trust\3011A WIRELESS OPTICAL DESKSET\Mouse\mouse32a.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\WINDOWS\services.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\WINDOWS\System32\mysvcc.exe C:\Program Files\AGEIA Technologies\TrayIcon.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\sysem.exe C:\WINDOWS\system32\srvc.exe C:\WINDOWS\System32\ctfmon.exe E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe E:\Program Files\Gadu-Gadu\gg.exe C:\WINDOWS\system32\mfcee.exe C:\WINDOWS\system32\sysem.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe E:\srv\Apache2\bin\ApacheMonitor.exe R:\programy\Motorola\A925 Desktop Suite\ConnMngmntBox.exe R:\programy\Motorola\A925 Desktop Suite\ECTaskScheduler.exe R:\Programy\Motorola\A925DE~1\Elogerr.exe C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe E:\No-IP\DUC20.exe R:\Programy\Motorola\A925DE~1\BROADC~1.EXE R:\Programy\Motorola\A925DE~1\SCRFS.exe C:\WINDOWS\System32\irdvxc.exe C:\Program Files\Wanadoo\EspaceWanadoo.exe C:\Program Files\Wanadoo\ComComp.exe E:\mozilla\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE R:\temp\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - R:\programy\GetRight\xx2gr.dll O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_98.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Trust\3011A WIRELESS OPTICAL DESKSET\Mouse\mouse32a.exe O4 - HKLM…\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM…\Run: [msconfig38] mssvcc.exe O4 - HKLM…\Run: [share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM…\Run: [services] C:\WINDOWS\services.exe O4 - HKLM…\Run: [msvcc25] svcchost.exe O4 - HKLM…\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup O4 - HKLM…\Run: [iSUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [mysvcig38] mysvcc.exe O4 - HKLM…\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [slack12] C:\WINDOWS\system32\mfcee.exe O4 - HKLM…\Run: [sysemls] C:\WINDOWS\system32\sysem.exe O4 - HKLM…\Run: [johnj315] C:\WINDOWS\system32\srvc.exe O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [mysvcig38] mysvcc.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “E:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [sysemls] C:\WINDOWS\system32\sysem.exe O4 - HKCU…\Run: [johnj315] C:\WINDOWS\system32\srvc.exe O4 - HKCU…\RunServices: [Compaq Service Drivers] winsvc32.exe O4 - HKCU…\RunServices: [MS database Service] winsql32.exe O4 - HKCU…\RunServices: [win msdt service] mswindtc.exe O4 - Startup: No-IP DUC.lnk = E:\No-IP\DUC20.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Monitor Apache Servers.lnk = E:\srv\Apache2\bin\ApacheMonitor.exe O4 - Global Startup: A925 Connection Manager.lnk = R:\programy\Motorola\A925 Desktop Suite\ConnMngmntBox.exe O4 - Global Startup: A925 Task Scheduler.lnk = R:\programy\Motorola\A925 Desktop Suite\ECTaskScheduler.exe O8 - Extra context menu item: Download with GetRight - R:\programy\GetRight\GRdownload.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Ebates. - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm O8 - Extra context menu item: Open with GetRight Browser - R:\programy\GetRight\GRbrowse.htm O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra ‘Tools’ menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra button: Ebates - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm (file missing) (HKCU) O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach … 0.0.15.cab O17 - HKLM\System\CCS\Services\Tcpip…{9D9F826F-7225-4D6F-A25E-A2F5427BC8EB}: NameServer = 194.204.152.34 217.98.63.164 O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing) O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing) O23 - Service: Apache2 - Unknown owner - E:\srv\Apache2\bin\Apache.exe" -k runservice (file missing) O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - E:\Program Files\Autodesk\max\mentalray\satellite\raysat_3dsmax8server.exe O23 - Service: mnew2win - Unknown owner - C:\WINDOWS\system32\mnew2win.exe O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)

Na czerwono wpisy szczegolnie mnie martwiace

I jaszcze Silent runer

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Gadu-Gadu” = ““E:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “sysemls” = “C:\WINDOWS\system32\sysem.exe” [null data] “johnj315” = “C:\WINDOWS\system32\srvc.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTSysVol” = “C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r” [“Creative Technology Ltd”] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] “FLMOFFICE4DMOUSE” = “C:\Program Files\Trust\3011A WIRELESS OPTICAL DESKSET\Mouse\mouse32a.exe” [empty string] “Zone Labs Client” = “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [“Zone Labs, LLC”] “msconfig38” = “mssvcc.exe” [file not found] “Share-to-Web Namespace Daemon” = “E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe” [“Hewlett-Packard”] “Services” = “C:\WINDOWS\services.exe” [null data] “msvcc25” = “svcchost.exe” [file not found] “ISUSPM Startup” = “C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup” [“InstallShield Software Corporation”] “ISUSScheduler” = ““C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start” [“InstallShield Software Corporation”] “Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe” [“Symantec Corporation”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” [MS] “mysvcig38” = “mysvcc.exe” [null data] “AGEIA PhysX SysTray” = “C:\Program Files\AGEIA Technologies\TrayIcon.exe” [null data] “TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”] “slack12” = “C:\WINDOWS\system32\mfcee.exe” [null data] “sysemls” = “C:\WINDOWS\system32\sysem.exe” [null data] “johnj315” = “C:\WINDOWS\system32\srvc.exe” [null data] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {31FF080D-12A3-439A-A2EF-4BA95A3148E8}(Default) = (no title provided) -> {HKLM…CLSID} = “bho2gr Class” \InProcServer32(Default) = “R:\programy\GetRight\xx2gr.dll” [“Headlight Software, Inc.”] {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}(Default) = (no title provided) -> {HKLM…CLSID} = “URLLink” \InProcServer32(Default) = “C:\Program Files\NewDotNet\newdotnet6_98.dll” [“New.net, Inc.”] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] {6A373B7E-496E-424f-A9BE-486A5E9AB018}(Default) = (no title provided) -> {HKLM…CLSID} = “BitComet Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{51EEE242-AD87-11d3-9C1E-0090278BBD99}” = “Vim Shell Extension” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\Program Files\Vim\vim63\gvimext.dll” [“Tianmiao Hu’s Developer Studio”] “{EC10012C-A920-4DBE-A13A-AB798F48E4FD}” = “My A925” -> {HKLM…CLSID} = “My A925” \InProcServer32(Default) = “R:\programy\Motorola\A925DE~1\pw32expl.dll” [“Motorola, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Program Files\WinRAR\rarext.dll” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “E:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}” = “IZArc DragDrop Menu” -> {HKLM…CLSID} = “IZArc DragDrop Menu” \InProcServer32(Default) = “E:\PROGRA~1\IZArc\IZArcCM.dll” [null data] “{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}” = “IZArc Shell Context Menu” -> {HKLM…CLSID} = “IZArc Shell Context Menu” \InProcServer32(Default) = “E:\PROGRA~1\IZArc\IZArcCM.dll” [null data] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “E:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{6DEA92E9-8682-4b6a-97DE-354772FE5727}” = “Autodesk DWF Preview” -> {HKLM…CLSID} = “ACDWFTHMBPRXY” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\AcDwfThmbPrxy16.dll” [“Autodesk”] “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> rpcc\DLLName = “C:\WINDOWS\System32\rpcc.dll” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “E:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ gvim(Default) = “{51EEE242-AD87-11d3-9C1E-0090278BBD99}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\Program Files\Vim\vim63\gvimext.dll” [“Tianmiao Hu’s Developer Studio”] IZArcCM(Default) = “{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}” -> {HKLM…CLSID} = “IZArc Shell Context Menu” \InProcServer32(Default) = “E:\PROGRA~1\IZArc\IZArcCM.dll” [null data] Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ IZArcCM(Default) = “{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}” -> {HKLM…CLSID} = “IZArc Shell Context Menu” \InProcServer32(Default) = “E:\PROGRA~1\IZArc\IZArcCM.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\Rafał\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Rafał\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Rafał” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\Rafał\Menu Start\Programy\Autostart “No-IP DUC” -> shortcut to: “E:\No-IP\DUC20.exe” [“Vitalwerks LLC”] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W” [empty string] “Monitor Apache Servers” -> shortcut to: “E:\srv\Apache2\bin\ApacheMonitor.exe” [“Apache Software Foundation”] “A925 Connection Manager” -> shortcut to: “R:\programy\Motorola\A925 Desktop Suite\ConnMngmntBox.exe” [empty string] “A925 Task Scheduler” -> shortcut to: “R:\programy\Motorola\A925 Desktop Suite\ECTaskScheduler.exe” [“Motorola, Inc.”] Enabled Scheduled Tasks: ------------------------ “Symantec NetDetect” -> launches: “C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE” [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “C:\Program Files\NewDotNet\newdotnet6_98.dll” [“New.net, Inc.”] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Program Files\NewDotNet\newdotnet6_98.dll [“New.net, Inc.”], 01 - 02, 19 - 20 %SystemRoot%\system32\mswsock.dll [MS], 03 - 06, 09 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] “{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” -> {HKLM…CLSID} = “BitComet Toolbar” \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” = “BitComet Toolbar” -> {HKLM…CLSID} = “BitComet Toolbar” \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data] “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] Extensions (Tools menu items, main toolbar menu buttons) HKCU\Software\Microsoft\Internet Explorer\Extensions\ {F2B441CC-E026-47FB-BDC3-A07750FA3D2C}\ “ButtonText” = “Ebates” “Script” = “file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm” [file not found] HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}” -> {HKLM…CLSID} = “Java Plug-in 1.5.0_05” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll” [“Sun Microsystems, Inc.”] {E19ADC6E-3909-43E4-9A89-B7B676377EE3}\ “ButtonText” = “Sothink SWF Catcher” “MenuText” = “Sothink SWF Catcher” “Script” = “C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm” [null data] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Apache2, Apache2, ““E:\srv\Apache2\bin\Apache.exe” -k runservice” [“Apache Software Foundation”] Autodesk Licensing Service, Autodesk Licensing Service, ““C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe”” [“Autodesk”] Creative Service for CDROM Access, Creative Service for CDROM Access, “C:\WINDOWS\System32\CTsvcCDA.exe” [“Creative Technology Ltd”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] mnew2win, mnew2win, “C:\WINDOWS\system32\mnew2win.exe -s” [null data] Network helper Service, MSDisk, ““C:\WINDOWS\System32\irdvxc.exe” /service” [null data] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] RaySat_3dsmax8 Server, mi-raysat_3dsmax8, ““E:\Program Files\Autodesk\max\mentalray\satellite\raysat_3dsmax8server.exe”” [null data] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZONELABS\vsmon.exe -service” [“Zone Labs, LLC”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] WMDM PMSP Service, WMDM PMSP Service, “C:\WINDOWS\System32\MsPMSPSv.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 150 seconds, including 12 seconds for message boxes)

Z gory dziekuje a wszelka pomoc.

Proces irdvxc zajmuje coraz wiecej pamieci jak go zostawic. Proba zakonczenia jego proceu owocuje zwolnieniem okolo 2 mb. Gdy wreszcie uda sie go wylaczyc pojawia sie z nowu. Wylaczamy … znowu. Dopiera za 3 razem znika na stale, by pojawic sie po ponownym wlaczeniu komputera.

adam9870 · 7 Luty 2007 16:23

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Pobierz i odpal LSP-Fix zaznacz " I know what I’m doing" następnie w okienku Keep zaznacz bibliotekę newdotnet*_** i za pomocą strzałki (>>) przenieś ją do okienka Remover i kliknij Finish i restart.

Pobierz The avenger. Wypakuj => uruchom => zaznacz opcję Input script manually => kliknij w lupkę => w okienku, które się otworzy wklej:

Drivers to unload: mnew2win MSDisk Win32Kernel Folders to delete: C:\Program Files\NewDotNet Files to delete: C:\WINDOWS\system32\mssvcc.exe C:\WINDOWS\services.exe C:\WINDOWS\system32\mysvcc.exe C:\WINDOWS\system32\mfcee.exe C:\WINDOWS\system32\sysem.exe C:\WINDOWS\system32\srvc.exe C:\WINDOWS\system32\winsvc32.exe C:\WINDOWS\system32\winsql32.exe C:\WINDOWS\system32\mswindtc.exe C:\WINDOWS\System32\rpcc.dll C:\WINDOWS\system32\mnew2win.exe C:\WINDOWS\System32\irdvxc.exe C:\WINDOWS\win32host.exe Registry values to delete: “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” | “sysemls” “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” | “johnj315” “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” | “msconfig38” “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” | “Services” “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” | “msvcc25” “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” | “mysvcig38” “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” | “slack12” “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” | “sysemls” “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” | “johnj315” Registry keys to delete: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}

=> Kliknij klawisz Done => teraz kliknij na zielone światełko => powinna pojawić się pewna informacja i kliknij OK (teraz restart).

Po resecie może pojawić się okienko na dosłownie kilka sekund oraz log w notatniku. Wejdź tam gdzie masz avengera i skasuj plik backup.zip czyli np. c:\avenger\backup.zip.

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_98.dll O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O4 - HKLM…\Run: [msconfig38] mssvcc.exe O4 - HKLM…\Run: [services] C:\WINDOWS\services.exe O4 - HKLM…\Run: [msvcc25] svcchost.exe O4 - HKLM…\Run: [mysvcig38] mysvcc.exe O4 - HKLM…\Run: [slack12] C:\WINDOWS\system32\mfcee.exe O4 - HKLM…\Run: [sysemls] C:\WINDOWS\system32\sysem.exe O4 - HKLM…\Run: [johnj315] C:\WINDOWS\system32\srvc.exe O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [mysvcig38] mysvcc.exe O4 - HKCU…\Run: [sysemls] C:\WINDOWS\system32\sysem.exe O4 - HKCU…\Run: [johnj315] C:\WINDOWS\system32\srvc.exe O4 - HKCU…\RunServices: [Compaq Service Drivers] winsvc32.exe O4 - HKCU…\RunServices: [MS database Service] winsql32.exe O4 - HKCU…\RunServices: [win msdt service] mswindtc.exe O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach … alFWBIniti alSetup1.0.0.15.cab O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: mnew2win - Unknown owner - C:\WINDOWS\system32\mnew2win.exe O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing) O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)

Usuń wpisy HJT.

To Twój program? Jeśli nie to usuń folder ręcznie w trybie awaryjnym, a wpisy HJT.

Użyj SDFix oraz SmitFraudFix z opcji numer 2 w trybie awaryjnym.

Po wykonaniu pokaż nowy log z HijackThis, SilentRunners oraz zawartość pliku c:\rapport.txt.

Thorinbur · 7 Luty 2007 17:54

Nie wszystko poszlo zgodnie z planem… sciagnalem wszystkie programy i zapisalem twoj post w notatniku. Odlaczylem modem :mrgreen:

i pokolei wykonywalem punkty… Z przyczyn technicznych niebylem w stanie uruchomic systemu w trybie awaryjnym i wszysto robilem w trybie noralnym (problemy z dyskiem ).

Jesli piszac c:\rapport.txt. masz na mysli c:/avenger.txt to oto on (jak nie to tez na niego spojrz bo mial problem z dojsciem do niektorych kluczy w rejetrze.Pozatym plik c:/raport.txt nie istnieje). Zrobilem screna z konsoli ale jak zobaczylem raport w notatniku to go nie zapisywalem.

////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Syntax error in line — does not appear to be a valid registry path. Line will be ignored. Error code: 0 Line: HKCU\Software\Microsoft\Windows\CurrentVersion\Run" | “sysemls Syntax error in line — does not appear to be a valid registry path. Line will be ignored. Error code: 0 Line: HKCU\Software\Microsoft\Windows\CurrentVersion\Run” | "johnj315 ////////////////////////////////////////// Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\ccqxufrw ******************* Script file located at: ??\C:\WINDOWS\System32^abkuueq.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Driver mnew2win unloaded successfully. Driver MSDisk unloaded successfully. Driver Win32Kernel unloaded successfully. Folder C:\Program Files\NewDotNet deleted successfully. File C:\WINDOWS\system32\mssvcc.exe not found! Deletion of file C:\WINDOWS\system32\mssvcc.exe failed! Could not process line: C:\WINDOWS\system32\mssvcc.exe Status: 0xc0000034 File C:\WINDOWS\services.exe deleted successfully. File C:\WINDOWS\system32\mysvcc.exe deleted successfully. File C:\WINDOWS\system32\mfcee.exe deleted successfully. File C:\WINDOWS\system32\sysem.exe deleted successfully. File C:\WINDOWS\system32\srvc.exe deleted successfully. File C:\WINDOWS\system32\winsvc32.exe deleted successfully. File C:\WINDOWS\system32\winsql32.exe not found! Deletion of file C:\WINDOWS\system32\winsql32.exe failed! Could not process line: C:\WINDOWS\system32\winsql32.exe Status: 0xc0000034 File C:\WINDOWS\system32\mswindtc.exe not found! Deletion of file C:\WINDOWS\system32\mswindtc.exe failed! Could not process line: C:\WINDOWS\system32\mswindtc.exe Status: 0xc0000034 File C:\WINDOWS\System32\rpcc.dll deleted successfully. File C:\WINDOWS\system32\mnew2win.exe deleted successfully. File C:\WINDOWS\System32\irdvxc.exe deleted successfully. File C:\WINDOWS\win32host.exe not found! Deletion of file C:\WINDOWS\win32host.exe failed! Could not process line: C:\WINDOWS\win32host.exe Status: 0xc0000034 Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|msconfig38 deleted successfully. Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|Services deleted successfully. Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|msvcc25 deleted successfully. Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|mysvcig38 deleted successfully. Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|slack12 deleted successfully. Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|sysemls deleted successfully. Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|johnj315 deleted successfully. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc deleted successfully. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} deleted successfully. Completed script processing. ******************* Finished! Terminate.

Jest jednak sukces. Liczba procesów malała o jakieś 10. Po wykonaniu tych operacji irdvxc i sysem znikneły z listy procesów

Niestety nie moglem sie polaczyc do internetu (wszystko bylo niby ok ale ani zadna strona nie chciala sie otworzyc ani zone alarm nie pokazwal zadnego przeplywu danych. Otworzylem zpowrotem porty ktore zamknalem w Windows worm door cleaner, ale nie pomoglo (zaraz je zpowrotem zamkne ) Okazalo sie ze po uruchomieniu lspfix’a wykazal mi kilka bledow (wczesniej niby wszystko bylo ok) po ich naprawieniu internet dziala jak zloto

tu masz pozostale raporty:

HijackThis Logfile of HijackThis v1.99.1 Scan saved at 18:54:19, on 2007-02-07 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZONELABS\vsmon.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe C:\Program Files\D-Tools\daemon.exe C:\Program Files\Trust\3011A WIRELESS OPTICAL DESKSET\Mouse\mouse32a.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe E:\srv\Apache2\bin\ApacheMonitor.exe E:\No-IP\DUC20.exe C:\Program Files\Wanadoo\EspaceWanadoo.exe C:\Program Files\Wanadoo\ComComp.exe C:\WINDOWS\System32\svcchost.exe E:\mozilla\firefox.exe R:\temp\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - R:\programy\GetRight\xx2gr.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Trust\3011A WIRELESS OPTICAL DESKSET\Mouse\mouse32a.exe O4 - HKLM…\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM…\Run: [share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM…\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup O4 - HKLM…\Run: [iSUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “E:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Startup: No-IP DUC.lnk = E:\No-IP\DUC20.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Monitor Apache Servers.lnk = E:\srv\Apache2\bin\ApacheMonitor.exe O4 - Global Startup: A925 Connection Manager.lnk = R:\programy\Motorola\A925 Desktop Suite\ConnMngmntBox.exe O4 - Global Startup: A925 Task Scheduler.lnk = R:\programy\Motorola\A925 Desktop Suite\ECTaskScheduler.exe O8 - Extra context menu item: Download with GetRight - R:\programy\GetRight\GRdownload.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - R:\programy\GetRight\GRbrowse.htm O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O9 - Extra ‘Tools’ menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm O17 - HKLM\System\CCS\Services\Tcpip…{9D9F826F-7225-4D6F-A25E-A2F5427BC8EB}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing) O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing) O23 - Service: Apache2 - Unknown owner - E:\srv\Apache2\bin\Apache.exe" -k runservice (file missing) O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - E:\Program Files\Autodesk\max\mentalray\satellite\raysat_3dsmax8server.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

i SilentRunner

hmm…

Silent runner "niemoze uzyc “WMI” by zidentyfikowac mój system operacyjny. Spowodowane to jest bledem w instalacji WMI.

WMI jestzlozony i zalecane jest bym uzyl Microsoftowego narzedzia “WMIDag.vbs” by zdiagnozowac WMI w twoim systemie.

Kliknij ok by skoczyc do strony z ktorej mozna pobrac WMIDiag lub anuluj by wyjsc

-edit:Literowki

PS ebytesmoney(czy cos w tym stylu to nie moj program, lecz sciezka do nego nie istnieje wiec usunąłem tylko wpisy w Hijack’u

Gutek · 7 Luty 2007 18:44

usuń wpisy HJT, ale najpierw użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable. Po użyciu tego narzędzia wymagany jest reset sysa.

Użyj Pocket Killbox. Zaznaczasz opcję Delete on Reboot i w polu Full Path of File to Delete wklejasz ścieżkę

C:\WINDOWS\System32\svcchost.exe

i naciskasz X czerwony. Program poprosi o reset kompa … czyli resetujesz.

co do Silenta - http://www.searchengines.pl/phpbb203/in … opic=15989

Thorinbur · 7 Luty 2007 19:17

Nie będę już zamieszczał nowego raportu.

SilentRunner sam sie naprawił. Widac było to jakoś związane z moimi działaniami i gdy teraz wszystko jest ok już działa poprawnie.

Chciałem tylko podziękować za naprawdę szybką reakcję Adama i Gutka, dzięki czemu proces naprawy przebiegł szybko. Do tej pory musiałem ręcznie kończyć szkodliwe procesy ale ich usunięcie było zbyt trudne bez programów. Wszystkie linki okazały się pomocne a programy te zostaną na dłużej w kompterze

W razie jakichś problemów zgłosze się ponownie (o ile sam sobie nie poradze),

Dzięki!