Hello. On my computer Avast and other programs report that I have win32 agent-daw. Is there any way to remove it for good? I have already tried several times via the forum and it did not work. Maybe you know a program that will remove this junk? If there is something like that, please give me a link and short usage instructions if it is not in Polish. Should I give up and format? I have been fighting it for about a week and I am inclined to give up.
Where is this malware detected (exact location)?
To start with, post a full set of logs: HijackThis and SilentRunners:
It is detected in C:\WINDOWS\system32\winlogon
Posts merged: 04.02.2007 (Sun) 23:59
I will send the logs in a moment, because the computer is so sluggish that it will take a while.
Posts merged: 05.02.2007 (Mon) 0:07
There may be a problem with the logs, because if I connect the computer to the net it freezes. Can't anything be done without logs??
Posts merged: 05.02.2007 (Mon) 0:21
Logfile of HijackThis v1.99.1
Scan saved at 00:16, on 07-02-05
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Neostrada TP\taskbaricon.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\irdvxc.exe
C:\WINDOWS\System32\mysvcc.exe
C:\WINDOWS\System32\directxpushup.exe
C:\WINDOWS\system32\srrvc.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\urdvxc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\recsl.exe
e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\Run: [Microsoft Directx push] directxpushup.exe
O4 - HKLM\..\Run: [john315] C:\WINDOWS\system32\srrvc.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [Microsoft Directx push] directxpushup.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Microsoft Directx push] directxpushup.exe
O4 - HKCU\..\Run: [john315] C:\WINDOWS\system32\srrvc.exe
O4 - HKCU\..\RunServices: [Microsoft Directx push] directxpushup.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C652CE10-A1F8-4642-A39F-428292CDEDD0}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
Post the Silent Runners log, because for now it is full of junk and our colleague adam9870 will not be able to help you clean it up completely.
C:\WINDOWS\System32\irdvxc.exe
C:\WINDOWS\System32\mysvcc.exe
C:\WINDOWS\System32\directxpushup.exe
C:\WINDOWS\system32\srrvc.exe
C:\WINDOWS\System32\urdvxc.exe
C:\WINDOWS\system32\recsl.exe
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [john315] C:\WINDOWS\system32\srrvc.exe
O4 - HKLM\..\Run: [Microsoft Directx push] directxpushup.exe
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
All of that is to be removed; additionally, run a scan with some anti-spyware, e.g. AVG Anti-Spyware.
Use Windows Worms Doors Cleaner and switch the marks from disable to enable (all marks should be green; if any of them is yellow, leave it). A restart is required after using the tool.
Start => Run => type cmd and click OK => in the console that opens, type:
In Safe Mode with System Restore disabled, remove:
Delete the marked files manually from the disk, and the entries with HijackThis.
Scan the file:
at http://www.virustotal.com/en/indexf.html, and if it turns out to be malicious, remove it as well.
When done, post a new log from HijackThis, SilentRunners and ComboFix.
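Added here as an example (not code from the thread, from HijackThis or from any of the posters), a small Python triage of the kind of HijackThis lines the helper singled out above: bare filenames in Run keys, the legacy RunServices key, names one edit away from a system binary, and services HijackThis reports as missing. The rule weights, the GENERIC_SERVICE_RE pattern and the severity thresholds are this example's own choices; the sample lines are copied from the log posted above.

```python
"""Triage heuristics for HijackThis 1.99-style log lines (added example, not from the
thread): the helper's manual triage of O4 autostart and O23 service entries as scoring rules."""
import re
from dataclasses import dataclass, field

# Core Windows NT binaries; a name one edit away from one of these is a classic masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}
VENDOR_WORDS = ("microsoft", "windows", "directx")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
GENERIC_SERVICE_RE = re.compile(r"(?i)\b(network|windows|microsoft|system)\b.*service")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def severity(self) -> str:
        return "high" if self.score >= 3 else "medium" if self.score == 2 else "low"


def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance by plain dynamic programming; inputs are short file names.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd: str) -> str:
    # First token of an autostart command line, honouring a quoted path.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_o4(m: "re.Match", line: str) -> Finding:
    f = Finding(line)
    exe = executable_of(m["cmd"])
    base = exe.rsplit("\\", 1)[-1].lower()
    if m["key"].lower() == "runservices":
        f.add(2, "RunServices is a Windows 9x autostart key, rare for legitimate XP software")
    if "\\" not in exe:
        f.add(1, "bare filename without a path: verify the vendor (SOUNDMAN.EXE is benign)")
        if any(w in m["name"].lower() for w in VENDOR_WORDS):
            f.add(2, "vendor-branded entry name with an unqualified target")
    for sb in SYSTEM_BINARIES:
        if base != sb and edit_distance(base, sb) <= 1:
            f.add(3, f"name is one edit away from system binary {sb}")
    return f


def triage_o23(m: "re.Match", line: str) -> Finding:
    f = Finding(line)
    if "(file missing)" in m["path"]:
        # Weak alone: HijackThis 1.99.1 misparses quoted paths with arguments (see avast! lines).
        f.add(1, "binary reported missing: confirm on disk before acting")
    if m["owner"] == "Unknown owner" and GENERIC_SERVICE_RE.search(m["display"]):
        f.add(2, "generic Windows-sounding display name with no publisher")
    return f


def triage(log_text: str) -> list:
    # One Finding per O4/O23 line that scored at least one point.
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        for regex, rule in ((O4_RE, triage_o4), (O23_RE, triage_o23)):
            m = regex.match(line)
            if m and (f := rule(m, line)).score:
                findings.append(f)
    return findings


def severity_of(findings: list, needle: str):
    return next((f.severity for f in findings if needle in f.line), None)


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [Microsoft Directx push] directxpushup.exe
O4 - HKLM\..\Run: [john315] C:\WINDOWS\system32\srrvc.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line} | " + "; ".join(f.reasons))
```

Entries like [john315] C:\WINDOWS\system32\srrvc.exe, which carry a full path and an innocuous name, score nothing here; that is exactly the case for the VirusTotal file check the helper asks for.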
mithnick24
Read the stickied topics in this section and comply with them. JNJN
You are great :!: :!: :!: My computer has come back to life; I hope it is not just temporary. I could not find one entry, O4 - HKLM\..\Run: [john315] C:\WINDOWS\system32\srrvc.exe, but I found the rest. And here are the logs after carrying out all the steps
"Privat" - 07-02-05 23:56:09 Dodatek Service Pack. 1
ComboFix 07-01-25 - Running from: "e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\mysvcc.exe
((((((((((((((((((((((((((((((( Files Created from 2007-01-05 to 2007-02-05 ))))))))))))))))))))))))))))))))))
2007-02-05 22:39 6,656 --a------ C:\DOCUME~1\Privat\directxpush.sys
2007-02-03 22:07 76,589 --a------ C:\DOCUME~1\Privat\3.exe
2007-02-03 22:03 76,589 ---hs---- C:\WINDOWS\system32\srrvc.exe
2007-02-03 22:03 2,560 ---hs---- C:\WINDOWS\system32\helpersrrvc.exe
2007-02-02 22:45
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\Program Files\Neostrada TP\taskbaricon.exe" ["France Télécom R&D"]
"OpwareSE2" = ""C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"" ["ScanSoft, Inc."]
"OPSE reminder" = ""C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"" ["ScanSoft, Inc."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"msvcc25" = "svcchost.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
  \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
  -> {HKLM...CLSID} = "Skype add-on (mastermind)"
     \InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Context Menu Shell Extension"
  -> {HKLM...CLSID} = "a-squared Free Context Menu"
     \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
  -> {HKLM...CLSID} = "a-squared Free Context Menu"
     \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
  -> {HKLM...CLSID} = "a-squared Free Context Menu"
     \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Privat\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Privat\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Privat" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
  -> {HKLM...CLSID} = "Easy-WebPrint"
     \InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\(Default) = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]

HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
  -> {HKLM...CLSID} = "Skype add-on (button)"
     \InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
: [Version]
: Signature="$CHICAGO$"
: AdvancedINF=2.5,"You need a new version of advpack.dll"
:
: [RestoreHomePage]
: AddReg=RestoreHomePage.reg
:
: [RestoreBrowserSettings]
: AddReg=RestoreBrowserSettings.reg
: DelReg=DeleteTemplates.reg,DeleteAutosearch.reg
:
: [RestoreHomePage.reg]
: HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%
:
: [RestoreBrowserSettings.reg]
: HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
: HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
: HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,"www.%s.org"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,"www.%s.net"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,"www.%s.edu"
: HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
:
: ; NOTE (andrewgu) ie5.5b #108259 - autosearch settings are not properly reset
: HKCU,"Software\Microsoft\Internet Explorer\SearchUrl","Provider",0,""
:
: tm"
: tm"
: HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites",%SAFESITE_VALUE%,0,"http://ie.search.msn.com/*"
:
: [DeleteTemplates.reg]
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","5"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","6"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","7"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","8"
: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","9"
:
: [DeleteAutosearch.reg]
: ; NOTE (andrewgu) ie5.5b #108259 - autosearch settings are not properly reset
: HKCU,"Software\Microsoft\Internet Explorer\Main","AutoSearch"
:
: [Strings]
: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
: SEARCH_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
: SAFESITE_VALUE="ie.search.msn.com"
:
: ; IMPORTANT NOTE:
: ; IE branding dll (iedkcs32.dll) uses the following entries to restore the default MS values.
: ; In the vanilla version of IE, the values must be the same as their corresponding non MS_* values.
: ; For example, START_PAGE_URL and MS_START_PAGE_URL must have the same URL in the IE version released by MS.
: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
:

Missing lines (compared with English-language version):
[Version]: 2 lines
[RestoreHomePage]: 1 line
[RestoreHomePage.reg]: 1 line
[RestoreBrowserSettings.reg]: 12 lines
[DeleteTemplates.reg]: 5 lines
[DeleteAutosearch.reg]: 1 line
[Strings]: 1 line
[RestoreBrowserSettings]: 2 lines
[Strings]: 3 lines

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM...CLSID} = "Search Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" ["Sony DADC Austria AG."]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor MP110\Driver = "CNMLM6f.DLL" ["CANON INC."]
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
LIDIL hpzll054\Driver = "hpzll054.dll" ["Hewlett-Packard Company"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 296 seconds, including 4 seconds for message boxes)
Logfile of HijackThis v1.99.1
Scan saved at 23:48, on 07-02-05
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Neostrada TP\taskbaricon.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svcchost.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C652CE10-A1F8-4642-A39F-428292CDEDD0}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
Download Gmer.
From now on you will be working in Gmer, so run it, wait a moment, and click the >>> tab to open the remaining tabs.
-
In the Services tab find and delete (right-click) the services msdirectxpushup and MSDisk (if they are there)
-
In the CMD tab, with the CMD.EXE sub-option selected, paste:
-
In the CMD tab, with the REGEDIT.EXE sub-option selected, paste:
-
In the Processes tab choose Kill all. Now wait patiently until the desktop etc. disappears - only Gmer's window will remain
-
Go to the CMD tab and click Run, first with the CMD.EXE option selected and then with REGEDIT.EXE
Now reset.
Please scan the files:
at http://virusscan.jotti.org/ or http://www.virustotal.com/vt/, and if they turn out to be malicious, delete them from Safe Mode.
Delete the HJT entries if they are present.
When done, say how things stand and post a new ComboFix log plus two Gmer logs with these settings:
-
Rootkit tab >>> everything checked except Show all >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into the post
-
Rootkit tab >>> only Services and Show all checked >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into the post
If all the logs do not fit directly into the post, put them as text files on some hosting service and just link them here.
Hello. I did all the steps in Gmer; how do I restart the computer? When I click OK it says I won't be able to run any program. Should I reset it manually?
Where are you clicking OK?
After choosing Kill all in the Processes tab, all processes are killed except for a few needed for Gmer to work. And after clicking Run in the CMD tab, the actions entered there are carried out. But don't worry, because after the computer is restarted the processes will be loaded again.
If the computer does not restart by itself after you click Run, try going to the Processes tab and clicking Restart.
I click Restart in the Processes tab and nothing happens.
Post the new logs I asked for.
But how do I restart the computer, because right now nothing is happening. And I'm posting from a second computer.
Yes, restart the computer. E.g. reset it or switch it off with the button on the case.
OK. I'll post the logs in a moment.
Merged posts: 06.02.2007 (Tue) 22:30
I was supposed to scan two files; I scanned one and it is clean, but the other one I could not find. I have a file called help, is that the one?
Merged posts: 06.02.2007 (Tue) 23:17
Here are the logs after doing all the steps:
"Privat" - 07-02-06 23:01:03 Dodatek Service Pack. 1
ComboFix 07-01-25 - Running from: "e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy"
((((((((((((((((((((((((((((((( Files Created from 2007-01-06 to 2007-02-06 ))))))))))))))))))))))))))))))))))
2007-02-06 21:52 754 --a------ C:\WINDOWS\gmer.reg
2007-02-06 00:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-03 22:03 76,589 ---hs---- C:\WINDOWS\system32\srrvc.exe
2007-02-03 22:03 2,560 ---hs---- C:\WINDOWS\system32\helpersrrvc.exe
2007-02-02 22:45
GMER 1.0.12.12010 - http://www.gmer.net
Rootkit scan 2007-02-06 23:18:50
Windows 5.1.2600 Dodatek Service Pack. 1
---- System - GMER 1.0.12 ----
SSDT ??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT ??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [06]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 2F4 80502770 4 Bytes [AC, 48, B3, F8]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 510 8050298C 4 Bytes [12, 48, B3, F8]
.text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 72033FAA
.text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72034135
.text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 72034019
.text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 72033FC8
---- Registry - GMER 1.0.12 ----
Reg \Registry\MACHINE\SOFTWARE\SecuROM!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0xCA 0xD5 0x3A 0x79 …
Reg \Registry\MACHINE\SOFTWARE\SecuROM!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0x8A 0x87 0x1F 0x5D …
---- EOF - GMER 1.0.12 ----
GMER 1.0.12.12010 - http://www.gmer.net
Rootkit scan 2007-02-06 23:20:32
Windows 5.1.2600 Dodatek Service Pack. 1
---- Services - GMER 1.0.12 ----
Service [SYSTEM] Aavmker4
Service [DISABLED] Abiosdsk
Service [DISABLED] abp480n5
Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [BOOT] ACPI
Service [DISABLED] ACPIEC
Service [DISABLED] adpu160m
Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec
Service C:\WINDOWS\System32\drivers\afd.sys [AUTO] AFD
Service C:\WINDOWS\System32\DRIVERS\agp440.sys [BOOT] agp440
Service [DISABLED] Aha154x
Service [DISABLED] aic78u2
Service [DISABLED] aic78xx
Service C:\WINDOWS\System32\DRIVERS\alcan5wn.sys [MANUAL] alcan5wn
Service C:\WINDOWS\System32\DRIVERS\alcaudsl.sys [MANUAL] alcaudsl
Service C:\WINDOWS\system32\drivers\ALCXSENS.SYS [MANUAL] ALCXSENS
Service C:\WINDOWS\system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM
Service C:\WINDOWS\System32\svchost.exe [MANUAL] Alerter
Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG
Service [DISABLED] AliIde
Service [DISABLED] amsint
Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt
Service C:\WINDOWS\System32\DRIVERS\arp1394.sys [MANUAL] Arp1394
Service [DISABLED] asc
Service [DISABLED] asc3350p
Service [DISABLED] asc3550
Service [AUTO] aswMon2
Service [MANUAL] aswRdr
Service [SYSTEM] aswTdi
Service C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [AUTO] aswUpdSv
Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac
Service C:\WINDOWS\System32\DRIVERS\atapi.sys [BOOT] atapi
Service [DISABLED] Atdisk
Service C:\WINDOWS\System32\Ati2evxx.exe [AUTO] Ati HotKey Poller
Service C:\WINDOWS\system32\ati2sgag.exe [AUTO] ATI Smart
Service C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [MANUAL] ati2mtag
Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc
Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv
Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub
Service C:\Program Files\Alwil Software\Avast4\ashServ.exe [AUTO] avast! Antivirus
Service C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [MANUAL] avast! Mail Scanner
Service C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [MANUAL] avast! Web Scanner
Service C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys [SYSTEM] AVG Anti-Spyware Driver
Service C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [AUTO] AVG Anti-Spyware Guard
Service C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [SYSTEM] AvgAsCln
Service C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [MANUAL] basic2
Service BattC
Service [SYSTEM] Beep
Service C:\WINDOWS\System32\svchost.exe [MANUAL] BITS
Service C:\WINDOWS\System32\DRIVERS\bridge.sys [MANUAL] Bridge
Service C:\WINDOWS\System32\DRIVERS\bridge.sys [MANUAL] BridgeMP
Service C:\WINDOWS\System32\svchost.exe [AUTO] Browser
Service [DISABLED] cbidf2k
Service [DISABLED] cd20xrnt
Service [SYSTEM] Cdaudio
Service [DISABLED] Cdfs
Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [SYSTEM] Cdrom
Service [SYSTEM] Changer
Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc
Service C:\WINDOWS\system32\clipsrv.exe [MANUAL] ClipSrv
Service [DISABLED] CmdIde
Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp
Service ContentFilter
Service ContentIndex
Service [DISABLED] Cpqarray
Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc
Service [DISABLED] dac2w2k
Service [DISABLED] dac960nt
Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp
Service C:\WINDOWS\System32\DRIVERS\disk.sys [BOOT] Disk
Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin
Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot
Service C:\WINDOWS\System32\drivers\dmio.sys [BOOT] dmio
Service C:\WINDOWS\System32\drivers\dmload.sys [BOOT] dmload
Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver
Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic
Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache
Service [DISABLED] dpti2o
Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud
Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc
Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog
Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem
Service C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [AUTO] Fallback
Service [DISABLED] Fastfat
Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility
Service C:\WINDOWS\System32\DRIVERS\fdc.sys [MANUAL] Fdc
Service [SYSTEM] Fips
Service C:\WINDOWS\System32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk
Service C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [AUTO] Fsks
Service [SYSTEM] Fs_Rec
Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [BOOT] Ftdisk
Service C:\WINDOWS\System32\DRIVERS\gameenum.sys [MANUAL] gameenum
Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer
Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc
Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc
Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ
Service [DISABLED] hpn
Service C:\WINDOWS\System32\DRIVERS\HPZid412.sys [MANUAL] HPZid412
Service C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [MANUAL] HPZipr12
Service C:\WINDOWS\System32\DRIVERS\HPZius12.sys [MANUAL] HPZius12
Service C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [MANUAL] hsf_msft
Service [SYSTEM] i2omgmt
Service [DISABLED] i2omp
Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [SYSTEM] i8042prt
Service C:\WINDOWS\System32\DRIVERS\imapi.sys [SYSTEM] Imapi
Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService
Service inetaccs
Service [DISABLED] ini910u
Service Inport
Service [DISABLED] IntelIde
Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver
Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp
Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat
Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [SYSTEM] IPSec
Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM
Service ISAPISearch
Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [BOOT] isapnp
Service C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [AUTO] K56
Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [SYSTEM] Kbdclass
Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer
Service [BOOT] KSecDD
Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver
Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanworkstation
Service [SYSTEM] lbrtfdc
Service ldap
Service LicenseService
Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts
Service C:\WINDOWS\System32\svchost.exe [DISABLED] Messenger
Service [SYSTEM] mnmdd
Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc
Service [MANUAL] Modem
Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [SYSTEM] Mouclass
Service [BOOT] MountMgr
Service [DISABLED] mraid35x
Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV
Service C:\WINDOWS\System32\DRIVERS\mrxsmb.sys [SYSTEM] MRxSmb
Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC
Service [SYSTEM] Msfs
Service C:\WINDOWS\System32\msiexec.exe [MANUAL] MSIServer
Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV
Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK
Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM
Service [BOOT] Mup
Service [BOOT] NDIS
Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi
Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio
Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan
Service [MANUAL] NDProxy
Service C:\WINDOWS\System32\DRIVERS\netbios.sys [SYSTEM] NetBIOS
Service C:\WINDOWS\System32\DRIVERS\netbt.sys [SYSTEM] NetBT
Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDE
Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDEdsdm
Service C:\WINDOWS\System32\lsass.exe [MANUAL] Netlogon
Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman
Service C:\WINDOWS\System32\DRIVERS\nic1394.sys [MANUAL] NIC1394
Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla
Service [SYSTEM] Npfs
Service [DISABLED] Ntfs
Service C:\WINDOWS\System32\lsass.exe [MANUAL] NtLmSsp
Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc
Service [SYSTEM] Null
Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt
Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd
Service C:\WINDOWS\System32\DRIVERS\ohci1394.sys [BOOT] ohci1394
Service C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [MANUAL] ose
Service Outlook
Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport
Service [BOOT] PartMgr
Service [AUTO] ParVdm
Service C:\WINDOWS\System32\DRIVERS\pci.sys [BOOT] PCI
Service [SYSTEM] PCIDump
Service C:\WINDOWS\System32\DRIVERS\pciide.sys [BOOT] PCIIde
Service [DISABLED] Pcmcia
Service [MANUAL] PDCOMP
Service [MANUAL] PDFRAME
Service [MANUAL] PDRELI
Service [MANUAL] PDRFRAME
Service [DISABLED] perc2
Service [DISABLED] perc2hib
Service PerfDisk
Service PerfNet
Service PerfOS
Service PerfProc
Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay
Service C:\WINDOWS\System32\HPZipm12.exe [AUTO] Pml Driver HPZ12
Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent
Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport
Service C:\WINDOWS\System32\DRIVERS\processr.sys [SYSTEM] Processor
Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage
Service C:\WINDOWS\System32\DRIVERS\psched.sys [MANUAL] PSched
Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink
Service C:\WINDOWS\System32\DRIVERS\PxHelp20.sys [BOOT] PxHelp20
Service [DISABLED] ql1080
Service [DISABLED] Ql10wnt
Service [DISABLED] ql12160
Service [DISABLED] ql1240
Service [DISABLED] ql1280
Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [SYSTEM] RasAcd
Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto
Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp
Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan
Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe
Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti
Service C:\WINDOWS\System32\DRIVERS\rdbss.sys [SYSTEM] Rdbss
Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [SYSTEM] RDPCDD
Service RDPDD
Service C:\WINDOWS\System32\DRIVERS\rdpdr.sys [MANUAL] rdpdr
Service RDPNP
Service [MANUAL] RDPWD
Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr
Service C:\WINDOWS\System32\DRIVERS\redbook.sys [SYSTEM] redbook
Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess
Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteRegistry
Service C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [MANUAL] Rksample
Service C:\WINDOWS\System32\locator.exe [MANUAL] RpcLocator
Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs
Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP
Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs
Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardDrv
Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr
Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule
Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [MANUAL] Secdrv
Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon
Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS
Service C:\WINDOWS\System32\DRIVERS\serenum.sys [MANUAL] serenum
Service C:\WINDOWS\System32\DRIVERS\serial.sys [SYSTEM] Serial
Service [SYSTEM] Sfloppy
Service C:\WINDOWS\System32\svchost.exe [DISABLED] SharedAccess
Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection
Service [DISABLED] Simbad
Service C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [AUTO] SoftFax
Service [DISABLED] Sparrow
Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter
Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler
Service C:\WINDOWS\System32\DRIVERS\sr.sys [BOOT] sr
Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice
Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv
Service C:\WINDOWS\System32\svchost.exe [MANUAL] SSDPSRV
Service C:\WINDOWS\System32\svchost.exe [AUTO] stisvc
Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum
Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi
Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv
Service [DISABLED] symc810
Service [DISABLED] symc8xx
Service [DISABLED] sym_hi
Service [DISABLED] sym_u3
Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio
Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog
Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv
Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [SYSTEM] Tcpip
Service [MANUAL] TDPIPE
Service [MANUAL] TDTCP
Service C:\WINDOWS\System32\DRIVERS\termdd.sys [SYSTEM] TermDD
Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService
Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes
Service C:\WINDOWS\System32\tlntsvr.exe [DISABLED] TlntSvr
Service C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [AUTO] Tones
Service [DISABLED] TosIde
Service [BOOT] Tpkd
Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks
Service TSDDD
Service [DISABLED] Udfs
Service [DISABLED] ultra
Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update
Service C:\WINDOWS\System32\svchost.exe [AUTO] uploadmgr
Service C:\WINDOWS\System32\svchost.exe [MANUAL] upnphost
Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS
Service usb
Service C:\WINDOWS\System32\DRIVERS\usbccgp.sys [MANUAL] usbccgp
Service C:\WINDOWS\System32\DRIVERS\usbehci.sys [MANUAL] usbehci
Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub
Service C:\WINDOWS\System32\DRIVERS\usbprint.sys [MANUAL] usbprint
Service C:\WINDOWS\System32\DRIVERS\usbscan.sys [MANUAL] usbscan
Service C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR
Service C:\WINDOWS\System32\DRIVERS\usbuhci.sys [MANUAL] usbuhci
Service C:\WINDOWS\System32\UAService7.exe [AUTO] UserAccess7
Service C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [AUTO] V124
Service C:\WINDOWS\System32\drivers\vga.sys [SYSTEM] VgaSave
Service [DISABLED] ViaIde
Service [BOOT] VolSnap
Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS
Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time
Service W3SVC
Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp
Service [MANUAL] WDICA
Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud
Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient
Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt
Service [MANUAL] Winsock
Service WinSock2
Service WinTrust
Service C:\WINDOWS\System32\svchost.exe [AUTO] WmdmPmSp
Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi
Service WmiApRpl
Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv
Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv
Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC
Service C:\WINDOWS\System32\DRIVERS\yukonwxp.sys [MANUAL] yukonwxp
Service {45FEC244-C10F-464F-A0BF-4CD50947F48B}
Service {7C4F8FE3-A2A2-4D6B-90AE-CDB9FDCF6D3D}
Service {93D9CA66-A39A-4E50-921C-6A794E842121}
---- EOF - GMER 1.0.12 ----
The file C:\WINDOWS\system32\helpersrrvc.exe is there, but it is hidden, so first you have to turn on showing hidden files and folders. To do this: My Computer => Tools => Folder Options => View tab => under Hidden files and folders select Show hidden files and folders and confirm.
Download KillBox, select Delete on reboot, and in the Full path of file field paste the paths:
C:\WINDOWS\system32\srrvc.exe
C:\WINDOWS\system32\irdvxc.exe
after pasting each path separately click the red X, but only after pasting the last one agree to the restart.
When done, post a new ComboFix log and a HijackThis log.
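The two things the helper does by eye in this thread, spotting `svcchost.exe` as a lookalike of `svchost.exe` in the HijackThis O4 entries and reading the `---hs----` attributes in the ComboFix listing as hidden+system, can be mechanized. The script below is an added example, not output of or code from HijackThis, ComboFix or GMER; the sample lines are copied from the logs posted above, while the list of imitated binary names and the reading of the attribute letters (h = hidden, s = system) are assumptions of the example.

```python
"""Triage of two log formats quoted in this thread: HijackThis O4 autostart
entries and ComboFix "Files Created" lines.  Heuristics only: a hit means
"scan this file", not "this is malware".  Added example, not tool output."""
import re

# Binary names malware likes to imitate (constructed list for this example).
SYSTEM_BINARIES = ("svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
                   "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe")
# "O4 - HKLM\..\Run: [name] command", as HijackThis 1.99 prints it.
HJT_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# "2007-02-03 22:03 76,589 ---hs---- C:\WINDOWS\system32\srrvc.exe"; the
# attribute field is assumed to carry h = hidden and s = system.
COMBOFIX_FILE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+([-a-z]{9})\s+(.+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(command: str) -> str:
    """First token of an O4 command, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_hjt_o4(lines: list[str]) -> list[dict]:
    """Return the O4 entries that deserve a closer look, with the reasons."""
    findings = []
    for line in lines:
        m = HJT_O4.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        exe = executable_of(command)
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        # One edit away from a core system binary: the classic naming trick.
        for known in SYSTEM_BINARIES:
            if base != known and edit_distance(base, known) == 1:
                reasons.append(f"lookalike of {known}")
        # RunServices is a Win9x-era key; on XP little legitimate software uses it.
        if key == "RunServices":
            reasons.append("RunServices key")
        # A bare filename resolves via the search path (System32 etc.), so the
        # log alone does not say where the file is.  Weak signal by itself.
        if "\\" not in exe:
            reasons.append("bare filename, no path")
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name,
                             "exe": exe, "reasons": reasons})
    return findings


def triage_combofix(lines: list[str]) -> list[dict]:
    """Flag recently created executables that are both hidden and system."""
    flagged = []
    for line in lines:
        m = COMBOFIX_FILE.match(line.strip())
        if m and m.group(4).lower().endswith((".exe", ".dll", ".sys")):
            date, _size, attr, path = m.groups()
            if "h" in attr and "s" in attr:
                flagged.append({"date": date, "attr": attr, "path": path})
    return flagged


# Sample lines copied from the logs posted in this thread.
HJT_SAMPLE = [
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [msvcc25] svcchost.exe",
    r"O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe",
    r'O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray',
]
COMBOFIX_SAMPLE = [
    r"2007-02-06 21:52 754 --a------ C:\WINDOWS\gmer.reg",
    r"2007-02-03 22:03 76,589 ---hs---- C:\WINDOWS\system32\srrvc.exe",
    r"2007-02-03 22:03 2,560 ---hs---- C:\WINDOWS\system32\helpersrrvc.exe",
]

if __name__ == "__main__":
    for f in triage_hjt_o4(HJT_SAMPLE):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] {f['exe']}: {', '.join(f['reasons'])}")
    for f in triage_combofix(COMBOFIX_SAMPLE):
        print(f"{f['date']} {f['attr']} {f['path']}: new, hidden+system")
```

SOUNDMAN.EXE is reported too, on the weak "bare filename" signal alone, which is exactly why a hit here is a reason to scan the file rather than a verdict.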
Hello. Here are the logs:
"Privat" - 07-02-07 20:58:54 Dodatek Service Pack. 1
ComboFix 07-01-25 - Running from: "e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy"
((((((((((((((((((((((((((((((( Files Created from 2007-01-07 to 2007-02-07 ))))))))))))))))))))))))))))))))))
2007-02-07 20:46
Logfile of HijackThis v1.99.1
Scan saved at 21:06:38, on 2007-02-07
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Neostrada TP\taskbaricon.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Packs\Crystal XP\YzToolbar\YzToolbar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Y'z Toolbar.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C652CE10-A1F8-4642-A39F-428292CDEDD0}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
Delete the folder.
In the logs there is only this file:
Did you scan it? Did it turn out to be malicious? Some scanners detect it as Proxy.Slaper.e. If it turned out to be malicious, delete it with KillBox and that's it ;-).
I can't find it. I set the folder options to show hidden files and it isn't there; I even typed it into SEARCH and it didn't find such a file.
Merged posts: 07.02.2007 (Wed) 21:59
Or maybe I should enter it into KillBox and delete it just in case?