Jak usunąc win32 Agent-Daw

Boniu · 4 Luty 2007 22:53

Witam. W moim kompie awast i inne programy komunikuja że mam win32 agent-daw. Czy istnieje jakas możliwość usunięcia go na dobre, bo próbowałem juz nie raz przez forum i nie powiodło sie. Może znacie jakis program który usunie ten syf? Jesli jest cos takiego to poproszę o link i krótką instrukcje użycia jesli jest on nie po polsku. Czy mam się poddac i formatować? Walcze juz około tygodnia jestem skłonny sie poddać.

adam9870 · 4 Luty 2007 22:54

Gdzie jest wykrywany ten szkodnik (dokładna lokalizacja)?

Na początek wrzuć komplet logów - HijackThis i SilentRunners:

http://forum.dobreprogramy.pl/viewtopic.php?t=36654

Boniu · 4 Luty 2007 22:57

wykrywalny jest w C:\WINDOWS\system32\winlogon

Złączono Posty : 04.02.2007 (Nie) 23:59

logi wyślę z moment bo komp jest tak zamulony że potrwa to chwile

Złączono Posty : 05.02.2007 (Pon) 0:07

z logami może być problem bo jeśli podłącze kompa do netu to sie zawiesza nie da się czeoś zrobic bez logów??

Złączono Posty : 05.02.2007 (Pon) 0:21

Logfile of HijackThis v1.99.1

Scan saved at 00:16, on 07-02-05

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Neostrada TP\taskbaricon.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\irdvxc.exe

C:\WINDOWS\System32\mysvcc.exe

C:\WINDOWS\System32\directxpushup.exe

C:\WINDOWS\system32\srrvc.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\System32\urdvxc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\UAService7.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\recsl.exe

e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [msvcc25] svcchost.exe

O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe

O4 - HKLM\..\Run: [Microsoft Directx push] directxpushup.exe

O4 - HKLM\..\Run: [john315] C:\WINDOWS\system32\srrvc.exe

O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe

O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe

O4 - HKLM\..\RunServices: [Microsoft Directx push] directxpushup.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Microsoft Directx push] directxpushup.exe

O4 - HKCU\..\Run: [john315] C:\WINDOWS\system32\srrvc.exe

O4 - HKCU\..\RunServices: [Microsoft Directx push] directxpushup.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C652CE10-A1F8-4642-A39F-428292CDEDD0}: NameServer = 194.204.152.34 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)

O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

popula · 5 Luty 2007 07:04

Dawaj loga z Silent Runners, bo jak na razie to pełno syfu i kolega adam9870 nie będzie mógł Ci pomóc, jak to wyleczyć do końca.

mithnick24 · 5 Luty 2007 08:07

C:\WINDOWS\System32\irdvxc.exe

C:\WINDOWS\System32\mysvcc.exe

C:\WINDOWS\System32\directxpushup.exe

C:\WINDOWS\system32\srrvc.exe

C:\WINDOWS\System32\urdvxc.exe

C:\WINDOWS\system32\recsl.exe

O4 - HKLM…\Run: [msvcc25] svcchost.exe

O4 - HKLM…\Run: [mysvcig38] mysvcc.exe

O4 - HKLM…\RunServices: [mysvcig38] mysvcc.ex

O4 - HKLM…\RunServices: [msvcc25] svcchost.exe

O4 - HKLM…\Run: [john315] C:\WINDOWS\system32\srrvc.exe

O4 - HKLM…\Run: [Microsoft Directx push] directxpushup.exe

O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)

O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)

Do usunięcia to wszystko dodatkowo skan jakims anti spyware np.AVG Anti Spyware

adam9870 · 5 Luty 2007 13:18

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Start => uruchom => wpisz cmd i kliknij OK => w konsoli, która się otworzy wpisz:

W trybie awaryjnym z wyłączonym przywracaniem systemu usuń:

O4 - HKLM…\Run: [msvcc25] svcchost.exe O4 - HKLM…\Run: [mysvcig38] mysvcc.exe O4 - HKLM…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKLM…\Run: [john315] C:\WINDOWS\system32\srrvc.exe O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [mysvcig38] mysvcc.exe O4 - HKLM…\RunServices: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\Run: [john315] C:\WINDOWS\system32\srrvc.exe O4 - HKCU…\RunServices: [Microsoft Directx push] directxpushup.exe O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing) O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)

Pliki zaznaczone kasujesz ręcznie z dysku natomiast wpisy w HijackThis.

Przeskanuj plik:

na stronie http://www.virustotal.com/en/indexf.html, a jeśli okaże się szkodnikiem - także usuń.

Po wykonaniu pokaż nowy log z HijackThis, SilentRunners oraz z ComboFix’a.

JNJN · 5 Luty 2007 13:34

mithnick24

Przeczytaj tematy przyklejone w tym dziale i się do nich dostosuj.JNJN

Boniu · 5 Luty 2007 22:59

Jesteście wielcy :!: :!: :!: Mój komputer odżył mam nadzieje że nie chwilowo. Nie znalazłem jednego wpisu O4 - HKLM…\Run: [john315] C:\WINDOWS\system32\srrvc.exe ale resztę tak. A oto logi po wykonaniu wszystkich czynności

"Privat" - 07-02-05 23:56:09 Dodatek Service Pack. 1

ComboFix 07-01-25 - Running from: "e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



C:\WINDOWS\system32\.exe

C:\WINDOWS\system32\mysvcc.exe



((((((((((((((((((((((((((((((( Files Created from 2007-01-05 to 2007-02-05 ))))))))))))))))))))))))))))))))))



2007-02-05 22:39	6,656	--a------	C:\DOCUME~1\Privat\directxpush.sys

2007-02-03 22:07	76,589	--a------	C:\DOCUME~1\Privat\3.exe

2007-02-03 22:03	76,589	---hs----	C:\WINDOWS\system32\srrvc.exe

2007-02-03 22:03	2,560	---hs----	C:\WINDOWS\system32\helpersrrvc.exe

2007-02-02 22:45

[code]“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string] “SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] “WOOTASKBARICON” = “C:\Program Files\Neostrada TP\taskbaricon.exe” [“France Télécom R&D”] “OpwareSE2” = ““C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe”” [“ScanSoft, Inc.”] “OPSE reminder” = ““C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe” -r “C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini”” [“ScanSoft, Inc.”] “WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data] “HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Development Company, L.P.”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “msvcc25” = “svcchost.exe” [null data] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype add-on (mastermind)” -> {HKLM…CLSID} = “Skype add-on (mastermind)” \InProcServer32(Default) = “C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{A155339D-CCCD-4714-85EB-3754B804C9DF}” = “a-squared Free Context Menu Shell Extension” -> {HKLM…CLSID} = “a-squared Free Context Menu” \InProcServer32(Default) = “C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL” [“Emsi Software GmbH”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ a2FreeContMenu(Default) = “{A155339D-CCCD-4714-85EB-3754B804C9DF}” -> {HKLM…CLSID} = “a-squared Free Context Menu” \InProcServer32(Default) = “C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL” [“Emsi Software GmbH”] avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ a2FreeContMenu(Default) = “{A155339D-CCCD-4714-85EB-3754B804C9DF}” -> {HKLM…CLSID} = “a-squared Free Context Menu” \InProcServer32(Default) = “C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL” [“Emsi Software GmbH”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\Privat\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Privat\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Privat” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “HP Digital Imaging Monitor” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Development Company, L.P.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{327C2873-E90D-4C37-AA9D-10AC9BABA46C}” = “Easy-WebPrint” -> {HKLM…CLSID} = “Easy-WebPrint” \InProcServer32(Default) = “C:\Program Files\Canon\Easy-WebPrint\Toolband.dll” [null data] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{03C1C47F-0538-4645-8372-D3109B9FC636}(Default) = “Easy-WebPrint” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Canon\Easy-WebPrint\Toolband.dll” [null data] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {77BF5300-1474-4EC7-9980-D32B190E9B07}\ “ButtonText” = “Skype” “CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}” -> {HKLM…CLSID} = “Skype add-on (button)” \InProcServer32(Default) = “C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): : ˙ţ[V e r s i o n] : S i g n a t u r e = " $ C H I C A G O $ " : A d v a n c e d I N F = 2 . 5 , " Y o u n e e d a n e w v e r s i o n o f a d v p a c k . d l l " : : [R e s t o r e H o m e P a g e] : A d d R e g = R e s t o r e H o m e P a g e . r e g : : [R e s t o r e B r o w s e r S e t t i n g s] : A d d R e g = R e s t o r e B r o w s e r S e t t i n g s . r e g : D e l R e g = D e l e t e T e m p l a t e s . r e g , D e l e t e A u t o s e a r c h . r e g : : [R e s t o r e H o m e P a g e . r e g] : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S t a r t P a g e " , 0 , % S T A R T _ P A G E _ U R L % : : [R e s t o r e B r o w s e r S e t t i n g s . r e g] : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ P a g e _ U R L " , 0 , % S T A R T _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ S e a r c h _ U R L " , 0 , % S E A R C H _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 1 " , 0 , " w w w . % s . c o m " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 2 " , 0 , " w w w . % s . o r g " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 3 " , 0 , " w w w . % s . n e t " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 4 " , 0 , " w w w . % s . e d u " : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % : : ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ S e a r c h U r l " , " P r o v i d e r " , 0 , " " : : t m " : t m " : H K L M , " S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ I n t e r n e t S e t t i n g s \ S a f e S i t e s " , % S A F E S I T E _ V A L U E % , 0 , " h t t p : / / i e . s e a r c h . m s n . c o m / * " : : [D e l e t e T e m p l a t e s . r e g] : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 5 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 6 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 7 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 8 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 9 " : : [D e l e t e A u t o s e a r c h . r e g] : ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " A u t o S e a r c h " : : [S t r i n g s] : S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " : S E A R C H _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & a r = i e s e a r c h " : S A F E S I T E _ V A L U E = " i e . s e a r c h . m s n . c o m " : : ; I M P O R T A N T N O T E : : ; I E b r a n d i n g d l l ( i e d k c s 3 2 . d l l ) u s e s t h e f o l l o w i n g e n t r i e s t o r e s t o r e t h e d e f a u l t M S v a l u e s . : ; I n t h e v a n i l l a v e r s i o n o f I E , t h e v a l u e s m u s t b e t h e s a m e a s t h e i r c o r r e s p o n d i n g n o n M S _ * v a l u e s . : ; F o r e x a m p l e , S T A R T _ P A G E _ U R L a n d M S _ S T A R T _ P A G E _ U R L m u s t h a v e t h e s a m e U R L i n t h e I E v e r s i o n r e l e a s e d b y M S . : M S _ S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " : Missing lines (compared with English-language version): [Version]: 2 lines [RestoreHomePage]: 1 line [RestoreHomePage.reg]: 1 line [RestoreBrowserSettings.reg]: 12 lines [DeleteTemplates.reg]: 5 lines [DeleteAutosearch.reg]: 1 line [Strings]: 1 line [RestoreBrowserSettings]: 2 lines [Strings]: 3 lines HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] SecuROM User Access Service (V7), UserAccess7, “C:\WINDOWS\System32\UAService7.exe” [“Sony DADC Austria AG.”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor MP110\Driver = “CNMLM6f.DLL” [“CANON INC.”] HP Standard TCP/IP Port\Driver = “HpTcpMon.dll” [“Hewlett Packard”] LIDIL hpzll054\Driver = “hpzll054.dll” [“Hewlett-Packard Company”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 296 seconds, including 4 seconds for message boxes)

Logfile of HijackThis v1.99.1

Scan saved at 23:48, on 07-02-05

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Neostrada TP\taskbaricon.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\System32\UAService7.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\svcchost.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [msvcc25] svcchost.exe

O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C652CE10-A1F8-4642-A39F-428292CDEDD0}: NameServer = 194.204.152.34 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

adam9870 · 6 Luty 2007 16:01

Pobierz Gmer’a.

Teraz czynności będziesz wykonywał w Gmerze więc uruchom go, poczekaj chwilkę, kliknij na zakładkę >>> w celu otworzenia pozostałych.

W zakładce Usługi znajdź i skasuj z prawokliku usługę msdirectxpushup oraz MSDisk (jeśli będą)
W zakładce CMD z zaznaczoną podopcją CMD.EXE wklej:

W zakładce CMD z zaznaczoną podopcją REGEDIT.EXE wklej:

W zakładce Procesy wybierz Zabij wszystko. Teraz poczekaj cierpliwie aż zniknie pulpit etc. - zostanie tylko okienko Gmer’a
Przejdź do zakładki CMD i kliknij Uruchom najpierw przy zaznaczonej opcji CMD.EXE , a potem REGDIT.EXE

Teraz reset.

Proszę przeskanować pliki:

na stronie http://virusscan.jotti.org/ lub http://www.virustotal.com/vt/, a jeśli okażą się szkodnikami - usunąć będąc w trybie awaryjnym.

Usuń wpisy HJT jeśli będą.

Po wykonaniu powiedz jak sytuacja oraz pokaż nowy log z ComboFix oraz dwa logi z Gmer’a przy takich ustawieniach:

Zakładka Rootkit >>> zaznaczone wszystko oprócz Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta
Zakładka Rootkit >>> zaznaczone tylko Usługi i Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta

Jeśli wszystkie logi nie zmieszczą się bezpośrednio do posta, to umieść je jako pliki tekstowe w jakimś serwisie hostingowym i tu tylko zlinkuj.

http://forum.dobreprogramy.pl/viewtopic.php?t=96929

Boniu · 6 Luty 2007 20:56

Witam. Wykonałem wszystkie czynnosci w Gmerze jak zresetować komputer? Jak klikam na OK to wyświetla że nie bedę mógł uruchomic zadnego programu. Mam go zresetować recznie?

adam9870 · 6 Luty 2007 21:01

Gdzie klikasz na OK.

Po wybraniu Zabij wszystko w zakładce Procesy zostaną zabite wszystkie procesy oprócz kilku niezbędnych do pracy Gmer’a. Zaś po kliknięciu Uruchom w zakładce CMD zostaną wykonane czynności tam wprowadzone. Ale nie przejmuj się ponieważ po ponownych uruchomieniu komputera procesy zostaną na nowo załadowane.

Jeśli po kliknięciu Uruchom komputer sam się nie zrestartuje to spróbuj przejść do zakładki Procesy i kliknąć Restart.

Boniu · 6 Luty 2007 21:03

klikam na restart w zakladce procesy i nic się nie dzieje.

adam9870 · 6 Luty 2007 21:06

Wrzuć nowe logi, o które prosiłem.

Boniu · 6 Luty 2007 21:08

Ale jak na nowo uruchomic kompa bo w tej chwili nic sie nie dzieja. A ja klikam z drugiego komputera.

adam9870 · 6 Luty 2007 21:10

Tak, na nowo uruchom komputer. Np. zresetuj go albo wyłącz za pomocą przycisku na obudownie.

Boniu · 6 Luty 2007 21:13

OK. Zaraz wrzucę logi.

Złączono Posta : 06.02.2007 (Wto) 22:30

Miałem przeskanować dwa pliki jeden przeskanowałem i jest czysty a tego

nie znalażłem mam plik o nazwie help, czy chodzi o ten?

Złączono Posta : 06.02.2007 (Wto) 23:17

Oto logi po wykonaniu wszystkich czynności:

"Privat" - 07-02-06 23:01:03 Dodatek Service Pack. 1

ComboFix 07-01-25 - Running from: "e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy"


((((((((((((((((((((((((((((((( Files Created from 2007-01-06 to 2007-02-06 ))))))))))))))))))))))))))))))))))



2007-02-06 21:52	754	--a------	C:\WINDOWS\gmer.reg

2007-02-06 00:23	3,968	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-02-03 22:03	76,589	---hs----	C:\WINDOWS\system32\srrvc.exe

2007-02-03 22:03	2,560	---hs----	C:\WINDOWS\system32\helpersrrvc.exe

2007-02-02 22:45

[code]GMER 1.0.12.12010 - http://www.gmer.net Rootkit scan 2007-02-06 23:18:50 Windows 5.1.2600 Dodatek Service Pack. 1 ---- System - GMER 1.0.12 ---- SSDT ??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess SSDT ??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess ---- Kernel code sections - GMER 1.0.12 ---- .text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [06] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 2F4 80502770 4 Bytes [AC, 48, B3, F8] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 510 8050298C 4 Bytes [12, 48, B3, F8] .text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 72033FAA .text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72034135 .text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 72034019 .text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 72033FC8 ---- Registry - GMER 1.0.12 ---- Reg \Registry\MACHINE\SOFTWARE\SecuROM!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0xCA 0xD5 0x3A 0x79 … Reg \Registry\MACHINE\SOFTWARE\SecuROM!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0x8A 0x87 0x1F 0x5D … ---- EOF - GMER 1.0.12 ----

GMER 1.0.12.12010 - http://www.gmer.net

Rootkit scan 2007-02-06 23:20:32

Windows 5.1.2600 Dodatek Service Pack. 1



---- Services - GMER 1.0.12 ----


Service [SYSTEM] Aavmker4

Service [DISABLED] Abiosdsk

Service [DISABLED] abp480n5

Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [BOOT] ACPI

Service [DISABLED] ACPIEC

Service [DISABLED] adpu160m

Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec

Service C:\WINDOWS\System32\drivers\afd.sys [AUTO] AFD

Service C:\WINDOWS\System32\DRIVERS\agp440.sys [BOOT] agp440

Service [DISABLED] Aha154x

Service [DISABLED] aic78u2

Service [DISABLED] aic78xx

Service C:\WINDOWS\System32\DRIVERS\alcan5wn.sys [MANUAL] alcan5wn

Service C:\WINDOWS\System32\DRIVERS\alcaudsl.sys [MANUAL] alcaudsl

Service C:\WINDOWS\system32\drivers\ALCXSENS.SYS [MANUAL] ALCXSENS

Service C:\WINDOWS\system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Alerter

Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG

Service [DISABLED] AliIde

Service [DISABLED] amsint

Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt

Service C:\WINDOWS\System32\DRIVERS\arp1394.sys [MANUAL] Arp1394

Service [DISABLED] asc

Service [DISABLED] asc3350p

Service [DISABLED] asc3550

Service [AUTO] aswMon2

Service [MANUAL] aswRdr

Service [SYSTEM] aswTdi

Service C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [AUTO] aswUpdSv

Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac

Service C:\WINDOWS\System32\DRIVERS\atapi.sys [BOOT] atapi

Service [DISABLED] Atdisk

Service C:\WINDOWS\System32\Ati2evxx.exe [AUTO] Ati HotKey Poller

Service C:\WINDOWS\system32\ati2sgag.exe [AUTO] ATI Smart

Service C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [MANUAL] ati2mtag

Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc

Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv

Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub

Service C:\Program Files\Alwil Software\Avast4\ashServ.exe [AUTO] avast! Antivirus

Service C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [MANUAL] avast! Mail Scanner

Service C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [MANUAL] avast! Web Scanner

Service C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys [SYSTEM] AVG Anti-Spyware Driver

Service C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [AUTO] AVG Anti-Spyware Guard

Service C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [SYSTEM] AvgAsCln

Service C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [MANUAL] basic2

Service BattC

Service [SYSTEM] Beep

Service C:\WINDOWS\System32\svchost.exe [MANUAL] BITS

Service C:\WINDOWS\System32\DRIVERS\bridge.sys [MANUAL] Bridge

Service C:\WINDOWS\System32\DRIVERS\bridge.sys [MANUAL] BridgeMP

Service C:\WINDOWS\System32\svchost.exe [AUTO] Browser

Service [DISABLED] cbidf2k

Service [DISABLED] cd20xrnt

Service [SYSTEM] Cdaudio

Service [DISABLED] Cdfs

Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [SYSTEM] Cdrom

Service [SYSTEM] Changer

Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc

Service C:\WINDOWS\system32\clipsrv.exe [MANUAL] ClipSrv

Service [DISABLED] CmdIde

Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp

Service ContentFilter

Service ContentIndex

Service [DISABLED] Cpqarray

Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc

Service [DISABLED] dac2w2k

Service [DISABLED] dac960nt

Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp

Service C:\WINDOWS\System32\DRIVERS\disk.sys [BOOT] Disk

Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin

Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot

Service C:\WINDOWS\System32\drivers\dmio.sys [BOOT] dmio

Service C:\WINDOWS\System32\drivers\dmload.sys [BOOT] dmload

Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver

Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic

Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache

Service [DISABLED] dpti2o

Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud

Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc

Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog

Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem

Service C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [AUTO] Fallback

Service [DISABLED] Fastfat

Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility

Service C:\WINDOWS\System32\DRIVERS\fdc.sys [MANUAL] Fdc

Service [SYSTEM] Fips

Service C:\WINDOWS\System32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk

Service C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [AUTO] Fsks

Service [SYSTEM] Fs_Rec

Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [BOOT] Ftdisk

Service C:\WINDOWS\System32\DRIVERS\gameenum.sys [MANUAL] gameenum

Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer

Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc

Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc

Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ

Service [DISABLED] hpn

Service C:\WINDOWS\System32\DRIVERS\HPZid412.sys [MANUAL] HPZid412

Service C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [MANUAL] HPZipr12

Service C:\WINDOWS\System32\DRIVERS\HPZius12.sys [MANUAL] HPZius12

Service C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [MANUAL] hsf_msft

Service [SYSTEM] i2omgmt

Service [DISABLED] i2omp

Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [SYSTEM] i8042prt

Service C:\WINDOWS\System32\DRIVERS\imapi.sys [SYSTEM] Imapi

Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService

Service inetaccs

Service [DISABLED] ini910u

Service Inport

Service [DISABLED] IntelIde

Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver

Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp

Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat

Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [SYSTEM] IPSec

Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM

Service ISAPISearch

Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [BOOT] isapnp

Service C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [AUTO] K56

Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [SYSTEM] Kbdclass

Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer

Service [BOOT] KSecDD

Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver

Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanworkstation

Service [SYSTEM] lbrtfdc

Service ldap

Service LicenseService

Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts

Service C:\WINDOWS\System32\svchost.exe [DISABLED] Messenger

Service [SYSTEM] mnmdd

Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc

Service [MANUAL] Modem

Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [SYSTEM] Mouclass

Service [BOOT] MountMgr

Service [DISABLED] mraid35x

Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV

Service C:\WINDOWS\System32\DRIVERS\mrxsmb.sys [SYSTEM] MRxSmb

Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC

Service [SYSTEM] Msfs

Service C:\WINDOWS\System32\msiexec.exe [MANUAL] MSIServer

Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV

Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK

Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM

Service [BOOT] Mup

Service [BOOT] NDIS

Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi

Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio

Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan

Service [MANUAL] NDProxy

Service C:\WINDOWS\System32\DRIVERS\netbios.sys [SYSTEM] NetBIOS

Service C:\WINDOWS\System32\DRIVERS\netbt.sys [SYSTEM] NetBT

Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDE

Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDEdsdm

Service C:\WINDOWS\System32\lsass.exe [MANUAL] Netlogon

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman

Service C:\WINDOWS\System32\DRIVERS\nic1394.sys [MANUAL] NIC1394

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla

Service [SYSTEM] Npfs

Service [DISABLED] Ntfs

Service C:\WINDOWS\System32\lsass.exe [MANUAL] NtLmSsp

Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc

Service [SYSTEM] Null

Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt

Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd

Service C:\WINDOWS\System32\DRIVERS\ohci1394.sys [BOOT] ohci1394

Service C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [MANUAL] ose

Service Outlook

Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport

Service [BOOT] PartMgr

Service [AUTO] ParVdm

Service C:\WINDOWS\System32\DRIVERS\pci.sys [BOOT] PCI

Service [SYSTEM] PCIDump

Service C:\WINDOWS\System32\DRIVERS\pciide.sys [BOOT] PCIIde

Service [DISABLED] Pcmcia

Service [MANUAL] PDCOMP

Service [MANUAL] PDFRAME

Service [MANUAL] PDRELI

Service [MANUAL] PDRFRAME

Service [DISABLED] perc2

Service [DISABLED] perc2hib

Service PerfDisk

Service PerfNet

Service PerfOS

Service PerfProc

Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay

Service C:\WINDOWS\System32\HPZipm12.exe [AUTO] Pml Driver HPZ12

Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent

Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport

Service C:\WINDOWS\System32\DRIVERS\processr.sys [SYSTEM] Processor

Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage

Service C:\WINDOWS\System32\DRIVERS\psched.sys [MANUAL] PSched

Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink

Service C:\WINDOWS\System32\DRIVERS\PxHelp20.sys [BOOT] PxHelp20

Service [DISABLED] ql1080

Service [DISABLED] Ql10wnt

Service [DISABLED] ql12160

Service [DISABLED] ql1240

Service [DISABLED] ql1280

Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [SYSTEM] RasAcd

Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto

Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp

Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan

Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe

Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti

Service C:\WINDOWS\System32\DRIVERS\rdbss.sys [SYSTEM] Rdbss

Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [SYSTEM] RDPCDD

Service RDPDD

Service C:\WINDOWS\System32\DRIVERS\rdpdr.sys [MANUAL] rdpdr

Service RDPNP

Service [MANUAL] RDPWD

Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr

Service C:\WINDOWS\System32\DRIVERS\redbook.sys [SYSTEM] redbook

Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess

Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteRegistry

Service C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [MANUAL] Rksample

Service C:\WINDOWS\System32\locator.exe [MANUAL] RpcLocator

Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs

Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP

Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs

Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardDrv

Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr

Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule

Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [MANUAL] Secdrv

Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon

Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS

Service C:\WINDOWS\System32\DRIVERS\serenum.sys [MANUAL] serenum

Service C:\WINDOWS\System32\DRIVERS\serial.sys [SYSTEM] Serial

Service [SYSTEM] Sfloppy

Service C:\WINDOWS\System32\svchost.exe [DISABLED] SharedAccess

Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection

Service [DISABLED] Simbad

Service C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [AUTO] SoftFax

Service [DISABLED] Sparrow

Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter

Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler

Service C:\WINDOWS\System32\DRIVERS\sr.sys [BOOT] sr

Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice

Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv

Service C:\WINDOWS\System32\svchost.exe [MANUAL] SSDPSRV

Service C:\WINDOWS\System32\svchost.exe [AUTO] stisvc

Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum

Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi

Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv

Service [DISABLED] symc810

Service [DISABLED] symc8xx

Service [DISABLED] sym_hi

Service [DISABLED] sym_u3

Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio

Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog

Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv

Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [SYSTEM] Tcpip

Service [MANUAL] TDPIPE

Service [MANUAL] TDTCP

Service C:\WINDOWS\System32\DRIVERS\termdd.sys [SYSTEM] TermDD

Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService

Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes

Service C:\WINDOWS\System32\tlntsvr.exe [DISABLED] TlntSvr

Service C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [AUTO] Tones

Service [DISABLED] TosIde

Service [BOOT] Tpkd

Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks

Service TSDDD

Service [DISABLED] Udfs

Service [DISABLED] ultra

Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update

Service C:\WINDOWS\System32\svchost.exe [AUTO] uploadmgr

Service C:\WINDOWS\System32\svchost.exe [MANUAL] upnphost

Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS

Service usb

Service C:\WINDOWS\System32\DRIVERS\usbccgp.sys [MANUAL] usbccgp

Service C:\WINDOWS\System32\DRIVERS\usbehci.sys [MANUAL] usbehci

Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub

Service C:\WINDOWS\System32\DRIVERS\usbprint.sys [MANUAL] usbprint

Service C:\WINDOWS\System32\DRIVERS\usbscan.sys [MANUAL] usbscan

Service C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR

Service C:\WINDOWS\System32\DRIVERS\usbuhci.sys [MANUAL] usbuhci

Service C:\WINDOWS\System32\UAService7.exe [AUTO] UserAccess7

Service C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [AUTO] V124

Service C:\WINDOWS\System32\drivers\vga.sys [SYSTEM] VgaSave

Service [DISABLED] ViaIde

Service [BOOT] VolSnap

Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS

Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time

Service W3SVC

Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp

Service [MANUAL] WDICA

Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud

Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient

Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt

Service [MANUAL] Winsock

Service WinSock2

Service WinTrust

Service C:\WINDOWS\System32\svchost.exe [AUTO] WmdmPmSp

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi

Service WmiApRpl

Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv

Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv

Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC

Service C:\WINDOWS\System32\DRIVERS\yukonwxp.sys [MANUAL] yukonwxp

Service {45FEC244-C10F-464F-A0BF-4CD50947F48B}

Service {7C4F8FE3-A2A2-4D6B-90AE-CDB9FDCF6D3D}

Service {93D9CA66-A39A-4E50-921C-6A794E842121}


---- EOF - GMER 1.0.12 ----

adam9870 · 7 Luty 2007 15:07

Plik C:\WINDOWS\system32\helpersrrvc.exe jest ale jest ukryty dlatego najpierw musisz włączyć pokazywanie ukrytych plików i folderów. W tym celu mój komputer => narzędzia => opcje folderów => zakładka widok => w części Ukryte pliki i foldery zaznacz opcję Pokaz ukryte pliki i foldery i potwierdź.

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINDOWS\system32\srrvc.exe

C:\WINDOWS\system32\irdvxc.exe

po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.

Po wykonaniu wklej nowy log z ComboFix oraz HijackThis.

Boniu · 7 Luty 2007 20:07

Witam. Oto logi:

"Privat" - 07-02-07 20:58:54 Dodatek Service Pack. 1

ComboFix 07-01-25 - Running from: "e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy"


((((((((((((((((((((((((((((((( Files Created from 2007-01-07 to 2007-02-07 ))))))))))))))))))))))))))))))))))



2007-02-07 20:46

[code]Logfile of HijackThis v1.99.1 Scan saved at 21:06:38, on 2007-02-07 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\UAService7.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\Program Files\Neostrada TP\taskbaricon.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\Packs\Crystal XP\YzToolbar\YzToolbar.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Skype\Plugin Manager\SkypePM.exe e:\Documents and Settings\Privat\Moje dokumenty\Tomek\Anty wirusy\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM…\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [SpeedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe O4 - HKLM…\Run: [OpwareSE2] “C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe” O4 - HKLM…\Run: [OPSE reminder] “C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe” -r “C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini” O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - Startup: Y’z Toolbar.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{C652CE10-A1F8-4642-A39F-428292CDEDD0}: NameServer = 194.204.152.34 217.98.63.164 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

adam9870 · 7 Luty 2007 20:19

Usuń folder.

W logach tylko ten plik:

Czy go skanowałeś? Czy okazał się szkodnikiem, bo niektóre skanery wykrywają go jako Proxy.Slaper.e. Jeśli okazał się szkodnikiem to usuń go za pomocą killboxa i już po wszystkim ;-).

Boniu · 7 Luty 2007 20:27

Niemogę go znaleść, zrobiłem opcje folderów żeby pokazywał ukryte pliki i nie ma go, wpisałem nawet w SZUKAJ i nieznalazło takiego pliku.

Złączono Posta : 07.02.2007 (Sro) 21:59

A może wpiszę go do killboxa i usunę tak na wszelki wypadek?