misiu1
(Michalrub)
31 July 2006 20:51
#1
Hi. A friend's computer ran for about 3 weeks without an antivirus. I don't know how, but it damaged the NOD kernel. I reinstalled it, scanned a few times with NOD32 and additionally with Ewido, and some nasties are still sitting there. It keeps trying to connect to the internet. I'd ask you to check the log.
Logfile of HijackThis v1.99.1
Scan saved at 12:52:29, on 2006-07-31
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\autoclk.exe
C:\PROGRA~1\Wanadoo\taskbaricon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\directxbt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Halinka\Moje dokumenty\Nowy folder (2)\Gadu-Gadu\gg.exe
C:\WINDOWS\System32\directxnew.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\PROGRA~1\Wanadoo\EspaceWanadoo.exe
C:\PROGRA~1\Wanadoo\ComComp.exe
C:\PROGRA~1\Wanadoo\Watch.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\totalcmd\TOTALCMD.EXE
C:\Instalki\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [autoclk] autoclk.exe
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\taskbaricon.exe
O4 - HKLM…\Run: [MS Config] msdconfig.exe
O4 - HKLM…\Run: [Microsoft Office Startup] expl0rer.exe
O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [Microsoft Directx] directxup.exe
O4 - HKLM…\Run: [egr2cd16] RUNDLL32.EXE w00478d6.dll,n 0022cd140000000a00478d6
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM…\Run: [defender] C:\dfndref_7.exe
O4 - HKLM…\Run: [keyboard] C:\kybrdef_7.exe
O4 - HKLM…\Run: [gis2d08c] RUNDLL32.EXE w001d7ec.dll,n 0022d08a0000000a001d7ec
O4 - HKLM…\Run: [newname] C:\nwnmef_7.exe
O4 - HKLM…\Run: [Microsoft Directxspnew] directxnew.exe
O4 - HKLM…\Run: [Microsoft Directxsp] directxbt.exe
O4 - HKLM…\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM…\RunServices: [MS Config] msdconfig.exe
O4 - HKLM…\RunServices: [Microsoft Office Startup] expl0rer.exe
O4 - HKLM…\RunServices: [Microsoft Directx] directxup.exe
O4 - HKLM…\RunServices: [Microsoft Directxspnew] directxnew.exe
O4 - HKLM…\RunServices: [Microsoft Directxsp] directxbt.exe
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU…\Run: [MS Config] msdconfig.exe
O4 - HKCU…\Run: [fjdslssdfd] C:\WINDOWS\system32\mat2.exe
O4 - HKCU…\Run: [Microsoft Directx] directxup.exe
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Documents and Settings\Halinka\Moje dokumenty\Nowy folder (2)\Gadu-Gadu\gg.exe" /tray
O4 - HKCU…\Run: [iqqm] C:\PROGRA~1\COMMON~1\iqqm\iqqmm.exe
O4 - HKCU…\Run: [Microsoft Directxspnew] directxnew.exe
O4 - HKCU…\Run: [Microsoft Directxsp] directxbt.exe
O4 - HKCU…\RunServices: [Microsoft Directx] directxup.exe
O4 - HKCU…\RunServices: [Microsoft Directxspnew] directxnew.exe
O4 - HKCU…\RunServices: [Microsoft Directxsp] directxbt.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip…{CE1571D7-0F0C-4318-AE76-5D8F382615F5}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\oeecnv32.dll (file missing)
O23 - Service: aDLCJDdsaE - Unknown owner - C:\WINDOWS\system32\mat2.exe (file missing)
O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
Thanks
adam9870
(adam9870)
31 July 2006 22:07
#2
Use Windows Worms Doors Cleaner and switch the markers from disable to enable (all markers should be green; if any of them is yellow, leave it).
Start => Run => type services.msc => check whether the services Win32 Kernel Update, aDLCJDdsaE and netconf32 are there; if so, stop them and disable them.
Delete: (you do all of this in safe mode, of course, with System Restore turned off)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM…\Run: [autoclk] autoclk.exe
O4 - HKLM…\Run: [MS Config] msdconfig.exe
O4 - HKLM…\Run: [Microsoft Office Startup] expl0rer.exe
O4 - HKLM…\Run: [Microsoft Directx] directxup.exe
O4 - HKLM…\Run: [egr2cd16] RUNDLL32.EXE w00478d6.dll,n 0022cd140000000a00478d6
O4 - HKLM…\Run: [defender] C:\dfndref_7.exe
O4 - HKLM…\Run: [keyboard] C:\kybrdef_7.exe
O4 - HKLM…\Run: [gis2d08c] RUNDLL32.EXE w001d7ec.dll,n 0022d08a0000000a001d7ec
O4 - HKLM…\Run: [newname] C:\nwnmef_7.exe
O4 - HKLM…\Run: [Microsoft Directxspnew] directxnew.exe
O4 - HKLM…\Run: [Microsoft Directxsp] directxbt.exe
O4 - HKLM…\RunServices: [MS Config] msdconfig.exe
O4 - HKLM…\RunServices: [Microsoft Office Startup] expl0rer.exe
O4 - HKLM…\RunServices: [Microsoft Directx] directxup.exe
O4 - HKLM…\RunServices: [Microsoft Directxspnew] directxnew.exe
O4 - HKLM…\RunServices: [Microsoft Directxsp] directxbt.exe
O4 - HKCU…\Run: [MS Config] msdconfig.exe
O4 - HKCU…\Run: [fjdslssdfd] C:\WINDOWS\system32\mat2.exe
O4 - HKCU…\Run: [Microsoft Directx] directxup.exe
O4 - HKCU…\Run: [iqqm] C:\PROGRA~1\COMMON~1\iqqm\iqqmm.exe
O4 - HKCU…\Run: [Microsoft Directxspnew] directxnew.exe
O4 - HKCU…\Run: [Microsoft Directxsp] directxbt.exe
O4 - HKCU…\RunServices: [Microsoft Directx] directxup.exe
O4 - HKCU…\RunServices: [Microsoft Directxspnew] directxnew.exe
O4 - HKCU…\RunServices: [Microsoft Directxsp] directxbt.exe
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\oeecnv32.dll (file missing)
O23 - Service: aDLCJDdsaE - Unknown owner - C:\WINDOWS\system32\mat2.exe (file missing)
O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe (file missing)
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
The marked files and folders you delete manually from the disk, and the entries in HijackThis.
Use the SmitFraudFix tool.
After doing the above, post a new log from HijackThis plus one from Silent Runners and the SmitFraudFix removal report, which is in C:\raport.txt. If there is an error with Silent Runners, give its text.
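The selection above follows a few repeatable rules: IE search and start pages rewritten to one unfamiliar host, Run/RunServices targets with no path or sitting in the drive root, rundll32 loading a DLL by bare name, and services or Winlogon notify entries whose file is already gone. The script below, an added example and not a tool from this thread, applies those rules to HijackThis v1.99 log lines; the sample lines are copied from the first log, the trusted host is a placeholder, and SOUNDMAN.EXE is allow-listed because the Silent Runners output later in the thread shows its vendor as Realtek.

```python
"""Heuristic triage of HijackThis v1.99 log lines (added example).
It does not decide what to delete; it shortlists the entries a reviewer
looks at first, with the reason for each."""
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the first log in this thread plus a
# few benign ones, so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MS Config] msdconfig.exe
O4 - HKLM\..\Run: [Microsoft Office Startup] expl0rer.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [defender] C:\dfndref_7.exe
O4 - HKLM\..\Run: [egr2cd16] RUNDLL32.EXE w00478d6.dll,n 0022cd140000000a00478d6
O4 - HKLM\..\RunServices: [Microsoft Directx] directxup.exe
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\oeecnv32.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
"""

HIJACK_RE = re.compile(r"^(?P<sec>R[01]) - (?P<key>.+?) = (?P<value>.+)$")
AUTORUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
# Executable = everything up to the first known extension followed by a space
# or end of line, so unquoted paths with spaces are not cut at the space.
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|com|scr|pif|bat|cmd|vbs|dll))(?=\s|$)", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")


def _split_target(target):
    """Return (executable, remaining arguments) for an O4 target string."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        if end > 0:
            return target[1:end], target[end + 1:].strip()
    m = EXE_RE.match(target)
    if m:
        exe = m.group("exe")
        return exe, target[len(exe):].strip()
    exe, _, rest = target.partition(" ")
    return exe, rest.strip()


def triage(log_text, trusted_hosts=frozenset(), known_bare_names=frozenset()):
    """Return a list of (section, reason, line) for entries worth a closer look.

    trusted_hosts: hosts the owner recognises as their own search/start pages.
    known_bare_names: path-less autorun targets already verified (for example
    via the vendor column of a Silent Runners report), in upper case.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        m = HIJACK_RE.match(line)
        if m and m.group("value").lower().startswith(("http://", "https://")):
            host = urlsplit(m.group("value")).hostname or ""
            if host not in trusted_hosts:
                findings.append((section, f"IE search/start page set to untrusted host {host}", line))
        m = AUTORUN_RE.match(line)
        if m:
            exe, rest = _split_target(m.group("target"))
            if exe.upper() == "RUNDLL32.EXE":
                parts = rest.split(",")[0].split()
                dll = parts[0] if parts else ""
                if dll and "\\" not in dll:
                    findings.append((section, f"rundll32 loads DLL by bare name: {dll}", line))
            elif "\\" not in exe and exe.upper() not in known_bare_names:
                findings.append((section, f"autorun target has no path: {exe}", line))
            elif DRIVE_ROOT_RE.match(exe):
                findings.append((section, f"autorun target in drive root: {exe}", line))
        if line.endswith("(file missing)"):
            findings.append((section, "entry references a file that no longer exists", line))
    return findings


def demo():
    """Run the heuristics over SAMPLE_LOG with allow-lists drawn from this thread."""
    return triage(
        SAMPLE_LOG,
        trusted_hosts=frozenset({"www.example.org"}),  # placeholder for the owner's real home page host
        known_bare_names=frozenset({"SOUNDMAN.EXE"}),  # vendor shown as Realtek by Silent Runners
    )


if __name__ == "__main__":
    for section, reason, line in demo():
        print(f"{section:>4}  {reason}\n      {line}")
```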
misiu1
(Michalrub)
1 August 2006 19:37
#3
Thanks, done, although not all of the files were physically visible. I disabled the services. In WWDC I also switched two ports to enable. Here are the logs from HijackThis and Silent Runners. And the report from the SmitFraudFix tool.
I'd ask for another check. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 21:35:04, on 2006-08-01
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Wanadoo\taskbaricon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\mssvcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Halinka\Moje dokumenty\Nowy folder (2)\Gadu-Gadu\gg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\totalcmd\TOTALCMD.EXE
c:\Instalki\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\taskbaricon.exe
O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM…\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM…\Run: [msconfig38] mssvcc.exe
O4 - HKLM…\RunServices: [msconfig38] mssvcc.exe
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Documents and Settings\Halinka\Moje dokumenty\Nowy folder (2)\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip…{CE1571D7-0F0C-4318-AE76-5D8F382615F5}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Documents and Settings\Halinka\Moje dokumenty\Nowy folder (2)\Gadu-Gadu\gg.exe" /tray" ["sms-express.com "]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\taskbaricon.exe" ["France Télécom R&D"]
"NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"msconfig38" = "mssvcc.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                      \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = "Foldery w sieci Web"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL" [file not found]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{CA7074B7-B511-4D3B-95A6-B6250105FBF6}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\aTaamon.dll" [file not found]
"{16CB9738-61EC-47A3-ADB2-518D59C67A32}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nfhtml.dll" [file not found]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Halinka" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 19
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 17 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 21 seconds.
---------- (total run time: 77 seconds)
SmitFraudFix v2.78

Scan done at 21:18:59,65, 2006-08-01
Run from C:\Instalki\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
You know the removal instructions.
misiu1
(Michalrub)
3 August 2006 19:21
#5
Thanks. Apart from those entries, is everything OK? Should I post a new log?
kuz5
(Kuz5)
3 August 2006 19:40
#6
Yes
Yes, post the full set of logs, Silent Runners and HijackThis, to be sure.
misiu1
(Michalrub)
4 August 2006 09:59
#7
Here are the logs to check after cleaning:
Logfile of HijackThis v1.99.1
Scan saved at 11:57:29, on 2006-08-04
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Wanadoo\taskbaricon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Halinka\Moje dokumenty\Nowy folder (2)\Gadu-Gadu\gg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\totalcmd\TOTALCMD.EXE
c:\Instalki\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\taskbaricon.exe
O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM…\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Documents and Settings\Halinka\Moje dokumenty\Nowy folder (2)\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip…{CE1571D7-0F0C-4318-AE76-5D8F382615F5}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Documents and Settings\Halinka\Moje dokumenty\Nowy folder (2)\Gadu-Gadu\gg.exe" /tray" ["sms-express.com "]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\taskbaricon.exe" ["France Télécom R&D"]
"NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                      \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = "Foldery w sieci Web"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL" [file not found]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{CA7074B7-B511-4D3B-95A6-B6250105FBF6}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\aTaamon.dll" [file not found]
"{16CB9738-61EC-47A3-ADB2-518D59C67A32}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nfhtml.dll" [file not found]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Halinka\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Halinka" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 19
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 16 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 19 seconds.
---------- (total run time: 68 seconds)
Thanks