Niechciane stronki!

Dla specjalistów Bezpieczeństwo
#1

Mam małe problemy i proszę o pomoc. Format narazie odpada za dużo ważnych danych firmowych. Jestem pewien, że po fachowych poradach problem zniknie równie szybko jak się pojawił. Otwiera się mianowicie dużo stron z ofertami handlowymi różnych firm z całego świata :D. Próbowałem je blokować ale na ich miejsce pojawia sie kilkanaście innych.

To moje logi z HijackThis i Silenta

HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 12:44:23, on 2006-05-04

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SYSTEM32\rundll32.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\No-IP\DUC20.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\PVSW\Bin\w3dbsmgr.exe

C:\Program Files\GuildFTPd\GuildFTPd.exe

C:\Program Files\No-IP\DUC20.exe

C:\Symfonia\Amhm.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\Program Files\totalcmd\TOTALCMD.EXE

C:\WINDOWS\System32\WScript.exe

c:\instalki\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - _{08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe

O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - Startup: GuildFTPd - FTP server deamon.lnk = C:\Program Files\GuildFTPd\GuildFTPd.exe

O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe

O4 - Startup: TEPSA.lnk = ?

O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe

O8 - Extra context menu item: Personalizuj Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: RF Pasek Narzędzi - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Wypełnij Pola - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Zapisz Pola - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117548614062

O16 - DPF: {A957CB75-EB22-408A-B718-58F390AF7C53} (obl_cli.obl_cli) - https://sklep.elraty.pl/skk.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B4E3DE9D-77A7-441E-BCA5-474B51E554C2}: NameServer = 194.204.152.34 217.98.63.164

O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\g822lifo182c.dll

O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe

O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

i Silent:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"RoboForm" = ""C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"" ["Siber Systems"]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe" [null data]

"KAVPersonal50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize" ["Kaspersky Lab"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [file not found]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{F0FB13B4-1E7F-435B-9383-186666C91613}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\tkolhelp.dll" [file not found]

"{277D5E6F-1AF4-4C1E-ABEF-C381275C477F}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dgnaddr.dll" [null data]

"{EDCFB84A-E9BC-48D8-A665-8E2734B23EB3}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\guard.tmp" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"

  -> {HKLM...CLSID} = "Microsoft.AntiSpyware.ShellExecuteHook.1"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! Shell Extensions\DLLName = "C:\WINDOWS\system32\g822lifo182c.dll" [null data]

INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [file not found]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "Carrier" & "All Users" startup folders:

---------------------------------------------------------


C:\Documents and Settings\Carrier\Menu Start\Programy\Autostart

"GuildFTPd - FTP server deamon" -> shortcut to: "C:\Program Files\GuildFTPd\GuildFTPd.exe" [null data]

"No-IP DUC" -> shortcut to: "C:\Program Files\No-IP\DUC20.exe" ["Vitalwerks LLC"]

"TEPSA" -> shortcut to: "" [file not found]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Pervasive.SQL Workgroup Engine" -> shortcut to: "C:\PVSW\Bin\w3dbsmgr.exe -SRDE" ["Pervasive Software Inc."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{724D43A0-0D85-11D4-9908-00400523E39A}"

  -> {HKLM...CLSID} = "&RoboForm"

                   \InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{724D43A0-0D85-11D4-9908-00400523E39A}"

  -> {HKLM...CLSID} = "&RoboForm"

                   \InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{724D43A0-0D85-11D4-9908-00400523E39A}" = (no title provided)

  -> {HKLM...CLSID} = "&RoboForm"

                   \InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Crypkey License, Crypkey License, "crypserv.exe" ["Kenonic Controls Ltd."]

kavsvc, kavsvc, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe"" ["Kaspersky Lab"]

NoIPDUCService, NoIPDUCService, "C:\Program Files\No-IP\DUC20.exe -service" ["Vitalwerks LLC"]

VNC Server Version 4, WinVNC4, ""C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service" ["RealVNC Ltd."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

SSGB1 Langmon\Driver = "ssgb1mon.dll" ["Samsung Electronics."]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 62 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 51 seconds.

---------- (total run time: 205 seconds)

Z góry serdeczne dzięki.

#2

Zmień ten podpis, a dokładnie jego kolor, zielony jest przeznaczony tylko dla moderatorów

Widziałeś ten komunikat Ważny komunikat dotyczący tytułowania tematów zastosuj sie do niego => inaczej temat poleci do śmietnika :evil:

Usuń: (wszystko oczywiście robisz w trybie awaryjnym z wyłączonym przywracaniem systemu)

Ten wpis z kreseczką “_” usuniesz edytorem rejestru Registrar Lite

Uruchom edytor w pole Address wklej ścieżke

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks i kliknij Go poczym zostaniesz przeniesiony do tego klucza. Po prawej stronie będzie widoczny wpis _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} wszystkie inne wpisy z taką samą kreseczką także kasujesz i z prawokliku kasujesz wpisy.

Użyj Look2Me-Destroyer a następnie daj log nr 1 z narzedzia L2Mfix

#3

Ok zrobiłem wg zaleceń i następny log z l2mfix :

#4

W tym logu czysto :slight_smile:

#5

Ten plik usunąć programem Pocket Killbox czyli odpalasz Killboxa zaznacz opcję Delete on Reboot następnie w polu Full Path of File to Delete wklej ścieżke:

C:\WINDOWS\System32** asi2dvaa.dll**

następnie program będzie pytał o restart (oczywiście zgadzasz sie)

I bedzie ok

#6

Usunąłem asi2dvaa.dll i już jest dobrze. Chylę czoło. :slight_smile: