fredek1
(Fredshit)
26 December 2006 12:08
#1
Well... this probably won't look too good.
It doesn't tell me much, but I'm counting on it telling you more, and that someone
will manage to help me.
Logs:
Logfile of HijackThis v1.99.1
Scan saved at 13:05:39, on 2006-12-26
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\cmd32.exe
C:\WINDOWS\System32\z11.exe
C:\Program Files\Common Files\{ACA16DD2-07CF-1045-0831-051022030030}\Update.exe
C:\Programy\Logitech\MouseWare\system\em_exec.exe
C:\DOCUME~1\admin\USTAWI~1\Temp\TldDLadhh
C:\Programy\Tlen.pl\tlen.exe
C:\WINDOWS\PPATCH~1\javaw.exe
C:\Program Files\Common Files\?racle\m?config.exe
C:\Programy\Rainlendar\Rainlendar.exe
C:\Documents and Settings\admin\H0iuFIX.exe
C:\WINDOWS\System32\services.exe
C:\Documents and Settings\admin\Pulpit\HijackThis.exe
C:\WINDOWS\System32\google.png.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {9A83E191-2C07-74FE-2183-0045747A2DC5} - C:\WINDOWS\System32\qbcpafxm.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20000\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programy\AdobeAcrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programy\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {9A83E191-2C07-74FE-2183-0045747A2DC5} - C:\WINDOWS\System32\qbcpafxm.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA16~1\Bar888.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programy\FlashGet\getflash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Programy\FlashGet\fgiebar.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA16~1\Bar888.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\Run: [{ACA16DD2-07CF-1045-0831-051022030030}] "C:\Program Files\Common Files\{ACA16DD2-07CF-1045-0831-051022030030}\Update.exe" te-110-12-0000273
O4 - HKLM\..\Run: [dmusy.exe] C:\WINDOWS\System32\dmusy.exe
O4 - HKCU\..\Run: [Komunikator] "C:\Programy\Tlen.pl\tlen.exe" --confdir=user --path="C:\Programy"
O4 - HKCU\..\Run: [WinMedia] C:\361101032251599765.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winsth] C:\3611010322521600593.exe
O4 - HKCU\..\Run: [internet Connection Wizard] stisvsq1.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost1.exe
O4 - HKCU\..\Run: [internet Mail and News] msqdevl1.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas1.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice1.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\admin\USTAWI~1\Temp\6.tmp
O4 - HKCU\..\Run: [Mopl] "C:\WINDOWS\PPATCH~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Vxxpg] C:\Program Files\Common Files\?racle\m?config.exe
O4 - Startup: Rainlendar.lnk = C:\Programy\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\Programy\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programy\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programy\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programy\FlashGet\flashget.exe
O16 - DPF: {2B8D0D47-17D6-6F47-2373-45C7605DE4C3} - http://85.255.114.166/1/rdgFR2650.exe
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27CECBF1-B3C1-48A0-B0D2-A45693974505}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F918CA0-5535-4ECC-8712-B18B1F033BA7}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{B832AA71-35BD-40B1-9C3F-8A0ED21BF7F8}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Skype\Plugin Manager\Skype4COM.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000273 (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32:svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
adam9870
(adam9870)
26 December 2006 12:31
#2
Start => Run => type cmd and click OK => in the console that opens, type:
Use Windows Worms Doors Cleaner and switch the markers from disable to enable (all of them should be green; if any of them is yellow, leave it). A restart is required after using the tool.
Use the FixWareOut tool.
Use the SmitFraudFix tool (option 2). Then check what is left of the items I've marked below and remove them (you do all of this in Safe Mode, of course, with System Restore turned off):
R3 - URLSearchHook: (no name) - {9A83E191-2C07-74FE-2183-0045747A2DC5} - C:\WINDOWS\System32\qbcpafxm.dll
F3 - REG:win.ini: run=C:\WINDOWS\inet20000\services.exe
O2 - BHO: (no name) - {9A83E191-2C07-74FE-2183-0045747A2DC5} - C:\WINDOWS\System32\qbcpafxm.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA16~1\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA16~1\Bar888.dll
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKLM\..\Run: [{ACA16DD2-07CF-1045-0831-051022030030}] "C:\Program Files\Common Files\{ACA16DD2-07CF-1045-0831-051022030030}\Update.exe" te-110-12-0000273
O4 - HKLM\..\Run: [dmusy.exe] C:\WINDOWS\System32\dmusy.exe
O4 - HKCU\..\Run: [WinMedia] C:\361101032251599765.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winsth] C:\3611010322521600593.exe
O4 - HKCU\..\Run: [internet Connection Wizard] stisvsq1.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost1.exe
O4 - HKCU\..\Run: [internet Mail and News] msqdevl1.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas1.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice1.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\System32\syspools.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\admin\USTAWI~1\Temp\6.tmp
O4 - HKCU\..\Run: [Mopl] "C:\WINDOWS\PPATCH~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Vxxpg] C:\Program Files\Common Files\?racle\m?config.exe
O16 - DPF: {2B8D0D47-17D6-6F47-2373-45C7605DE4C3} - http://85.255.114.166/1/rdgFR2650.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{27CECBF1-B3C1-48A0-B0D2-A45693974505}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F918CA0-5535-4ECC-8712-B18B1F033BA7}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{B832AA71-35BD-40B1-9C3F-8A0ED21BF7F8}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000273 (file missing)
The marked files and folders you delete manually from the disk; the entries you delete with HijackThis.
Read up on removing the files and folders with a question mark in their names: Removing PurityScan.
Don't remove the R3 entry with HijackThis; remove it with Registrar Lite, the description is HERE.
Use ATF Cleaner and clear Current User Temp and All Users Temp.
When done, post a new HJT log, a SilentRunners log and the reports from SmitFraudFix and FixWareOut.
fredek1
(Fredshit)
26 December 2006 13:21
#3
OK.
I'm going through it in order, more or less as it went; I hope I did what was needed correctly. So:
SmitFraudFix
SmitFraudFix v2.131
Scan done at 13:35:48,03, 2006-12-26
Run from C:\Documents and Settings\admin\Pulpit\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\winstall.exe Deleted
C:\WINDOWS\system32\cmd32.exe Deleted
C:\WINDOWS\system32\dial23.exe Deleted
C:\WINDOWS\system32\svchosts.exe Deleted
C:\WINDOWS\system32\taskdir.exe Deleted
C:\WINDOWS\system32\z11.exe Deleted
C:\WINDOWS\system32\z12.exe Deleted
C:\WINDOWS\system32\z13.exe Deleted
C:\WINDOWS\system32\z14.exe Deleted
C:\WINDOWS\system32\z15.exe Deleted
C:\WINDOWS\system32\z16.exe Deleted
C:\WINDOWS\system32\zlbw.dll Deleted
C:\DOCUME~1\admin\Pulpit\asfds Deleted
C:\DOCUME~1\admin\Pulpit\cdegfr Deleted
C:\DOCUME~1\admin\Pulpit\fdsf Deleted
C:\DOCUME~1\admin\Pulpit\sdfdsf Deleted
C:\DOCUME~1\admin\Pulpit\SpySheriff.lnk Deleted
C:\DOCUME~1\admin\Pulpit\wdcsadsad Deleted
C:\DOCUME~1\admin\Pulpit\zxczxc Deleted
C:\DOCUME~1\admin\MENUST~1\Programy\SpySheriff Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csjhn.exe"

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Fixwareout
Fixwareout Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csjhn.exe"
...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins}81C14537A864-6AEB-9E34-E744-20952A8C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins}61E69BB29183-B899-0E04-0959-FEFB1DB7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ollmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
...
Random Runs removed from HKLM
"dmllo.exe"=-
...
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
»»»»» Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSMZR.EXE 51 778 2006-11-22
C:\WINDOWS\SYSTEM32\DMLLO.EXE 60 508 2002-09-28
Other suspects.
C:\WINDOWS\System32\{192126D7-344F-4FC5-A6C6-5816EABB4973}.exe
C:\WINDOWS\System32\{8F668C35-50C8-4B11-A853-1198DB61588E}.exe
»»»»» Misc files.
C:\WINDOWS\System32\taskdir.exe
C:\WINDOWS\System32\adir.dll
»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""
...

And HijackThis after all that, which I think is what I was supposed to do:

Logfile of HijackThis v1.99.1
Scan saved at 14:23:04, on 2006-12-26
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\ipwins\ipwins.exe
C:\Programy\Tlen.pl\tlen.exe
C:\Programy\Logitech\MouseWare\system\em_exec.exe
C:\Programy\Rainlendar\Rainlendar.exe
C:\Programy\Firefox2\firefox.exe
C:\WINDOWS\System32\WScript.exe
C:\Documents and Settings\admin\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {9A83E191-2C07-74FE-2183-0045747A2DC5} - C:\WINDOWS\System32\qbcpafxm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programy\AdobeAcrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programy\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {9A83E191-2C07-74FE-2183-0045747A2DC5} - C:\WINDOWS\System32\qbcpafxm.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA16~1\Bar888.dll (file missing)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programy\FlashGet\getflash.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Programy\FlashGet\fgiebar.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA16~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ipWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [Komunikator] "C:\Programy\Tlen.pl\tlen.exe" --confdir=user --path="C:\Programy"
O4 - HKCU\..\Run: [Winstc] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032251601390.exe
O4 - Startup: Rainlendar.lnk = C:\Programy\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\Programy\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programy\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programy\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programy\FlashGet\flashget.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com.pl/resources/v … nicode.cab
O16 - DPF: {2B8D0D47-17D6-6F47-2373-45C7605DE4C3} - http://85.255.114.166/1/rdgFR2650.exe
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27CECBF1-B3C1-48A0-B0D2-A45693974505}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F918CA0-5535-4ECC-8712-B18B1F033BA7}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{B832AA71-35BD-40B1-9C3F-8A0ED21BF7F8}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Skype\Plugin Manager\Skype4COM.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32:svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

No alert and no pop-up windows at system startup any more. Is there anything else I should get rid of? When typing in cmd + COM, both give some error, ports blocked.
Bieniol
(Bbieniol)
26 December 2006 13:31
#4
Download and run the tool The Avenger. Tick the option Input script manually and click the magnifying glass on the right. In the window that opens, paste:
Click Done, then the green light, and agree to the restart by clicking OK. After the restart HijackThis will launch, so run a scan and use it to remove the entries:
R3 - URLSearchHook: (no name) - {9A83E191-2C07-74FE-2183-0045747A2DC5} - C:\WINDOWS\System32\qbcpafxm.dll
O2 - BHO: (no name) - {9A83E191-2C07-74FE-2183-0045747A2DC5} - C:\WINDOWS\System32\qbcpafxm.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA16~1\Bar888.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA16~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [ipWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032251601390.exe
O16 - DPF: {2B8D0D47-17D6-6F47-2373-45C7605DE4C3} - http://85.255.114.166/1/rdgFR2650.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{27CECBF1-B3C1-48A0-B0D2-A45693974505}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F918CA0-5535-4ECC-8712-B18B1F033BA7}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{B832AA71-35BD-40B1-9C3F-8A0ED21BF7F8}: NameServer = 85.255.114.52,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
Delete the file C:\Avenger\backup.zip manually from the disk, and post on the forum the report C:\avenger.txt + a new HijackThis log + a Silent Runners log.
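The removal lists in #2 and #4 follow a handful of recurring rules: several HKCU Run values with random names all launching one file in the drive root, loaders in Temp or straight in the user profile, names that imitate core Windows binaries (svchosts.exe, lssas1.exe), a DPF download from a raw IP, NameServer overrides under every control set, and services whose binary is missing or sits in an alternate data stream (System32:svchost.exe). The script below is an added example that encodes those rules; it is not a tool used by anyone in this thread. The sample log embedded in it is constructed from a subset of the first log above, and EXPECTED_DNS is an assumed placeholder for the resolvers the machine should really be using.

```python
"""Triage a HijackThis 1.99 log for the classes of entry the helpers in this thread flag.
Added example, not a tool the posters used; the sample log below is constructed."""
import difflib
import re
from collections import defaultdict

EXPECTED_DNS = {"192.168.1.1"}  # assumption: the resolvers this PC should be using
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
SINGLETONS = SYSTEM_BINARIES - {"svchost.exe", "spoolsv.exe", "explorer.exe"}
O4_RE = re.compile(r"^O4 - HK\w+\S*Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)")
O17_RE = re.compile(r"^O17 - \S+: NameServer = (?P<servers>.*)$")
O23_RE = re.compile(r"^O23 - Service: .*? - .*? - (?P<rest>.*)$")
PATH_RULES = [  # checked against the lower-cased path, first hit wins
    (r"\\temp\\", "runs from a Temp directory"),
    (r"^[a-z]:\\[^\\]+$", "lives in the drive root"),
    (r"^[a-z]:\\(?:documents and settings|docume~1)\\[^\\]+\\[^\\]+$", "lives directly in a user profile"),
    (r"^[a-z]:\\.*:[^\\]+$", "alternate data stream path"),
]
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchosts.exe
C:\DOCUME~1\admin\USTAWI~1\Temp\TldDLadhh
C:\Documents and Settings\admin\H0iuFIX.exe
C:\WINDOWS\System32\services.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Winstj] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032251601390.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas1.exe
O16 - DPF: {2B8D0D47-17D6-6F47-2373-45C7605DE4C3} - http://85.255.114.166/1/rdgFR2650.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32:svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

def first_path(cmd):
    """Executable named first on a Run or Service command line, quotes handled."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def lookalike(name):
    """Core Windows binary this name imitates (svchosts.exe, lssas1.exe), else None."""
    if name in SYSTEM_BINARIES:
        return None
    ratios = {real: difflib.SequenceMatcher(None, name, real).ratio() for real in SYSTEM_BINARIES}
    best = max(ratios, key=ratios.get)
    return best if ratios[best] >= 0.8 else None

def suspicious_path(path):
    p = path.lower()
    for pattern, reason in PATH_RULES:
        if re.search(pattern, p):
            return reason
    real = lookalike(p.rsplit("\\", 1)[-1])
    return f"name resembles {real}" if real else None

def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return (reason, offending line) pairs in log order; cross-line checks come last."""
    findings, run_targets, procs, section = [], defaultdict(set), defaultdict(int), None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            section = "procs"
            continue
        if re.match(r"^[A-Z]\d+ - ", line):
            section = "entries"
        if section == "procs" and line:
            procs[line.rsplit("\\", 1)[-1].lower()] += 1
            if why := suspicious_path(line):
                findings.append((why, line))
        elif m := O4_RE.match(line):
            target = first_path(m["cmd"])
            run_targets[target.lower()].add(m["name"])
            if why := suspicious_path(target):
                findings.append((why, line))
        elif m := O16_RE.match(line):
            host = re.match(r"https?://([^/:]+)", m["url"])
            if m["url"].lower().endswith(".exe") or (host and host.group(1).replace(".", "").isdigit()):
                findings.append(("DPF fetches an .exe or uses a raw IPv4 host", line))
        elif m := O17_RE.match(line):
            rogue = [s for s in re.split(r"[ ,]+", m["servers"]) if s and s not in expected_dns]
            if rogue:
                findings.append(("NameServer overridden: " + " ".join(rogue), line))
        elif m := O23_RE.match(line):
            if "(file missing)" in m["rest"]:
                findings.append(("service binary missing", line))
            if why := suspicious_path(first_path(m["rest"])):
                findings.append((why, line))
    for name, n in procs.items():  # smss/csrss/winlogon/services/lsass run exactly once
        if name in SINGLETONS and n > 1:
            findings.append((f"{name} running {n} times, expected one", name))
    for target, names in run_targets.items():  # Winstj, Winstc, ... all launching one file
        if len(names) > 1:
            findings.append((f"{len(names)} Run entries launch the same file", target))
    return findings

if __name__ == "__main__":
    for reason, where in triage(SAMPLE_LOG):
        print(f"{reason:44} {where}")
```

Run it as a script to list the findings for the built-in sample, or call triage() on a pasted log. On the full first log it also reports the O17 override under CS1, CS2 and CS3 as well as CCS; those are the stored ControlSet00N copies, so booting with "Last Known Good Configuration" would bring the same rogue resolvers back, which is why both removal lists keep all seven O17 lines, and why the log in #5 still shows the NameServer value under CS1, CS2, CS3 and CCS after the Avenger run.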
fredek1
(Fredshit)
26 December 2006 14:31
#5
Logfile of HijackThis v1.99.1
Scan saved at 15:31:34, on 2006-12-26
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Programy\Logitech\MouseWare\system\em_exec.exe
C:\Programy\Tlen.pl\tlen.exe
C:\WINDOWS\system32\notepad.exe
C:\Programy\Rainlendar\Rainlendar.exe
C:\Programy\Firefox2\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\admin\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programy\AdobeAcrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programy\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programy\FlashGet\getflash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Programy\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [Komunikator] "C:\Programy\Tlen.pl\tlen.exe" --confdir=user --path="C:\Programy"
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - Startup: Rainlendar.lnk = C:\Programy\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\Programy\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programy\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programy\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programy\FlashGet\flashget.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com.pl/resources/v … nicode.cab
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.12
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Skype\Plugin Manager\Skype4COM.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32:svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lpjuyffe

*******************

Script file located at: \??\C:\WINDOWS\wkpuscws.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\CSMZR not found!
Deletion of file C:\WINDOWS\SYSTEM32\CSMZR failed!
Could not process line:
C:\WINDOWS\SYSTEM32\CSMZR
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\DMLLO.EXE deleted successfully.
File C:\WINDOWS\System32\{192126D7-344F-4FC5-A6C6-5816EABB4973}.exe deleted successfully.
File C:\WINDOWS\System32\{8F668C35-50C8-4B11-A853-1198DB61588E}.exe deleted successfully.
File C:\WINDOWS\System32\taskdir.exe deleted successfully.
File C:\WINDOWS\System32\adir.dll deleted successfully.

File C:\361101032251601390.exe not found!
Deletion of file C:\361101032251601390.exe failed!
Could not process line:
C:\361101032251601390.exe
Status: 0xc0000034

File C:\WINDOWS\System32\qbcpafxm.dll deleted successfully.
Program C:\Documents and Settings\admin\Pulpit\HijackThis.exe successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Komunikator" = ""C:\Programy\Tlen.pl\tlen.exe" --confdir=user --path="C:\Programy"" ["o2.pl Sp. z o.o."]
"taskdir" = "C:\WINDOWS\System32\taskdir.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
    \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
    \InProcServer32\(Default) = "C:\Programy\AdobeAcrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "IeCatch5 Class"
    \InProcServer32\(Default) = "C:\Programy\FlashGet\jccatch.dll" ["FlashGet"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "gFlash Class"
    \InProcServer32\(Default) = "C:\Programy\FlashGet\getflash.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Programy\WinRAR\rarext.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Programy\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Programy\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Programy\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Programy\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "C:\Programy\OFFICE~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
    \InProcServer32\(Default) = "C:\Programy\OFFICE~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Programy\Office2003\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} =
(no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler” -> {HKLM…CLSID} = “NeroDigitalColumnHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll” [“Nero AG”] {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Programy\OpenOffice.ux.pl 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ VIDEOTRANS(Default) = “{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}” -> {HKLM…CLSID} = “AmvTransform Class” \InProcServer32(Default) = “C:\Programy\MP3 Player Utilities 4.04\AMVConverter\AmvTransform.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “admin” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\admin\Menu Start\Programy\Autostart “Rainlendar” -> shortcut to: “C:\Programy\Rainlendar\Rainlendar.exe” [“Rainy”] Enabled Scheduled Tasks: ------------------------ “AppleSoftwareUpdate” -> launches: “C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task” [“Apple Computer, Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 16 %SystemRoot%\system32\rsvpsp.dll 
[MS], 05 - 06 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet Bar” -> {HKLM…CLSID} = “FlashGet Bar” \InProcServer32(Default) = “C:\Programy\FlashGet\fgiebar.dll” [“Amaze Soft”] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Programy\OFFICE~1\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_09” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_09” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “C:\Programy\FlashGet\flashget.exe” [“FlashGet.com ”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] USB Data Adapter, Usbpda, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\usbpda.dll” [MS]} Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ FPR5:\Driver = “fpmon5.dll” [“FinePrint Software, LLC”] Monitor języka PJL\Driver = “PJLMON.DLL” [MS] 
---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 865 seconds, including 9 seconds for message boxes)
I left those TCP addresses because they're my DNS servers,
although if they aren't where they should be, I'll remove them, please tell me.
Is there anything else that shouldn't be there?
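As an added example (not code from this thread or from the Silent Runners project), a small Python triage helper for the report format posted above: it parses the `"Name" = "command" [signer]` launch-point entries, honours the script's own `<>` marker and its unverified-signer values, and flags entries a responder would check first. The user-writable-location heuristic, the dict layout of the findings and the sample lines are mine (the last sample line is made up).

```python
import re
# One Silent Runners launch-point entry:  <> "Name" = "command" [signer]
# The optional "<>" prefix and the bracketed signer field are the script's own conventions.
ENTRY_RE = re.compile(
    r'^(?P<mark><>\s*)?"(?P<name>[^"]+)"\s*=\s*"(?P<cmd>.*)"\s*\[(?P<sig>[^\]]*)\]\s*$'
)
# Signer values the script emits when it could not verify the file (from its report legend)
UNVERIFIED = {"file not found", "null data", "empty string"}
# Heuristic of mine, not the script's: a Run-key program living here deserves a second look
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\")

def image_path(cmd: str) -> str:
    """Best-effort executable path: quoted token first, else the DLL named after RUNDLL32."""
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    parts = cmd.split()
    if len(parts) > 1 and parts[0].lower() in ("rundll32.exe", "rundll32"):
        return parts[1].split(",")[0]
    return parts[0] if parts else ""

def triage(report: str) -> list:
    """Return the entries worth a closer look, each as a dict with the reasons it was flagged."""
    findings = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # registry key headers, section titles, blank lines
        sig = m.group("sig").strip('"')
        reasons = []
        if m.group("mark"):
            reasons.append("marked <> by Silent Runners")
        if sig in UNVERIFIED:
            reasons.append("signer: " + sig)
        if any(d in image_path(m.group("cmd")).lower() for d in USER_WRITABLE):
            reasons.append("runs from a user-writable location")
        if reasons:
            findings.append({"name": m.group("name"), "cmd": m.group("cmd"),
                             "signer": sig, "reasons": reasons})
    return findings

# Constructed sample in the report's format (entries copied from the thread's log; the "<>" line is made up)
SAMPLE = r'''HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Komunikator" = ""C:\Programy\Tlen.pl\tlen.exe" --confdir=user --path="C:\Programy"" ["o2.pl Sp. z o.o."]
"taskdir" = "C:\WINDOWS\System32\taskdir.exe" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
<> "updater" = "C:\DOCUME~1\admin\USTAWI~1\Temp\sample.exe" [null data]
'''
```

Running `triage(SAMPLE)` flags only `taskdir` (file not found) and the made-up `updater` entry; the two signed, in-place programs pass.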
Bieniol
(Bbieniol)
26 December 2006 14:35
#6
Open Notepad and paste this into it:
File -> Save As -> change the file type to All Files -> save it under the name FIX.REG
Run the FIX.REG file, confirm adding it to the registry, and restart the computer.
As for the DNS servers, I honestly doubt they're yours, because they're Ukrainian DNS servers, which are a sign (in your case too) of the Windows Security Center rootkit. Remove them.
After these steps, paste new logs.