Podejrzane wpisy O1

Adalbert · 26 Maj 2007 18:44

Niedawno postanowiłem sprawdzić ile mam syfu na kompie. Zrobiłem log HijackThis i od razu zobaczyłem podejrzane wpisy O1. Prawdopodobnie trzeba je usunąć, ale chciałbym się Was poradzić szczególnie o te wpisy (czym są spowodowane?), ale i o “zdrowie” mojego systemu. Zrobiłem też scan Silent Runners, ale na nim się kompletnie nie znam i nie wiem co tam może być.

Logfile of HijackThis v1.99.1 Scan saved at 20:15:02, on 2007-05-26 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Avast\aswUpdSv.exe C:\Program Files\Avast\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\Program Files\Avast\ashMaiSv.exe C:\Program Files\Avast\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Avast\ashDisp.exe C:\Program Files\Winamp\winamp.exe C:\WINDOWS\system32\taskmgr.exe C:\DOCUME~1\Adalbert\USTAWI~1\Temp\Katalog tymczasowy 1 dla HijackThis 1.99.1.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O1 - Hosts: 82.146.41.70 lloydstsb.co.uk O1 - Hosts: 82.146.41.70 online.lloydstsb.co.uk O1 - Hosts: 82.146.41.70 http://www.lloydstsb.co.uk O1 - Hosts: 82.146.41.70 http://www.lloydstsb.com O1 - Hosts: 82.146.41.70 personal.barclays.co.uk O1 - Hosts: 82.146.41.70 barclays.co.uk O1 - Hosts: 82.146.41.70 ibank.barclays.co.uk O1 - Hosts: 82.146.41.70 http://www.barclays.co.uk O1 - Hosts: 82.146.41.70 http://www.nwolb.com O1 - Hosts: 82.146.41.70 nwolb.com O1 - Hosts: 82.146.41.70 hsbc.co.uk O1 - Hosts: 82.146.41.70 http://www.hsbc.co.uk O1 - Hosts: 82.146.41.70 abbey.com O1 - Hosts: 82.146.41.70 http://www.abbey.com O1 - Hosts: 82.146.41.70 http://www.abbey.co.uk O1 - Hosts: 82.146.41.70 abbey.co.uk O1 - Hosts: 82.146.41.70 cahoot.com O1 - Hosts: 82.146.41.70 http://www.cahoot.com O1 - Hosts: 82.146.41.70 http://www.cahoot.co.uk O1 - Hosts: 82.146.41.70 cahoot.co.uk O1 - Hosts: 82.146.41.70 http://www.co-operativebank.co.uk O1 - Hosts: 82.146.41.70 co-operativebank.co.uk O1 - Hosts: 82.146.41.70 http://www.co-operativebank.com O1 - Hosts: 82.146.41.70 co-operativebank.com O1 - Hosts: 82.146.41.70 welcome2.co-operativebankonline.co.uk O1 - Hosts: 82.146.41.70 welcome6.co-operativebankonline.co.uk O1 - Hosts: 82.146.41.70 welcome8.co-operativebankonline.co.uk O1 - Hosts: 82.146.41.70 welcome10.co-operativebankonline.co.uk O1 - Hosts: 82.146.41.70 http://www.smile.co.uk O1 - Hosts: 82.146.41.70 smile.co.uk O1 - Hosts: 82.146.41.70 http://www.cajamar.es O1 - Hosts: 82.146.41.70 cajamar.es O1 - Hosts: 82.146.41.70 http://www.cajamar.com O1 - Hosts: 82.146.41.70 http://www.unicaja.es O1 - Hosts: 82.146.41.70 unicaja.es O1 - Hosts: 82.146.41.70 http://www.unicaja.com O1 - Hosts: 82.146.41.70 unicaja.com O1 - Hosts: 82.146.41.70 http://www.caixagalicia.es O1 - Hosts: 82.146.41.70 caixagalicia.es O1 - Hosts: 82.146.41.70 http://www.caixagalicia.com O1 - Hosts: 82.146.41.70 caixagalicia.com O1 - Hosts: 82.146.41.70 activa.caixagalicia.es O1 - Hosts: 82.146.41.70 http://www.caixapenedes.es O1 - Hosts: 82.146.41.70 caixapenedes.es O1 - Hosts: 82.146.41.70 http://www.caixapenedes.com O1 - Hosts: 82.146.41.70 caixapenedes.com O1 - Hosts: 82.146.41.70 bancae.caixapenedes.com O1 - Hosts: 82.146.41.70 http://www.caixasabadell.es O1 - Hosts: 82.146.41.70 caixasabadell.es O1 - Hosts: 82.146.41.70 http://www.caixasabadell.net O1 - Hosts: 82.146.41.70 caixasabadell.net O1 - Hosts: 82.146.41.70 http://www.cajamadrid.es O1 - Hosts: 82.146.41.70 cajamadrid.es O1 - Hosts: 82.146.41.70 http://www.cajamadrid.com O1 - Hosts: 82.146.41.70 cajamadrid.com O1 - Hosts: 82.146.41.70 oi.cajamadrid.es O1 - Hosts: 82.146.41.70 http://www.ccm.es O1 - Hosts: 82.146.41.70 ccm.es O1 - Hosts: 82.146.41.70 http://www.haspa.de O1 - Hosts: 82.146.41.70 haspa.de O1 - Hosts: 82.146.41.70 ssl2.haspa.de O1 - Hosts: 82.146.41.70 http://www.dresdner-bank.de O1 - Hosts: 82.146.41.70 dresdner-bank.de O1 - Hosts: 82.146.41.70 http://www.dresdner-privat.de O1 - Hosts: 82.146.41.70 postbank.de O1 - Hosts: 82.146.41.70 http://www.postbank.de O1 - Hosts: 82.146.41.70 banking.postbank.de O1 - Hosts: 82.146.41.70 http://www.sparda-b.de O1 - Hosts: 82.146.41.70 sparda-b.de O1 - Hosts: 82.146.41.70 http://www.bankingonline.de O1 - Hosts: 82.146.41.70 http://www.raiffeisenbank-erding.de O1 - Hosts: 82.146.41.70 raiffeisenbank-erding.de O1 - Hosts: 82.146.41.70 http://www.vr-networld-ebanking.de O1 - Hosts: 82.146.41.70 vr-networld-ebanking.de O1 - Hosts: 82.146.41.70 http://www.bnhof.de O1 - Hosts: 82.146.41.70 bnhof.de O1 - Hosts: 82.146.41.70 http://www.deutsche-bank.de O1 - Hosts: 82.146.41.70 deutsche-bank.de O1 - Hosts: 82.146.41.70 meine.deutsche-bank.de O1 - Hosts: 82.146.41.70 http://www.citibank.de O1 - Hosts: 82.146.41.70 citibank.de O1 - Hosts: 82.146.41.70 cipehb13.cdg.citibank.de O1 - Hosts: 82.146.41.70 http://www.dkb.de O1 - Hosts: 82.146.41.70 dkb.de O1 - Hosts: 82.146.41.70 http://www.sparkasse-regensburg.de O1 - Hosts: 82.146.41.70 sparkasse-regensburg.de O1 - Hosts: 82.146.41.70 http://www.berliner-bank.de O1 - Hosts: 82.146.41.70 berliner-bank.de O1 - Hosts: 82.146.41.70 http://www.berliner-sparkasse.de O1 - Hosts: 82.146.41.70 berliner-sparkasse.de O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\PROGRA~1\FREEDO~1\iefdmcks.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent O4 - HKLM…\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Pobierz wszystko z Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Pobierz z Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: Pobierz zaznaczenie z Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 0949388147 O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Spik\url_wpmsg.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast\ashWebSv.exe" /service (file missing) O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] “BluetoothAuthenticationAgent” = “rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent” [MS] “avast!” = “C:\PROGRA~1\Avast\ashDisp.exe” [“ALWIL Software”] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}(Default) = “Outlook Express” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] {CC59E0F9-7E43-44FA-9FAA-8377850BF205}(Default) = (no title provided) -> {HKLM…CLSID} = “FDMIECookiesBHO Class” \InProcServer32(Default) = “C:\PROGRA~1\FREEDO~1\iefdmcks.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] “{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile” -> {HKLM…CLSID} = “Mobile” \InProcServer32(Default) = “C:\Program Files\Data Exchange Software\DESShellExt.dll” [“Siemens AG”] “{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile ContextMenuHandler” -> {HKLM…CLSID} = “Mobile ContextMenuHandler” \InProcServer32(Default) = “C:\Program Files\Data Exchange Software\DESShellExt.dll” [“Siemens AG”] “{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile PropertySheetHandler” -> {HKLM…CLSID} = “Mobile PropertySheetHandler” \InProcServer32(Default) = “C:\Program Files\Data Exchange Software\DESShellExt.dll” [“Siemens AG”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW” -> {HKLM…CLSID} = “Shell Extension for CDRW” \InProcServer32(Default) = “C:\Program Files\Ahead\InCD\incdshx.dll” [“Nero AG”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Dodatki Spika” -> {HKLM…CLSID} = “SpikShellExt Class” \InProcServer32(Default) = “C:\Program Files\Spik\shellext_wpmsg.dll” [“Wirtualna Polska”] “{B4B924A2-EBDA-11DA-95DA-00E08161165F}” = “Dodatki Spika” -> {HKLM…CLSID} = “SpikShellExt Class” \InProcServer32(Default) = “C:\Program Files\Spik\shellext_wpmsg.dll” [“Wirtualna Polska”] “{A5110426-177D-4e08-AB3F-785F10B4439C}” = “My Phones” -> {HKLM…CLSID} = “My Phones” \InProcServer32(Default) = “C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll” [“Teleca Software Solutions AB”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}” = “Autodesk Drawing Preview” -> {HKLM…CLSID} = “ACTHUMBNAIL” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll” [“Autodesk”] “{36A21736-36C2-4C11-8ACB-D4136F2B57BD}” = “Ikona obsługi nakładki Podpisów cyfrowych AutoCAD” -> {HKLM…CLSID} = “AcSignIcon” \InProcServer32(Default) = “C:\WINDOWS\system32\AcSignIcon.dll” [“Autodesk”] “{23170F69-40C1-278A-1000-000100020000}” = “7-Zip Shell Extension” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Avast\ashShell.dll” [“ALWIL Software”] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” -> {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Avast\ashShell.dll” [“ALWIL Software”] Spik(Default) = “{B4B924A2-EBDA-11DA-95DA-00E08161165F}” -> {HKLM…CLSID} = “SpikShellExt Class” \InProcServer32(Default) = “C:\Program Files\Spik\shellext_wpmsg.dll” [“Wirtualna Polska”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Avast\ashShell.dll” [“ALWIL Software”] Spik(Default) = “{B4B924A2-EBDA-11DA-95DA-00E08161165F}” -> {HKLM…CLSID} = “SpikShellExt Class” \InProcServer32(Default) = “C:\Program Files\Spik\shellext_wpmsg.dll” [“Wirtualna Polska”] Default executables: -------------------- HKCU\Software\Classes.scr(Default) = “AutoCADScriptFile” <> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command(Default) = "“C:\WINDOWS\system32\write.exe” “%1"” [MS] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Adalbert\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] 000000000005\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 33 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_06” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] HOSTS file ---------- C:\WINDOWS\System32\drivers\etc\HOSTS maps: 90 domain names to IP addresses, 90 of the IP addresses are *not* localhost! Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““C:\Program Files\Avast\ashServ.exe”” [“ALWIL Software”] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Avast\aswUpdSv.exe”” [“ALWIL Software”] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Avast\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Avast\ashWebSv.exe” /service” [“ALWIL Software”] Bluetooth Support Service, BthServ, “C:\WINDOWS\system32\svchost.exe -k bthsvcs” {“C:\WINDOWS\System32\bthserv.dll” [MS]} C-DillaCdaC11BA, C-DillaCdaC11BA, “C:\WINDOWS\system32\drivers\CDAC11BA.EXE” [“Macrovision”] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] WMDM PMSP Service, WMDM PMSP Service, “C:\WINDOWS\system32\MsPMSPSv.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor i560\Driver = “CNMLM58.DLL” [“CANON INC.”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 129 seconds. ---------- (total run time: 310 seconds)

qrczak13 · 26 Maj 2007 19:06

O1 - Hosts: 82.146.41.70 lloydstsb.co.uk O1 - Hosts: 82.146.41.70 online.lloydstsb.co.uk O1 - Hosts: 82.146.41.70 http://www.lloydstsb.co.uk O1 - Hosts: 82.146.41.70 http://www.lloydstsb.com O1 - Hosts: 82.146.41.70 personal.barclays.co.uk O1 - Hosts: 82.146.41.70 barclays.co.uk O1 - Hosts: 82.146.41.70 ibank.barclays.co.uk O1 - Hosts: 82.146.41.70 http://www.barclays.co.uk O1 - Hosts: 82.146.41.70 http://www.nwolb.com O1 - Hosts: 82.146.41.70 nwolb.com O1 - Hosts: 82.146.41.70 hsbc.co.uk O1 - Hosts: 82.146.41.70 http://www.hsbc.co.uk O1 - Hosts: 82.146.41.70 abbey.com O1 - Hosts: 82.146.41.70 http://www.abbey.com O1 - Hosts: 82.146.41.70 http://www.abbey.co.uk O1 - Hosts: 82.146.41.70 abbey.co.uk O1 - Hosts: 82.146.41.70 cahoot.com O1 - Hosts: 82.146.41.70 http://www.cahoot.com O1 - Hosts: 82.146.41.70 http://www.cahoot.co.uk O1 - Hosts: 82.146.41.70 cahoot.co.uk O1 - Hosts: 82.146.41.70 http://www.co-operativebank.co.uk O1 - Hosts: 82.146.41.70 co-operativebank.co.uk O1 - Hosts: 82.146.41.70 http://www.co-operativebank.com O1 - Hosts: 82.146.41.70 co-operativebank.com O1 - Hosts: 82.146.41.70 welcome2.co-operativebankonline.co.uk O1 - Hosts: 82.146.41.70 welcome6.co-operativebankonline.co.uk O1 - Hosts: 82.146.41.70 welcome8.co-operativebankonline.co.uk O1 - Hosts: 82.146.41.70 welcome10.co-operativebankonline.co.uk O1 - Hosts: 82.146.41.70 http://www.smile.co.uk O1 - Hosts: 82.146.41.70 smile.co.uk O1 - Hosts: 82.146.41.70 http://www.cajamar.es O1 - Hosts: 82.146.41.70 cajamar.es O1 - Hosts: 82.146.41.70 http://www.cajamar.com O1 - Hosts: 82.146.41.70 http://www.unicaja.es O1 - Hosts: 82.146.41.70 unicaja.es O1 - Hosts: 82.146.41.70 http://www.unicaja.com O1 - Hosts: 82.146.41.70 unicaja.com O1 - Hosts: 82.146.41.70 http://www.caixagalicia.es O1 - Hosts: 82.146.41.70 caixagalicia.es O1 - Hosts: 82.146.41.70 http://www.caixagalicia.com O1 - Hosts: 82.146.41.70 caixagalicia.com O1 - Hosts: 82.146.41.70 activa.caixagalicia.es O1 - Hosts: 82.146.41.70 http://www.caixapenedes.es O1 - Hosts: 82.146.41.70 caixapenedes.es O1 - Hosts: 82.146.41.70 http://www.caixapenedes.com O1 - Hosts: 82.146.41.70 caixapenedes.com O1 - Hosts: 82.146.41.70 bancae.caixapenedes.com O1 - Hosts: 82.146.41.70 http://www.caixasabadell.es O1 - Hosts: 82.146.41.70 caixasabadell.es O1 - Hosts: 82.146.41.70 http://www.caixasabadell.net O1 - Hosts: 82.146.41.70 caixasabadell.net O1 - Hosts: 82.146.41.70 http://www.cajamadrid.es O1 - Hosts: 82.146.41.70 cajamadrid.es O1 - Hosts: 82.146.41.70 http://www.cajamadrid.com O1 - Hosts: 82.146.41.70 cajamadrid.com O1 - Hosts: 82.146.41.70 oi.cajamadrid.es O1 - Hosts: 82.146.41.70 http://www.ccm.es O1 - Hosts: 82.146.41.70 ccm.es O1 - Hosts: 82.146.41.70 http://www.haspa.de O1 - Hosts: 82.146.41.70 haspa.de O1 - Hosts: 82.146.41.70 ssl2.haspa.de O1 - Hosts: 82.146.41.70 http://www.dresdner-bank.de O1 - Hosts: 82.146.41.70 dresdner-bank.de O1 - Hosts: 82.146.41.70 http://www.dresdner-privat.de O1 - Hosts: 82.146.41.70 postbank.de O1 - Hosts: 82.146.41.70 http://www.postbank.de O1 - Hosts: 82.146.41.70 banking.postbank.de O1 - Hosts: 82.146.41.70 http://www.sparda-b.de O1 - Hosts: 82.146.41.70 sparda-b.de O1 - Hosts: 82.146.41.70 http://www.bankingonline.de O1 - Hosts: 82.146.41.70 http://www.raiffeisenbank-erding.de O1 - Hosts: 82.146.41.70 raiffeisenbank-erding.de O1 - Hosts: 82.146.41.70 http://www.vr-networld-ebanking.de O1 - Hosts: 82.146.41.70 vr-networld-ebanking.de O1 - Hosts: 82.146.41.70 http://www.bnhof.de O1 - Hosts: 82.146.41.70 bnhof.de O1 - Hosts: 82.146.41.70 http://www.deutsche-bank.de O1 - Hosts: 82.146.41.70 deutsche-bank.de O1 - Hosts: 82.146.41.70 meine.deutsche-bank.de O1 - Hosts: 82.146.41.70 http://www.citibank.de O1 - Hosts: 82.146.41.70 citibank.de O1 - Hosts: 82.146.41.70 cipehb13.cdg.citibank.de O1 - Hosts: 82.146.41.70 http://www.dkb.de O1 - Hosts: 82.146.41.70 dkb.de O1 - Hosts: 82.146.41.70 http://www.sparkasse-regensburg.de O1 - Hosts: 82.146.41.70 sparkasse-regensburg.de O1 - Hosts: 82.146.41.70 http://www.berliner-bank.de O1 - Hosts: 82.146.41.70 berliner-bank.de O1 - Hosts: 82.146.41.70 http://www.berliner-sparkasse.de O1 - Hosts: 82.146.41.70 berliner-sparkasse.de

Usuń w HJT.

Edytuj plik >>> hosts.

Nowe logi po tym wklej.

O pliku hosts

Adalbert · 26 Maj 2007 19:29

Usunąłem wpisy w HJT zgodnie z opisem.

Plik host wyglądał tak:

Zmieniłem na:

Nowy log:

Logfile of HijackThis v1.99.1 Scan saved at 21:28:59, on 2007-05-26 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Avast\aswUpdSv.exe C:\Program Files\Avast\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\Program Files\Avast\ashMaiSv.exe C:\Program Files\Avast\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Avast\ashDisp.exe C:\Program Files\Winamp\winamp.exe C:\WINDOWS\system32\taskmgr.exe C:\PROGRA~1\FIREFOX\FIREFOX.EXE F:\Adalbert\pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\PROGRA~1\FREEDO~1\iefdmcks.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent O4 - HKLM…\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Pobierz wszystko z Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Pobierz z Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: Pobierz zaznaczenie z Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 0949388147 O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Spik\url_wpmsg.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast\ashWebSv.exe" /service (file missing) O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

qrczak13 · 26 Maj 2007 19:32

Jest ok

Adalbert · 26 Maj 2007 19:46

Thx za pomoc.

1)Mógłby jednak ktoś napisać czym może być spowodowane pojawienie się tych wpisów? Czy odsyłały one na stronę o “niskiej reputacji”?

2)Czy jakieś kosmetycznie zmiany należałoby poczynić w moim systemie? Np czy coś robić z wpisami jre1.5.0_06?

qrczak13 · 26 Maj 2007 20:03

Podałem wyżej o pliku hosts (zjedź na dół do O1 , jest napisane).

Start > uruchom > msconfig > zakładka uruchamianie > możesz odznaczyć w\w.

Jak nie używasz Messenger’a to możesz go usunąć > start > uruchom > wpisz polecenie >

RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove

Adalbert · 26 Maj 2007 22:28

Jeszcze raz thx za pomoc.