Persbc
(Persbc)
10 Listopad 2006 14:08
#1
Witam!
Wsyztsko zaczelo sie od otworzenia linka na gadu…
Wiem ze nei powinno sie tak robic ale skoro to dostalem od kilku osob myslalem ze to fotki z imprezy itd… W kazdym razie moje konto zostalo zblokowane na gadu a;le to niewazne…
Wielokrotnie skanowalem dyski mks virem… Obecnie zainstalowanego mam avasta… I mam wrazenie ze ten trojan (lub cokolwiek innego) wysyla ciagle maile przez moje porty a jak avast nei moze skasowac tego pliku. Prosz eo pomoc wiem ze na pewno nei mam jednego wirusa. Uprzejmie prosz eo analize mojego loga:
Logfile of HijackThis v1.99.1 Scan saved at 15:10:12, on 2006-11-10 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\spoolsv.exe E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe E:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe E:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\WinFast\WFTVFM\WFWIZ.exe C:\Program Files\LANChat Pro\LANChat.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe E:\Program Files\Winamp\winampa.exe C:\WINDOWS\SOUNDMAN.EXE C:\program files\zango\zango.exe E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe E:\Program Files\mozilla.org \Mozilla\Mozilla.exe E:\Program Files\ivo\UniSpiker-2.6\uni_spiker-2.6.exe E:\Program Files\Gadu-Gadu\gg.exe C:\WINDOWS\system32\svchost.exe E:\Program Files\Winamp\winamp.exe C:\Program Files\Tlen.pl\tlen.exe E:\Program Files\Gadu-Gadu\gg.exe E:\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C7E2117998AB75760EA83FA5EF80752B94E3D9795A7441293FC2 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll O2 - BHO: ZangoToolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.2.0\ZbHostIE.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: XBTP03811 - {85A3F3A9-CCD8-40e0-95BE-18D218855BCD} - C:\WINDOWS\DOWNLO~1\CONFLICT.1\GETION~1.DLL O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: ZangoToolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.2.0\ZbHostIE.dll O3 - Toolbar: Getionary Toolbar - {3FE20A68-5F78-4CF1-A941-3AAA55DE4C9D} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\getionaryPL.dll O4 - HKLM…\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe O4 - HKLM…\Run: [LANChatPro] C:\Program Files\LANChat Pro\LANChat.exe /q O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [zango] “c:\program files\zango\zango.exe” O4 - HKLM…\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [sIDEBAR] “E:\Program Files\Desktop Sidebar\dsidebar.exe” O4 - HKCU…\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background O4 - HKCU…\Run: [NBJ] “E:\Program Files\Ahead\Nero BackItUp\NBJ.exe” O4 - HKCU…\Run: [Mozilla Quick Launch] “E:\Program Files\mozilla.org \Mozilla\Mozilla.exe” -turbo O4 - Startup: UniSpiker-2.6.lnk = ? O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: Uninstall.exe O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - E:\Program Files\Avant Browser\AddAllToADBlackList.htm O8 - Extra context menu item: Dodaj do listy blokowanych reklam - E:\Program Files\Avant Browser\AddToADBlackList.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony… - E:\Program Files\Avant Browser\OpenAllLinks.htm O8 - Extra context menu item: Podświetl - E:\Program Files\Avant Browser\Highlight.htm O8 - Extra context menu item: Szukaj - E:\Program Files\Avant Browser\Search.htm O8 - Extra context menu item: Ściągnij przy pomocy FlashGet’a - E:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - E:\Program Files\FlashGet\jc_all.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2DF91772-19DC-47AE-B52F-B8E2FE545625} (Spd2 Class) - http://www.lemontv.pl/lmctrls.cab O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {CE1F7381-100B-4ED9-8C41-0B282C18E924} - http://www.getionary.pl/cab/getionaryPL.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_22.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/eng/snooker_2_0_0_24.cab O17 - HKLM\System\CCS\Services\Tcpip…{9B91EB60-9849-4EFA-8068-3C0CC78BF2D9}: NameServer = 62.233.128.17,213.77.115.28 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing) O20 - Winlogon Notify: rege2usb - rege2usb.dll (file missing) O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Bieniol
(Bbieniol)
10 Listopad 2006 14:16
#2
W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):
Znasz to?
Jeżeli tak, to zostaw - jeżeli nie to usuń razem z folderem
Po zabiegach nowy log z Hijacka + log z Silent Runners
Persbc
(Persbc)
10 Listopad 2006 15:36
#3
Ok dzieki
a ajk sie wylacza przywracanie systemu?
i zeby wejsc do trybu awaryjnego to jaki klawisz musze nacisnac przy uruchamianiu?
Bieniol
(Bbieniol)
10 Listopad 2006 15:39
#4
Wyłączasz przywracanie systemu:
Włączasz tryb awaryjny:
Persbc
(Persbc)
10 Listopad 2006 16:10
#5
Tak wsyztsko piknie i ladnie tylko tego lpliku nie moge wogole usunac… tzn wyskakuje mi komunikat a po skasowaniu za kazdym skanowaniem log pojawia sie od nowa mam an mysli
rpcc.dll
Złączono Posta : 10.11.2006 (Pią) 17:12
aha i nowy log:
Logfile of HijackThis v1.99.1 Scan saved at 17:14:52, on 2006-11-10 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\WinFast\WFTVFM\WFWIZ.exe C:\Program Files\LANChat Pro\LANChat.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe E:\Program Files\Winamp\winampa.exe C:\WINDOWS\SOUNDMAN.EXE E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe E:\Program Files\mozilla.org \Mozilla\Mozilla.exe E:\Program Files\ivo\UniSpiker-2.6\uni_spiker-2.6.exe E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe E:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe E:\Program Files\Alwil Software\Avast4\ashWebSv.exe E:\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C7E2117998AB75760EA83FA5EF80752B94E3D9795A7441293FC2 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll (file missing) O2 - BHO: ZangoToolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.2.0\ZbHostIE.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: XBTP03811 - {85A3F3A9-CCD8-40e0-95BE-18D218855BCD} - C:\WINDOWS\DOWNLO~1\CONFLICT.1\GETION~1.DLL (file missing) O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: ZangoToolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.2.0\ZbHostIE.dll (file missing) O3 - Toolbar: Getionary Toolbar - {3FE20A68-5F78-4CF1-A941-3AAA55DE4C9D} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\getionaryPL.dll (file missing) O4 - HKLM…\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe O4 - HKLM…\Run: [LANChatPro] C:\Program Files\LANChat Pro\LANChat.exe /q O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [zango] “c:\program files\zango\zango.exe” O4 - HKLM…\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [sIDEBAR] “E:\Program Files\Desktop Sidebar\dsidebar.exe” O4 - HKCU…\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background O4 - HKCU…\Run: [NBJ] “E:\Program Files\Ahead\Nero BackItUp\NBJ.exe” O4 - HKCU…\Run: [Mozilla Quick Launch] “E:\Program Files\mozilla.org \Mozilla\Mozilla.exe” -turbo O4 - Startup: UniSpiker-2.6.lnk = ? O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - E:\Program Files\Avant Browser\AddAllToADBlackList.htm O8 - Extra context menu item: Dodaj do listy blokowanych reklam - E:\Program Files\Avant Browser\AddToADBlackList.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony… - E:\Program Files\Avant Browser\OpenAllLinks.htm O8 - Extra context menu item: Podświetl - E:\Program Files\Avant Browser\Highlight.htm O8 - Extra context menu item: Szukaj - E:\Program Files\Avant Browser\Search.htm O8 - Extra context menu item: Ściągnij przy pomocy FlashGet’a - E:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - E:\Program Files\FlashGet\jc_all.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2DF91772-19DC-47AE-B52F-B8E2FE545625} (Spd2 Class) - http://www.lemontv.pl/lmctrls.cab O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {CE1F7381-100B-4ED9-8C41-0B282C18E924} - http://www.getionary.pl/cab/getionaryPL.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_22.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/eng/snooker_2_0_0_24.cab O17 - HKLM\System\CCS\Services\Tcpip…{9B91EB60-9849-4EFA-8068-3C0CC78BF2D9}: NameServer = 62.233.128.17,213.77.115.28 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing) O20 - Winlogon Notify: rege2usb - rege2usb.dll (file missing) O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Złączono Posta : 10.11.2006 (Pią) 17:15
w jakim notatniku gdzie? mam to zapisac?
Złączono Posta : 10.11.2006 (Pią) 17:19
CZemu ten wczesniejszy post zostal skasowany?
ehhh no usunelem ale nie zdazylem skopiowac co tam wczesnie pisalo odnosnie tego pliku z notatnikiem moglbys powtorzyc?
Złączono Posta : 10.11.2006 (Pią) 17:26
Log z Silent
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “SIDEBAR” = ““E:\Program Files\Desktop Sidebar\dsidebar.exe”” [file not found] “MsnMsgr” = ““C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background” [MS] “NBJ” = ““E:\Program Files\Ahead\Nero BackItUp\NBJ.exe”” [“Ahead Software AG”] “Mozilla Quick Launch” = ““E:\Program Files\mozilla.org \Mozilla\Mozilla.exe” -turbo” [“Mozilla Foundation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “WinFast Schedule” = “C:\Program Files\WinFast\WFTVFM\WFWIZ.exe” [“Leadtek Research Inc.”] “LANChatPro” = “C:\Program Files\LANChat Pro\LANChat.exe /q” [“Official homepage: http://www.republika.pl/lanchat ”] “SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”] “HPDJ Taskbar Utility” = “C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe” [“HP”] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “WinampAgent” = “E:\Program Files\Winamp\winampa.exe” [null data] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “zango” = ““c:\program files\zango\zango.exe”” [file not found] “avast!” = “E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {56F1D444-11BF-4879-A12B-79CF0177F038}(Default) = “Zango Search Assistant Helper /fleok=1D8A83A5C7E2117998AB75760EA83FA5EF80752B94E3D9795A7441293FC2” -> {HKLM…CLSID} = “Zango Search Assistant Helper” \InProcServer32(Default) = “c:\program files\zango\zangohook.dll” [file not found] {5CBE2611-C31B-401F-89BC-4CBB25E853D7}(Default) = “ZangoToolbar” -> {HKLM…CLSID} = “ZangoToolbar” \InProcServer32(Default) = “C:\Program Files\ZangoToolbar\Bin\4.8.2.0\ZbHostIE.dll” [file not found] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] {85A3F3A9-CCD8-40e0-95BE-18D218855BCD}(Default) = “XBTP03811” -> {HKLM…CLSID} = “XBTP03811 Class” \InProcServer32(Default) = “C:\WINDOWS\DOWNLO~1\CONFLICT.1\GETION~1.DLL” [file not found] {A5366673-E8CA-11D3-9CD9-0090271D075B}(Default) = (no title provided) -> {HKLM…CLSID} = “IeCatch2 Class” \InProcServer32(Default) = “E:\PROGRA~1\FlashGet\jccatch.dll” [“Amaze Soft”] {C333CF63-767F-4831-94AC-E683D962C63C}(Default) = (no title provided) -> {HKLM…CLSID} = “CoTGT_BHO Class” \InProcServer32(Default) = “C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “E:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”] “{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play” -> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play” \InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “E:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “E:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile” -> {HKLM…CLSID} = “Mobile” \InProcServer32(Default) = “E:\Program Files\Siemens AG\Data Exchange Software\DESShellExt.dll” [“Siemens AG”] “{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile ContextMenuHandler” -> {HKLM…CLSID} = “Mobile ContextMenuHandler” \InProcServer32(Default) = “E:\Program Files\Siemens AG\Data Exchange Software\DESShellExt.dll” [“Siemens AG”] “{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile PropertySheetHandler” -> {HKLM…CLSID} = “Mobile PropertySheetHandler” \InProcServer32(Default) = “E:\Program Files\Siemens AG\Data Exchange Software\DESShellExt.dll” [“Siemens AG”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “E:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “E:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “E:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Dawid\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\ssmypics.scr” [MS] Startup items in “Dawid” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\Dawid\Menu Start\Programy\Autostart “UniSpiker-2.6” -> shortcut to: “E:\Program Files\ivo\UniSpiker-2.6\uni_spiker-2.6.exe” [null data] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “ATI CATALYST System Tray” -> shortcut to: “C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray” [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{5CBE2611-C31B-401F-89BC-4CBB25E853D7}” -> {HKLM…CLSID} = “ZangoToolbar” \InProcServer32(Default) = “C:\Program Files\ZangoToolbar\Bin\4.8.2.0\ZbHostIE.dll” [file not found] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{5CBE2611-C31B-401F-89BC-4CBB25E853D7}” -> {HKLM…CLSID} = “ZangoToolbar” \InProcServer32(Default) = “C:\Program Files\ZangoToolbar\Bin\4.8.2.0\ZbHostIE.dll” [file not found] “{3FE20A68-5F78-4CF1-A941-3AAA55DE4C9D}” -> {HKLM…CLSID} = “Getionary Toolbar” \InProcServer32(Default) = “C:\WINDOWS\Downloaded Program Files\CONFLICT.1\getionaryPL.dll” [file not found] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet Bar” -> {HKLM…CLSID} = “FlashGet Bar” \InProcServer32(Default) = “E:\PROGRA~1\FlashGet\fgiebar.dll” [“Amaze Soft”] “{5CBE2611-C31B-401F-89BC-4CBB25E853D7}” = “ZangoToolbar” -> {HKLM…CLSID} = “ZangoToolbar” \InProcServer32(Default) = “C:\Program Files\ZangoToolbar\Bin\4.8.2.0\ZbHostIE.dll” [file not found] “{3FE20A68-5F78-4CF1-A941-3AAA55DE4C9D}” = (no title provided) -> {HKLM…CLSID} = “Getionary Toolbar” \InProcServer32(Default) = “C:\WINDOWS\Downloaded Program Files\CONFLICT.1\getionaryPL.dll” [file not found] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {0EBACAF2-E0F9-47A9-98CF-0ECCE30B654C}(Default) = (no title provided) -> {HKLM…CLSID} = “Zango Information Window” \InProcServer32(Default) = “C:\Program Files\ZangoToolbar\Bin\4.8.2.0\ZbHostIE.dll” [file not found] HKLM\Software\Classes\CLSID{1321BB91-6CD4-4898-B3ED-2A8D0A4FC452}(Default) = “Zango Web Assistant” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\ZangoToolbar\Bin\4.8.2.0\ZbHostIE.dll” [file not found] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_06” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “E:\PROGRA~1\FlashGet\flashget.exe” [“Amaze Soft”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] avast! Antivirus, avast! Antivirus, ““E:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““E:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] StarWind iSCSI Service, StarWindService, “E:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe” [“Rocket Division Software”] StyleXPService, StyleXPService, ““C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe”” [empty string] Ulead Burning Helper, UleadBurningHelper, “C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe” [“Ulead Systems, Inc.”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzlnt05\Driver = “hpzlnt05.dll” [“HP”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 43 seconds, including 6 seconds for message boxes)
Czy juz jest wszytsko ok?
Bieniol
(Bbieniol)
10 Listopad 2006 16:27
#6
Uruchamiasz narzędzie KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
C:\WINDOWS\system32\rpcc.dll
Klikasz X i restart kompa
Odpalasz Hijacka -> Do a system scan only i zaznaczasz wpisy:
I klikasz na dole Fix checked
Po zabiegach nowe logi
Bieniol
(Bbieniol)
10 Listopad 2006 17:03
#8
Odpalasz Hijacka -> Do a system scan only i zaznaczasz wpisy:
I klikasz na dole Fix checked