Mam problem: Kerio pokazuje atak
C:\Windows\System32\dllcache\qxchost.exe
Komp ogólnie zarażony różnymi wirusami i trojanami.
Część usunąłem, zauważyłem poprawę, ale coś mu jeszcze jest.
Daję logi:
Logfile of HijackThis v1.99.1
Scan saved at 11:41:27, on 2007-06-03
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\cisvc.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\winlogin.exe
C:\WINDOWS\system32\srvcc.exe
C:\WINDOWS\System32\svcchosst.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\dllcache\qxchost.exe
C:\WINDOWS\system\msdll.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe
C:\WINDOWS\system\msnntlp.exe
C:\PROGRA~1\NEOSTR~1\ComComp.exe
C:\PROGRA~1\NEOSTR~1\Watch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Anna\Pulpit\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [sched] C:\WINDOWS\taskmrg.exe
O4 - HKLM\..\Run: [taskmgr] C:\WINDOWS\winlogin.exe
O4 - HKLM\..\Run: [johnj3155] C:\WINDOWS\system32\srvcc.exe
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKLM\..\Run: [Windows Security Center Notification Appls] C:\WINDOWS\System32\sxe.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Spik] C:\Program Files\Spik\Spik.exe -autostart
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKLM\..\RunServices: [Iexplore Data1 Center] C:\WINDOWS\System32\clockz.exe
O4 - HKLM\..\RunServices: [Windows Security Center Notification Applsee] C:\WINDOWS\System32\sysecurex.exe
O4 - HKLM\..\RunServices: [system32] C:\WINDOWS\System\uninst32.exe
O4 - HKLM\..\RunServices: [system] C:\WINDOWS\System\bootchk.exe
O4 - HKLM\..\RunServices: [uninst32] C:\WINDOWS\System\windat32.exe
O4 - HKLM\..\RunServices: [bootchk] C:\WINDOWS\System\scvhost.exe
O4 - HKLM\..\RunServices: [clsid] C:\WINDOWS\System\memory.exe
O4 - HKLM\..\RunServices: [user32] C:\WINDOWS\System\debug.exe
O4 - HKLM\..\RunServices: [reg32] C:\WINDOWS\System\sched.exe
O4 - HKLM\..\RunServices: [cmd] C:\WINDOWS\System\taskmrg.exe
O4 - HKLM\..\RunServices: [sched] C:\WINDOWS\System\winlogin.exe
O4 - HKLM\..\RunServices: [taskmgr] C:\WINDOWS\System32\comsys.exe
O4 - HKLM\..\RunServices: [winlogon] C:\WINDOWS\System32\sysvc32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [johnj3155] C:\WINDOWS\system32\srvcc.exe
O4 - HKCU\..\Run: [system32] C:\WINDOWS\redegit.exe
O4 - HKCU\..\Run: [bootchk] C:\WINDOWS\windat32.exe
O4 - HKCU\..\Run: [clsid] C:\WINDOWS\scvhost.exe
O4 - HKCU\..\Run: [user32] C:\WINDOWS\memory.exe
O4 - HKCU\..\Run: [reg32] C:\WINDOWS\debug.exe
O4 - HKCU\..\Run: [cmd] C:\WINDOWS\sched.exe
O4 - HKCU\..\Run: [sched] C:\WINDOWS\taskmrg.exe
O4 - HKCU\..\Run: [taskmgr] C:\WINDOWS\winlogin.exe
O4 - HKCU\..\Run: [Windows Security Center Notification Appls] C:\WINDOWS\System32\sxe.exe
O4 - HKCU\..\Run: [MSN MESSENGER 9.0] messengerr.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\RunServices: [system32] C:\WINDOWS\System\uninst32.exe
O4 - HKCU\..\RunServices: [system] C:\WINDOWS\System\bootchk.exe
O4 - HKCU\..\RunServices: [uninst32] C:\WINDOWS\System\windat32.exe
O4 - HKCU\..\RunServices: [bootchk] C:\WINDOWS\System\scvhost.exe
O4 - HKCU\..\RunServices: [clsid] C:\WINDOWS\System\memory.exe
O4 - HKCU\..\RunServices: [user32] C:\WINDOWS\System\debug.exe
O4 - HKCU\..\RunServices: [reg32] C:\WINDOWS\System\sched.exe
O4 - HKCU\..\RunServices: [cmd] C:\WINDOWS\System\taskmrg.exe
O4 - HKCU\..\RunServices: [sched] C:\WINDOWS\System\winlogin.exe
O4 - HKCU\..\RunServices: [taskmgr] C:\WINDOWS\System32\comsys.exe
O4 - HKCU\..\RunServices: [winlogon] C:\WINDOWS\System32\sysvc32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{451E5AE6-BCCB-4950-AFD1-95CC40590DFF}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Spik\url_wpmsg.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe
O23 - Service: msdll - Unknown owner - C:\WINDOWS\system\msdll.exe
O23 - Service: msnntlp - Unknown owner - C:\WINDOWS\system\msnntlp.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"johnj3155" = "C:\WINDOWS\system32\srvcc.exe" [null data]
"system32" = "C:\WINDOWS\redegit.exe" [null data]
"bootchk" = "C:\WINDOWS\windat32.exe" [null data]
"clsid" = "C:\WINDOWS\scvhost.exe" [null data]
"user32" = "C:\WINDOWS\memory.exe" [null data]
"reg32" = "C:\WINDOWS\debug.exe" [null data]
"cmd" = "C:\WINDOWS\sched.exe" [null data]
"sched" = "C:\WINDOWS\taskmrg.exe" [null data]
"taskmgr" = "C:\WINDOWS\winlogin.exe" [null data]
"Windows Security Center Notification Appls" = "C:\WINDOWS\System32\sxe.exe" [file not found]
"MSN MESSENGER 9.0" = "messengerr.exe" [file not found]
"Gadu-Gadu" = ""C:\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"RemoteControl" = ""D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"NWEReboot" = "(empty string)" [file not found]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"WinampAgent" = "F:\Program Files\Winamp\winampa.exe" [null data]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]
"sched" = "C:\WINDOWS\taskmrg.exe" [null data]
"taskmgr" = "C:\WINDOWS\winlogin.exe" [null data]
"johnj3155" = "C:\WINDOWS\system32\srvcc.exe" [null data]
"msvccc66" = "svcchosst.exe" [null data]
"Windows Security Center Notification Appls" = "C:\WINDOWS\System32\sxe.exe" [file not found]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"Spik" = "C:\Program Files\Spik\Spik.exe -autostart" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B4B924A2-EBDA-11DA-95DA-00E08161165F}" = "Dodatki Spika"
-> {HKLM...CLSID} = "SpikShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Spik\shellext_wpmsg.dll" ["Wirtualna Polska"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<> crypt\DLLName = "crypts.dll" [null data]
<> rpcc\DLLName = "C:\WINDOWS\System32\rpcc.dll" [null data]