Problem z usunięciem złośliwego oprogramowania

lehooo · 21 Czerwiec 2007 22:35

Sytuacja jest taka. Mam ostatnimi czasy problem z różnym świństwem i stabilnością systemu więc wyprubowuje różne programy do usuwania śmieci. Zazwyczaj nic nie znajdują, ale ściagnąłem taki programik “uniblue spyeraser” (mam nadzieje że to nie był program podszywający się tylko pod narzędzie usuwające śmieci). Programik ten wykrył mi dużo zagrożeń i podał klucze (czy jak to się tam nazywa) rejstru w których śmieci się znajdują. Niestety nie chciał ich usunąć bo była to jakaś wersja demo (wyskoczyło okienko że usunie zagrożenia jak kupię wersję pełną czego oczywiście nie zrobiłem-nie można też było zrobić loga). Poszukałem troche na forach o tym co zostało wykryte i zauważyłem że zagrożenia te “ujawniały” się w logu hijackthis w polu O15 - trusted zone autoadd. Czym prędzej zrobiłem log w HJT ale nie pojawiły się tam wogóle “wartości” O15

Wygląda to tak:

Logfile of HijackThis v1.99.1 Scan saved at 23:55:08, on 2007-06-21 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\A4Tech\Mouse\Amoumain.exe C:\Program Files\Tlen.pl\tlen.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\SYSTEM32\HPZipm12.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Opera\Opera.exe C:\Documents and Settings\Leszek\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Win32\RpcDataSrv.exe O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\RpcSandraSrv.exe

Zajrzałem do rejestru gdzie śmieci miały się znajdować(lokalizacja niżej) i znalazłem tam jeszcze więcej mocno podejrzanych wpisów. Śmieci (wymieniam tylko niektóre bo jest ich baaaardzo dużo) mają nazwy: net-nucleus.com, xxxtoolbar.com, slotch.com, blazefind.com, mt-downloader.com, teensguru.com itd. Znajdują się w

Pytanie brzmi jak się pozbyć tych śmieci bez uszkadzania systemu i czy są one groźne. Chętnie bym wam pokazał całą liste co tam się znajduje ale nie wiem jak (ręczne przepisywanie odpada). Dzięki za ewentualną pomoc

slake · 22 Czerwiec 2007 08:57

Czysto.

Pokaż log z Silent Runners i ComboFix.

LostWorld · 22 Czerwiec 2007 10:07

Mówisz , że zainstalowałeś złośliwe oprogramowanie?

[Przeskanuj tym progrosem]

system · 22 Czerwiec 2007 11:18

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

SpyEraser typowy przykład fałszywego i szkodliwego programu anty. Zastosuj program linkowny przez Lost World do jego usunięcia.

lehooo · 22 Czerwiec 2007 13:31

zastosowałem program od Lost World i nic nie wykrył (ten spyeraser poprostu odinstalowałem już wcześniej), ale dzięki za link

już wiem że te strony podejrzane są zablokowane.

Co do logów:

Combofix

ComboFix 07-06-13.3 - BĄd CScript: Dost©p do Hosta skrypt˘w systemu Windows jest wyĄczony na tym komputerze. Skontaktuj si© z administratorem, aby uzyska† szczeg˘owe informacje. “Leszek” - 2007-06-22 14:46:08 - Dodatek Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 ))))))))))))))))))))))))))))))) 2007-06-21 23:31 2007-06-21 22:41 2007-06-18 23:03 2007-06-18 14:53 52,736 --a------ C:\WINDOWS\ipuninst.exe 2007-06-18 12:08 2007-06-17 01:50 2007-06-17 01:22 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-17 00:39 786,432 --ah----- C:\DOCUME~1\ADMINI~1.000\NTUSER.DAT 2007-06-17 00:39 2007-06-17 00:39 2007-06-17 00:39 2007-06-17 00:39 2007-06-17 00:39 2007-06-17 00:39 2007-06-17 00:39 2007-06-16 13:32 524,288 --ah----- C:\DOCUME~1\ADMINI~1.CAS\NTUSER.DAT 2007-06-16 13:32 2007-06-16 13:32 2007-06-16 13:32 2007-06-16 13:32 2007-06-16 13:32 2007-06-16 13:32 2007-06-16 13:32 2007-06-16 11:54 2007-06-13 14:04 52 --a------ C:\WINDOWS\system\ACD2.CMD 2007-06-13 14:04 52 --a------ C:\WINDOWS\system\ACD.CMD 2007-06-11 21:33 24,626 --a------ C:\WINDOWS\system32\scrrntr.dll 2007-06-11 21:33 20,480 --a------ C:\WINDOWS\system32\PAC.EXE 2007-06-11 21:33 180,224 --a------ C:\WINDOWS\system32\Ijl11.dll 2007-06-02 13:22 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys 2007-06-02 13:22 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys 2007-06-02 13:22 2007-06-02 13:08 2007-06-01 15:49 2007-06-01 15:49 2007-05-25 22:37 2007-05-25 22:32 2007-05-25 22:32 2007-05-25 22:30 2007-05-25 22:28 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll 2007-05-25 22:28 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe 2007-05-25 22:28 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe 2007-05-25 22:28 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll 2007-05-25 22:28 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys 2007-05-25 22:28 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll 2007-05-25 22:28 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll 2007-05-25 22:27 2007-05-25 22:22 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll 2007-05-25 22:22 48,640 --a------ C:\WINDOWS\system32\hpzll4pi.dll 2007-05-25 22:22 14,916 --------- C:\WINDOWS\hphmdl12.dat 2007-05-25 22:22 126,804 --a------ C:\WINDOWS\HPHins12.dat 2007-05-22 15:52 376,832 —hs---- C:\WINDOWS\system32\activexdebugger32.exe (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-21 09:02:15 -------- d-----w C:\DOCUME~1\Leszek\DANEAP~1\foobar2000 2007-06-20 18:41:48 -------- d-----w C:\Program Files\StrongDC++ 2007-06-18 09:29:52 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-06-17 09:34:29 -------- d-----w C:\Program Files\AIDA32 - Enterprise System Information 2007-06-16 23:28:49 -------- d-----w C:\Program Files\freeCommander2006 2007-06-15 00:39:15 -------- d-----w C:\DOCUME~1\Leszek\DANEAP~1\Tlen.pl 2007-06-12 20:07:22 1,080 ----a-w C:\WINDOWS\AUTOLNCH.REG 2007-06-03 09:50:29 -------- d-----w C:\Program Files\Opera 2007-05-25 20:29:42 -------- d-----w C:\Program Files\Hewlett-Packard 2007-05-21 13:42:35 -------- d-----w C:\Program Files\TweakRAM 2007-05-20 17:20:02 -------- d-----w C:\Program Files\Gadu-Gadu 2007-05-17 16:23:42 -------- d-----w C:\Program Files\IrfanView 2007-05-17 11:31:00 -------- d-----w C:\Program Files\Ashampoo 2007-05-15 11:49:51 -------- d-----w C:\Program Files\iViVo 2007-05-14 21:35:30 -------- d-----w C:\DOCUME~1\Leszek\DANEAP~1\ivivo 2007-05-11 08:13:49 -------- d-----w C:\Program Files\ffdshow 2007-05-09 09:49:18 -------- d-----w C:\Program Files\Tlen.pl 2007-05-03 07:56:58 -------- d-----w C:\Program Files\Google 2007-05-03 07:56:57 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-05-02 21:37:02 -------- d-----w C:\Program Files\SiSoftware 2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-04-27 10:26:17 -------- d-----w C:\DOCUME~1\Leszek\DANEAP~1\Help 2007-04-21 19:33:34 205 ----a-w C:\WINDOWS\system32\lsprst7.dll 2007-04-21 19:26:05 1,025 ----a-w C:\WINDOWS\system32\sysprs7.dll 2007-04-21 19:25:25 1,024 ----a-w C:\WINDOWS\system32\clauth2.dll 2007-04-21 19:25:25 1,024 ----a-w C:\WINDOWS\system32\clauth1.dll 2007-04-21 19:25:25 0 ----a-w C:\WINDOWS\system32\ssprs.dll 2007-04-21 19:25:25 0 ----a-w C:\WINDOWS\system32\serauth2.dll 2007-04-21 19:25:25 0 ----a-w C:\WINDOWS\system32\serauth1.dll 2007-04-21 19:25:25 0 ----a-w C:\WINDOWS\system32\nsprs.dll 2007-04-19 12:14:14 208,896 ----a-w C:\WINDOWS\system32\nvunrm.exe 2007-04-19 11:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll 2007-04-19 11:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll 2007-04-19 11:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll 2007-04-19 11:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe 2007-04-19 11:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll 2007-04-19 11:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll 2007-04-19 11:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll 2007-04-19 11:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll 2007-04-19 11:26:00 5,255,168 ----a-w C:\WINDOWS\system32\nvdispsr.dll 2007-04-19 11:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll 2007-04-19 11:26:00 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll 2007-04-19 11:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll 2007-04-19 11:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe 2007-04-19 11:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe 2007-04-19 11:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll 2007-04-19 11:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll 2007-04-19 11:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll 2007-04-19 11:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll 2007-04-19 11:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll 2007-04-19 11:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll 2007-04-19 11:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll 2007-04-19 11:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll 2007-04-19 11:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll 2007-04-19 11:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrshe.dll 2007-04-19 11:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrsar.dll 2007-04-19 11:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll 2007-04-19 11:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll 2007-04-19 11:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll 2007-04-19 11:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll 2007-04-19 11:26:00 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll 2007-04-19 11:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll 2007-04-19 11:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll 2007-04-19 11:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll 2007-04-19 11:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll 2007-04-19 11:26:00 3,203,072 ----a-w C:\WINDOWS\system32\nvgamesr.dll 2007-04-19 11:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll 2007-04-19 11:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll 2007-04-19 11:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll 2007-04-19 11:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll 2007-04-19 11:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll 2007-04-19 11:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll 2007-04-19 11:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll 2007-04-19 11:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll 2007-04-19 11:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll 2007-04-19 11:26:00 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll 2007-04-19 11:26:00 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll 2007-04-19 11:26:00 278,528 ----a-w C:\WINDOWS\system32\nvrsfr.dll 2007-04-19 11:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsit.dll 2007-04-19 11:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrses.dll 2007-04-19 11:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsel.dll 2007-04-19 11:26:00 270,336 ----a-w C:\WINDOWS\system32\nvrsde.dll 2007-04-19 11:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrspt.dll 2007-04-19 11:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsnl.dll 2007-04-19 11:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsesm.dll 2007-04-19 11:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsru.dll 2007-04-19 11:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsptb.dll 2007-04-19 11:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsja.dll 2007-04-19 11:26:00 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll 2007-04-19 11:26:00 253,952 ----a-w C:\WINDOWS\system32\nvrshu.dll 2007-04-19 11:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrstr.dll 2007-04-19 11:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssl.dll 2007-04-19 11:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssk.dll 2007-04-19 11:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrspl.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2007-06-15 10:41] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SoundMan”=“SOUNDMAN.EXE” [2004-12-22 11:09 C:\WINDOWS\SOUNDMAN.EXE] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 17:42] “nwiz”=“nwiz.exe” [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe] “WheelMouse”=“C:\Program Files\A4Tech\Mouse\Amoumain.exe” [2006-05-14 10:37] “NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2007-04-19 13:26] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Komunikator”=“C:\Program Files\Tlen.pl\tlen.exe” [2007-02-12 12:01] “SpybotSD TeaTimer”=“C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [2007-06-15 10:41] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “ClearRecentDocsOnExit”=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{1f5bc5b8-127c-11dc-a9f1-0014858b370e}] Auto\command- I:\activexdebugger32.exe f AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f explore\Command- I:\activexdebugger32.exe f open\Command- I:\activexdebugger32.exe f [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{4a130ec2-9375-11db-99e8-0014858b370e}] Auto\command- I:\activexdebugger32.exe f AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f explore\Command- I:\activexdebugger32.exe f open\Command- I:\activexdebugger32.exe f [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{78d60be4-e2a0-11db-9ac3-0014858b370e}] AutoRun\command- J:\LaunchU3.exe Contents of the ‘Scheduled Tasks’ folder 2007-06-21 21:06:59 C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job 2007-06-21 21:06:59 C:\WINDOWS\tasks\Uniblue SpyEraser.job ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-22 14:48:42 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-22 14:50:19 — E O F —

Silentrunners

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Komunikator” = “C:\Program Files\Tlen.pl\tlen.exe” [“o2.pl Sp. z o.o.”] “SpybotSD TeaTimer” = “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [“ALWIL Software”] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “WheelMouse” = “C:\Program Files\A4Tech\Mouse\Amoumain.exe” [“A4Tech Co., Ltd.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = “Spybot-S&D IE Protection” \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}” = “Autodesk Drawing Preview” -> {HKLM…CLSID} = “ACTHUMBNAIL” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll” [“Autodesk”] “{36A21736-36C2-4C11-8ACB-D4136F2B57BD}” = “Ikona obsługi nakładki Podpisów cyfrowych AutoCAD” -> {HKLM…CLSID} = “AcSignIcon” \InProcServer32(Default) = “C:\WINDOWS\system32\AcSignIcon.dll” [“Autodesk”] “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] TzShell(Default) = “{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}” -> {HKLM…CLSID} = “TzShell” \InProcServer32(Default) = “C:\PROGRA~1\TUGZip\TzShell.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] TzShell(Default) = “{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}” -> {HKLM…CLSID} = “TzShell” \InProcServer32(Default) = “C:\PROGRA~1\TUGZip\TzShell.dll” [null data] UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data] Default executables: -------------------- HKLM\Software\Classes.scr\ = (key not found) Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “ClearRecentDocsOnExit” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Leszek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Leszek” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “HP Digital Imaging Monitor” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Development Company, L.P.”] Enabled Scheduled Tasks: ------------------------ “Uniblue SpyEraser Nag” -> launches: “C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -ynag” [file not found] “Uniblue SpyEraser” -> launches: “C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -s” [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = (no title provided) -> {HKLM…CLSID} = “&Badanie” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_01” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ “MenuText” = “Spybot - Search & Destroy Configuration” “CLSIDExtension” = “{53707962-6F74-2D53-2644-206D7942484F}” -> {HKLM…CLSID} = “Spybot-S&D IE Protection” \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {E2E2DD38-D088-4134-82B7-F2BA38496583}\ “MenuText” = “@xpsp3res.dll,-20001” “Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [“ALWIL Software”] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [“ALWIL Software”] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] C-DillaCdaC11BA, C-DillaCdaC11BA, “C:\WINDOWS\system32\drivers\CDAC11BA.EXE” [“Macrovision”] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] Pml Driver HPZ12, Pml Driver HPZ12, “C:\WINDOWS\SYSTEM32\HPZipm12.exe” [“HP”] Sunbelt Kerio Personal Firewall 4, KPF4, ““C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe”” [“Sunbelt Software”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HPLJ1020LM\Driver = “ZLhp1020.DLL” [“Zenographics, Inc.”] LIDIL hpzll4pi\Driver = “hpzll4pi.dll” [“Hewlett-Packard Company”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 43 seconds. ---------- (total run time: 116 seconds)

Zerknijcie czy nie czai się tam jakieś zło

slake · 22 Czerwiec 2007 13:59

Plik na czerwono przeskanuj na http://virusscan.jotti.org i podaj wynik skanowania.

lehooo · 22 Czerwiec 2007 14:49

No i strzał w 10…oto co wyskoczyło:

Co z tym śmieciem teraz zrobić?

slake · 22 Czerwiec 2007 15:08

Śmieć idzie do kasacji

lehooo · 22 Czerwiec 2007 16:46

wykasowałem draństwo (na wszelki wypadek w trybie awaryjnym)…mam nadzieje że już będzie ok…

Dzięki wszystkim za pomoc!! :lol: