mleczny
(Baruu)
18 June 2006 15:15
#1
My computer has been attacked by some trojans; I tried to remove them myself, without success (e.g. a notice from Windows Security Center in the right-hand corner saying the computer is infected). Please check the logs and give me instructions on how to proceed.
Logfile of HijackThis v1.99.1
Scan saved at 14:20:24, on 2006-06-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\jsssvc.exe
C:\Program Files\ceys.exe
C:\WINDOWS\system32\winldra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Documents and Settings\x\Ustawienia lokalne\Dane aplikacji\a7b8175.exe
C:\WINDOWS\system32\0mcamcap.exe
C:\WINDOWS\system32\vxgame6.exe3072.exe
C:\winstall.exe
C:\Program Files\YDP\YdpDict\Watch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\DOCUME~1\x\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis1.99.1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [a7b8175.exe] C:\WINDOWS\system32\a7b8175.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\RunServices: [jssvc23] jsssvc.exe
O4 - HKLM\..\RunServices: [jssvc23] jsssvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [a7b8175.exe] C:\Documents and Settings\x\Ustawienia lokalne\Dane aplikacji\a7b8175.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Aktywacja Testera.lnk = C:\Program Files\YDP\YdpDict\Watch.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_21.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC (UserAccess) - Unknown owner - C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Windows update loader" = "C:\Windows\xpupdate.exe" [file not found]
"a7b8175.exe" = "C:\Documents and Settings\x\Ustawienia lokalne\Dane aplikacji\a7b8175.exe" [null data]
"taskdir" = "C:\WINDOWS\system32\taskdir.exe" [null data]
"0mcamcap" = "C:\WINDOWS\system32\0mcamcap.exe" [null data]
"WinMedia" = "C:\WINDOWS\system32\vxgame6.exe3072.exe" [null data]
"Windows installer" = "C:\winstall.exe" [null data]
"shell" = ""C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"preload" = "C:\Windows\RUNXMLPL.exe" ["Wistron"]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"EPM-DM" = "c:\acer\epm\epm-dm.exe" ["Acer Inc"]
"ePowerManagement" = "C:\Acer\ePM\ePM.exe boot" ["Acer Value Labs, Taiwan"]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"PCMService" = ""C:\Program Files\Arcade\PCMService.exe"" ["CyberLink Corp."]
"LaunchAp" = ""C:\Program Files\Launch Manager\LaunchAp.exe"" [empty string]
"PowerKey" = ""C:\Program Files\Launch Manager\PowerKey.exe"" [empty string]
"LManager" = ""C:\Program Files\Launch Manager\HotkeyApp.exe"" ["Wistron"]
"CtrlVol" = ""C:\Program Files\Launch Manager\CtrlVol.exe"" ["Wistron"]
"LMgrOSD" = ""C:\Program Files\Launch Manager\OSDCtrl.exe"" [empty string]
"Wbutton" = ""C:\Program Files\Launch Manager\Wbutton.exe"" [empty string]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"Easy-PrintToolBox" = "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" ["CANON INC."]
"SsAAD.exe" = "C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [null data]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"a7b8175.exe" = "C:\WINDOWS\system32\a7b8175.exe" [null data]
"spoolsvv" = "C:\WINDOWS\system32\spoolsvv.exe" [null data]
"clcbt.exe" = "C:\WINDOWS\system32\clcbt.exe" [null data]
"0mcamcap" = "C:\WINDOWS\system32\0mcamcap.exe" [null data]
"jssvc23" = "jsssvc.exe" [null data]
"SysTray" = "C:\Program Files\ceys.exe" [MS]
"win32hp" = "C:\WINDOWS\system32\win32hlp.exe" [null data]
"load32" = "C:\WINDOWS\system32\winldra.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{196B9CB5-4C83-46F7-9B06-9672ECD9D99B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\winbrume.dll" [null data]
{C08DF07A-3E49-4E25-9AB0-D3882835F153}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "QUICKfind BHO Object"
                   \InProcServer32\(Default) = "C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension"
  -> {HKLM...CLSID} = "EPM-PO Shell Extensions"
                   \InProcServer32\(Default) = "epm-po.dll" ["Acer Labs USA"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
  -> {HKLM...CLSID} = "ACTHUMBNAIL"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Ikona obsługi nakładki Podpisów cyfrowych AutoCAD"
  -> {HKLM...CLSID} = "AcSignIcon"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
  -> {HKLM...CLSID} = "Sony Ericsson File Manager"
                   \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}" = "DCOM Server"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dcom_21.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"DCOM Server" = "{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dcom_21.dll" [null data]
"TDKyNSD" = "{153319D5-BF99-B37F-A9EC-DABA542F8FBC}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\yslvh.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"" [MS], [file not found], [file not found], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! artm_newreg\DLLName = "C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll" [null data]
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! SensSrv\DLLName = "senssrv.dll" ["Microsoft Windows Publisher"]

Default executables:
--------------------

HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]

Group Policies [Description]:
-----------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]
HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html"
[disables the Display Properties|Desktop (tab) (except the "Customize Desktop..." button); selects wallpaper if Active Desktop is enabled]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop enabled via Group Policy.
Wallpaper selected via Group Policy.

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "x" & "All Users" startup folders:
---------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Aktywacja Testera" -> shortcut to: "C:\Program Files\YDP\YdpDict\Watch.exe" ["Young Digital Poland"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
  -> {HKLM...CLSID} = "Easy-WebPrint"
                   \InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\system32\drivers\CDAC11BA.EXE" ["Macrovision"]
C-DillaSrv, C-DillaSrv, "C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE" ["C-Dilla Ltd"]
Notebook Manager Service, anbmService, "C:\Acer\eManager\anbmServ.exe" ["OSA Technologies Inc."]
Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC, UserAccess, "C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe" [null data]
SonicStage SCSI Service, SSScsiSV, "C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe" ["Sony Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor iP4200\Driver = "CNMLM78.DLL" ["CANON INC."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 36 seconds, including 8 seconds for message boxes)
Szuprycz
(Szuprycz)
18 June 2006 16:12
#2
I'd ask you not to remove any of this yet until kuz5, Gutek2222 or Bieniol confirms it, so I'm asking one of you for that confirmation.
In safe mode, with System Restore turned off:
Fix in HijackThis; the bolded items you delete from disk manually, and if you run into problems use the KillBox tool.
mleczny:
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\jsssvc.exe
C:\Program Files\ceys.exe
C:\WINDOWS\system32\winldra.exe
C:\Documents and Settings\x\Ustawienia lokalne\Dane aplikacji\a7b8175.exe
C:\WINDOWS\system32\0mcamcap.exe
C:\WINDOWS\system32\vxgame6.exe3072.exe
C:\winstall.exe
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [a7b8175.exe] C:\Documents and Settings\x\Ustawienia lokalne\Dane aplikacji\a7b8175.exe
O4 - HKLM\..\Run: [a7b8175.exe] C:\WINDOWS\system32\a7b8175.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\RunServices: [jssvc23] jsssvc.exe
O4 - HKLM\..\RunServices: [jssvc23] jsssvc.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_21.dll
Run an Ewido scan after updating it. When all that is done, post a new log.
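As an added example (not from the thread, HijackThis or any of the helpers), a small Python parser that reads HijackThis 1.99 entries and applies, as explicit rules, the triage the helpers did by eye above: a Shell= value that launches more than explorer.exe, IE pages pointed at a local file, autostarts living in the drive root, the Windows root or a user profile, RunServices entries, and Winlogon Notify DLLs outside system32. The sample lines are copied from the posted log; the rules are the editor's assumptions and do not catch everything the helpers flagged (senssrv.dll and dcom_21.dll sit in system32 and need a vendor lookup, not a path rule).

```python
import re

# Constructed sample: a few entries copied from the HijackThis log posted
# above (not the full log), with straight quotes.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [a7b8175.exe] C:\Documents and Settings\x\Ustawienia lokalne\Dane aplikacji\a7b8175.exe
O4 - HKLM\..\RunServices: [jssvc23] jsssvc.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
"""

# Every HijackThis entry is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] path"
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# Assumed heuristic: installers do not drop autostarts in the drive root,
# directly in the Windows root, or under a user profile.
ODD_LOCATION = re.compile(
    r"^[a-z]:\\(windows\\[^\\]+\.exe$|[^\\]+\.exe$|documents and settings\\)", re.I)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)  # assumes SystemRoot=C:\WINDOWS

def parse_log(text):
    """Yield (code, body, raw_line) for every HijackThis entry in the text."""
    for raw in (ln.strip() for ln in text.splitlines()):
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group(1), m.group(2), raw

def shell_hijack(code, body):
    # Winlogon Shell should be exactly explorer.exe; anything appended runs at logon
    if code == "F2" and "Shell=" in body:
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            return "Winlogon Shell launches more than explorer.exe"

def local_ie_page(code, body):
    # Start/Default/Local page set to a file on disk rather than a URL
    if code in ("R0", "R1") and "=" in body:
        key, target = (s.strip() for s in body.split("=", 1))
        if "Page" in key and re.match(r"^[a-z]:\\", target, re.I):
            return "IE page setting points at a local file"

def autostart_location(code, body):
    if code == "O4" and "] " in body:
        target = body.split("] ", 1)[1].strip().lstrip('"')
        if ODD_LOCATION.match(target):
            return "autostart target in drive root, Windows root or a user profile"

def run_services(code, body):
    # RunServices is a Win9x-era key; legitimate XP software rarely writes it
    if code == "O4" and "RunServices" in body:
        return "RunServices autostart"

def notify_dll_location(code, body):
    if code == "O20" and "Winlogon Notify" in body:
        if not SYSTEM32.match(body.rsplit(" - ", 1)[1].strip()):
            return "Winlogon Notify DLL outside system32"

RULES = (shell_hijack, local_ie_page, autostart_location, run_services, notify_dll_location)

def triage(log_text):
    """Return [(raw_line, 'reason; reason'), ...] for entries that trip any rule."""
    hits = []
    for code, body, raw in parse_log(log_text):
        reasons = [r for r in (rule(code, body) for rule in RULES) if r]
        if reasons:
            hits.append((raw, "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for raw, why in triage(SAMPLE_LOG):
        print(f"{why}:\n    {raw}")
```

Entries the rules leave alone still need the vendor check the helpers did, so treat the output as a shortlist, not a verdict.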
Bieniol
(Bbieniol)
18 June 2006 18:12
#3
Do everything the way Szuprycz wrote, except that:
These files also need to be deleted:
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\system32\clcbt.exe
C:\WINDOWS\system32\win32hlp.exe
C:\WINDOWS\desktop.html
c:\secure32.html
Open Notepad and paste this into it:
File --> Save As --> change the file type to All Files --> save it under the name FIX.REG
In safe mode run the FIX.REG file, confirm adding it to the registry, and restart the PC.
Bieniol
(Bbieniol)
18 June 2006 18:35
#5
Szuprycz:
and not win32hlp?
No, everything is correct:
PS: Use Windows Worms Doors Cleaner and change the markers from disable to enable. After using this tool a system restart is required.