Request for help: Lager-T, Smithfraud and probably something else


(Keryn) #1

Hello

Request for help!!!

I have chaos on my laptop.

When the computer is started in normal mode, after entering Windows (XP) it shows a question asking whether I want to restore the desktop (as if I had shut it down improperly before), but whatever I do (and also when I do absolutely nothing), after at most ten-odd seconds it dumps physical memory, shuts down and starts booting again.

The only mode in which it doesn't do this is Safe Mode.

Xoftspy (scanner only) detected a pile of junk, including:

  • Spy Sheriff

  • Smithfraud (lots of it)

  • Haxdoor

  • Trojan.vxgame

I think there was also a "Lager-T" Trojan earlier, but somehow it didn't detect it now (I force-deleted the files testtestt.exe and taskdir.exe from System32; I hope I haven't broken anything further with that).

I took a HijackThis log (I hope I'm pasting it correctly below):

Big request for analysis and help

Logfile of HijackThis v1.99.1

Scan saved at 22:38:40, on 2006-06-29

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\TOOLS\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F3 - REG:win.ini: load=,

F3 - REG:win.ini: run=,

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [˙_zskWEXJK] C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [SysTray] C:\Program Files\ceys.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe

O4 - HKLM\..\RunServices: [˙_zskWEXJK] C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe

O4 - HKCU\..\Run: [a1cc7d37.exe] C:\Documents and Settings\Maciej\Ustawienia lokalne\Dane aplikacji\a1cc7d37.exe

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

O4 - HKCU\..\Run: [WinMedia] "C:\DOCUME~1\Maciej\USTAWI~1\Temp\3.tmp3072.exe" 

O4 - HKCU\..\Run: [˙_zskWEXJK] C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe

O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151072168578

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

(Mayster X) #2

In Safe Mode, with System Restore disabled, you remove:

Delete the files marked in orange manually from the disk

If you have problems deleting the files/folders, use Pocket KillBox

After that, paste a HijackThis log + SilentRunners


(Keryn) #3

Sorry it took so long.

The computer slowed down horribly on me; some background process that I wasn't even able to kill.

But in the end I did what needed to be done.

I also started it in normal mode, but for now it still shuts itself down after a short while (dumps memory and so on).

Meanwhile, the logs:

First, HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 00:39:04, on 2006-06-30

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\TOOLS\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [˙_zskWEXJK] C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [SysTray] C:\Program Files\ceys.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunServices: [˙_zskWEXJK] C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe

O4 - HKCU\..\Run: [a1cc7d37.exe] C:\Documents and Settings\Maciej\Ustawienia lokalne\Dane aplikacji\a1cc7d37.exe

O4 - HKCU\..\Run: [˙_zskWEXJK] C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe

O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151072168578

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

And from Silent Runners I got:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"a1cc7d37.exe" = "C:\Documents and Settings\Maciej\Ustawienia lokalne\Dane aplikacji\a1cc7d37.exe" [file not found]

"˙_zskWEXJK" = "C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe" [file not found]

"Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PC Tools Research Pty Ltd"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]

"SoundMAX" = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray" ["Analog Devices, Inc."]

"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]

"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]

"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]

"eabconfg.cpl" = "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]

"˙_zskWEXJK" = "C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe" [file not found]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"SysTray" = "C:\Program Files\ceys.exe" [file not found]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "PCTools Site Guard"

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]

{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "PCTools Browser Monitor"

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! artm_newreg\DLLName = "C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll" [file not found]

INFECTION WARNING! igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies [Description] {enabled Group Policy setting}:

------------------------------------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001 

[enables Active Desktop and prevents disabling it]

{User Configuration|Administrative Templates|Desktop|Active Desktop|

Enable Active Desktop}


HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html"

[disables the Display Properties|Desktop (tab) (except the "Customize

Desktop..." button); selects wallpaper and enables Active Desktop]

{User Configuration|Administrative Templates|Desktop|Active Desktop|

Active Desktop Wallpaper|Wallpaper Name:}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop enabled via Group Policy.


Wallpaper selected via Group Policy.



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]



Startup items in "Maciej" & "All Users" startup folders:

--------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\

"ButtonText" = "Spyware Doctor"

"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"

  -> {HKLM...CLSID} = "PCTools Browser Monitor"

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):

---------------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

HP WMI Interface, hpqwmi, "C:\Program Files\HPQ\SHARED\HPQWMI.exe" ["Hewlett-Packard Development Company, L.P."]

HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}

Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]

PC Tools Spyware Doctor, SDhelper, "C:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

Usługa administracyjna Menedżera dysków logicznych, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]

Usługa dostarczania sieci, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}

Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\mspmsnsv.dll" [MS]}



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 29 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 8 seconds.

---------- (total run time: 69 seconds)

What should I do next?


(Gutek) #4

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the created file and confirm >>> reboot the computer

After all that, new logs
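The procedure above (triage the HijackThis O4/O20 entries, then delete the autostart values with a .reg file) can be scripted. The block below is an added example for this thread, not the FIX.REG that Gutek posted (its contents are not on this page) and not code from anyone in the thread. The sample lines are copied from the HijackThis log in post #1; the heuristics (executables dropped straight into C:\ or C:\Program Files, entries running from Temp or the profile's "Dane aplikacji" folder, hex-looking value names, brackets or non-ASCII in paths, anything under the Windows 9x-only RunServices key, Winlogon Notify DLLs outside system32) are my own assumptions about what looks wrong on an XP box and produce a list for a human to review, not an automatic cleanup.

```python
"""Triage HijackThis O4/O20 lines and emit a Regedit 5.00 script deleting the flagged
autostart entries.  Added example; heuristics are assumptions, review before importing."""
import re

# Constructed sample: lines copied from the HijackThis log in post #1 (Polish profile folders kept).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [˙_zskWEXJK] C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\ceys.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe
O4 - HKCU\..\Run: [a1cc7d37.exe] C:\Documents and Settings\Maciej\Ustawienia lokalne\Dane aplikacji\a1cc7d37.exe
O4 - HKCU\..\Run: [WinMedia] "C:\DOCUME~1\Maciej\USTAWI~1\Temp\3.tmp3072.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*?)(?: \(file missing\))?$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"
NOTIFY_BASE = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Profile folders (English and the Polish names seen in the log) that any user can write to.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\dane aplikacji\\",
                 "\\local settings\\", "\\ustawienia lokalne\\", "\\ustawi~1\\",
                 "\\documents\\", "\\dokumenty\\")

def exe_path(command):
    """Strip arguments from an autostart command and return the executable path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]

def reasons_for(subkey, name, path):
    """Heuristic red flags for one autostart entry (assumptions, not malware signatures)."""
    low, reasons = path.lower(), []
    parent = low.rsplit("\\", 1)[0]
    if parent in ("c:", "c:\\program files"):
        reasons.append("executable dropped directly in %s, not in a vendor folder" % parent)
    if any(d in low for d in USER_WRITABLE):
        reasons.append("runs from a user-writable profile folder")
    if re.search(r"[\[\]]", path) or any(ord(c) > 126 for c in name + path):
        reasons.append("brackets or non-ASCII characters in value name or path")
    if re.fullmatch(r"[0-9a-f]{6,}(\.exe)?", name, re.I):
        reasons.append("hex-looking value name")
    if subkey.lower().startswith("runservices"):
        reasons.append("RunServices is a Windows 9x key; XP itself never populates it")
    if subkey == "Notify" and "\\system32\\" not in low:
        reasons.append("Winlogon Notify package outside %SystemRoot%\\system32")
    return reasons

def triage(log_text):
    """Return the O4/O20 entries that trip at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line.strip()):
            hive, subkey, name, command = m.groups()
            path = exe_path(command)
        elif m := O20_RE.match(line.strip()):
            hive, subkey, name, path = "HKLM", "Notify", m.group(1), m.group(2).strip()
        else:
            continue
        reasons = reasons_for(subkey, name, path)
        if reasons:
            findings.append({"hive": hive, "subkey": subkey, "name": name,
                             "path": path, "reasons": reasons})
    return findings

def build_reg(findings):
    """Emit a Regedit 5.00 script: "name"=- deletes a value, [-key] deletes a whole key."""
    lines, by_key = ["Windows Registry Editor Version 5.00", ""], {}
    for f in findings:
        if f["subkey"] == "Notify":
            lines += ["[-%s\\%s]" % (NOTIFY_BASE, f["name"]), ""]
        else:
            key = "%s\\%s\\%s" % (HIVES[f["hive"]], RUN_BASE, f["subkey"])
            by_key.setdefault(key, []).append(f["name"])
    for key, names in by_key.items():
        lines += ["[%s]" % key] + ['"%s"=-' % n for n in names] + [""]
    return "\n".join(lines)

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("%-12s %-32s %s" % (f["subkey"], f["name"], "; ".join(f["reasons"])))
    print(build_reg(found))
```

On the sample this flags six entries and leaves SoundMAXPnP, Spyware Doctor, igfxcui and KernelFaultCheck alone; the last one is the dumprep entry Windows itself adds after a kernel crash dump, which fits the reboots described in post #1. Two caveats before importing the output: save the .reg as Unicode (the Regedit 5.00 format is UTF-16 LE, and one value name here contains a non-ASCII character), and remember that HijackThis displays names through the ANSI code page, so the stored value name may not match byte for byte; if the import leaves it behind, delete it in regedit by hand. Deleting the registry values only removes the autostart; the files on disk still have to go, as Mayster X said, from Safe Mode with System Restore off.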


(Keryn) #5

Thanks for the info!

I applied the registry-modifying file you gave.

No new effects so far; the rascal still shuts down and restarts, but I'm not discouraged.

Attaching the logs:

Logfile of HijackThis v1.99.1

Scan saved at 11:29:32, on 2006-06-30

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\TOOLS\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [˙_zskWEXJK] C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [SysTray] C:\Program Files\ceys.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunServices: [˙_zskWEXJK] C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe

O4 - HKCU\..\Run: [a1cc7d37.exe] C:\Documents and Settings\Maciej\Ustawienia lokalne\Dane aplikacji\a1cc7d37.exe

O4 - HKCU\..\Run: [˙_zskWEXJK] C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151072168578

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Silent Runners log:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"a1cc7d37.exe" = "C:\Documents and Settings\Maciej\Ustawienia lokalne\Dane aplikacji\a1cc7d37.exe" [file not found]

"˙_zskWEXJK" = "C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]

"SoundMAX" = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray" ["Analog Devices, Inc."]

"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]

"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]

"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]

"eabconfg.cpl" = "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]

"˙_zskWEXJK" = "C:\WINDOWS\system32\_zskwrkni05DOBLKX]PQ[\KJXEW.exe" [file not found]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"SysTray" = "C:\Program Files\ceys.exe" [file not found]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies [Description] {enabled Group Policy setting}:

------------------------------------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001 

[enables Active Desktop and prevents disabling it]

{User Configuration|Administrative Templates|Desktop|Active Desktop|

Enable Active Desktop}


HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html"

[disables the Display Properties|Desktop (tab) (except the "Customize

Desktop..." button); selects wallpaper and enables Active Desktop]

{User Configuration|Administrative Templates|Desktop|Active Desktop|

Active Desktop Wallpaper|Wallpaper Name:}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop enabled via Group Policy.


Wallpaper selected via Group Policy.



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]



Startup items in "Maciej" & "All Users" startup folders:

--------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):

---------------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

HP WMI Interface, hpqwmi, "C:\Program Files\HPQ\SHARED\HPQWMI.exe" ["Hewlett-Packard Development Company, L.P."]

HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}

Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

Usługa administracyjna Menedżera dysków logicznych, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]

Usługa dostarczania sieci, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}

Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\mspmsnsv.dll" [MS]}



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 24 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 8 seconds.

---------- (total run time: 61 seconds)

On another note:

Can I install Kaspersky antivirus on it in the meantime?

Or should I rather hold off, so as not to fight on several fronts at once?

Regards!

Post merged: 30.06.2006 (Fri) 15:18

Captain's Log 3: The rescue mission continues...

What's new?

Despite my attempts to act, something keeps getting in the way.

When I try to boot normally, a Windows Security Center warning (that there is a threat) stays visible on the screen the whole time.

The system shuts down after 15, at most 20 seconds, showing a blue screen with white text that reports, among other things, "dumping physical memory".

And so on, round and round.

In Safe Mode it is relatively calm (although in one of the user profiles access to the program manager (??) is blocked; I don't know what that's about). In any case I can fight somehow and do something with the machine.

Around 4 p.m. my time runs out, and I'll be able to start the computers up again (I'm treating one, which is disconnected from the network so it can't do any harm; I'm writing from the other one and preparing programs burned onto a disc, from which I operate on the "patient") a little BEFORE 10 P.M. (to begin a beautiful night full of brave hearts and stubborn matter!).

Seriously though, I'm getting a bit depressed, but I can't surrender to a box full of electricity! I won't give up that easily.

What MaYsTeR and Gutek2222 suggested pushed the system radically forward (before that, even Safe Mode was madness); there is light.

I'd be very grateful for any help.

Thanks in advance!


(Gblade) #6

Open Notepad and paste:

File >>> Save As >> change the file type from .txt to All Files >>> save it under the name FIX.REG and run it in Safe Mode


(Gutek) #7

InfinityToJa - first take a look at this - http://forum.dobreprogramy.pl/viewtopic.php?t=83484 I'm closing this topic; the cat is out of the bag in this Service C:\WINDOWS\pe386.sys (*** hidden *** ) [sYSTEM] pe386 <-- ROOTKIT !