MSH
(Authilius)
23 Kwiecień 2006 11:58
#1
Logfile of HijackThis v1.99.1
Scan saved at 125952, on 2006-04-23
Platform Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes
CWINDOWSSystem32smss.exe
CWINDOWSsystem32winlogon.exe
CWINDOWSsystem32services.exe
CWINDOWSsystem32lsass.exe
CWINDOWSsystem32svchost.exe
CWINDOWSSystem32svchost.exe
CWINDOWSsystem32spoolsv.exe
CWINDOWSexplorer.exe
EProgramyAntywirusowyAntiViraswUpdSv.exe
EProgramyANTYWI~1AntiVirashDisp.exe
CPROGRA~1PESTPA~1PPControl.exe
CPROGRA~1PESTPA~1PPMemCheck.exe
CPROGRA~1PESTPA~1CookiePatrol.exe
CProgram FilesJavajre1.5.0_06binjusched.exe
CProgram FilesQuickTimeqttask.exe
CWINDOWSsystem32ctfmon.exe
CProgram FilesEnhanceKeyboardkb_2k.exe
EProgramyAntywirusowyAntiVirashServ.exe
EProgramyAntywirusowyKerioPersonal Firewall 4kpf4ss.exe
CProgram FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe
CWINDOWSSystem32nvsvc32.exe
CWINDOWSSystem32svchost.exe
EProgramyAntywirusowyKerioPersonal Firewall 4kpf4gui.exe
EProgramyAntywirusowyAntiVirashMaiSv.exe
CWINDOWSsystem32WgaTray.exe
EProgramyAntywirusowyKerioPersonal Firewall 4kpf4gui.exe
EProgramyAntywirusowyAntiVirashWebSv.exe
EProgramyWinampWinamp.exe
EProgramyFirefoxfirefox.exe
EProgramyWinRARWinRAR.exe
CDOCUME~1deadtree.MSHUSTAWI~1TempRar$EX00.707HijackThis.exe
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = httpwp.pl
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
F2 - REGsystem.ini Shell=explorer.exe CProgram FilesCommon FilesMicrosoft SharedWeb Foldersibm00001.exe
O2 - BHO AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - EProgramyAdobeReaderReaderActiveXAcroIEHelper.dll
O2 - BHO (no name) - {53707962-6F74-2D53-2644-206D7942484F} - EProgramyANTYWI~1SPYBOT~1SDHelper.dll
O2 - BHO SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - CProgram FilesJavajre1.5.0_06binssv.dll
O2 - BHO FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - EProgramyFlashFXPFlashFXPIEFlash.dll
O4 - HKLM..Run [avast!] EProgramyANTYWI~1AntiVirashDisp.exe
O4 - HKLM..Run [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM..Run [PestPatrol Control Center] CPROGRA~1PESTPA~1PPControl.exe
O4 - HKLM..Run [PPMemCheck] CPROGRA~1PESTPA~1PPMemCheck.exe
O4 - HKLM..Run [CookiePatrol] CPROGRA~1PESTPA~1CookiePatrol.exe
O4 - HKLM..Run [NeroCheck] CWINDOWSSystem32NeroCheck.exe
O4 - HKLM..Run [SunJavaUpdateSched] CProgram FilesJavajre1.5.0_06binjusched.exe
O4 - HKLM..Run [iTunesHelper] CProgram FilesiTunesiTunesHelper.exe
O4 - HKLM..Run [QuickTime Task] CProgram FilesQuickTimeqttask.exe -atboottime
O4 - HKLM..Run [KernelFaultCheck] %systemroot%system32dumprep 0 -k
O4 - HKLM..RunOnce [Pest Cleaning] CPROGRA~1PESTPA~1ppclean.exe clean ts20060210190936 cws 2
O4 - HKCU..Run [ctfmon.exe] CWINDOWSsystem32ctfmon.exe
O4 - Startup Rejestrowanie produktów Corela.lnk = CProgram FilesCorelGraphics9RegisterRemind32.exe
O4 - Global Startup enhanced keyboard driver.lnk =
O4 - Global Startup Microsoft Office.lnk = CProgram FilesMicrosoft OfficeOffice10OSA.EXE
O8 - Extra context menu item Eksport do programu Microsoft Excel - resCPROGRA~1MICROS~2Office10EXCEL.EXE3000
O9 - Extra button (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - CProgram FilesJavajre1.5.0_06binssv.dll
O9 - Extra 'Tools' menuitem Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - CProgram FilesJavajre1.5.0_06binssv.dll
O16 - DPF {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http195.136.36.165activexAMC.cab
O16 - DPF {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http67.15.101.3g_binplbillard8_2_0_0_24.cab
O16 - DPF {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C4} (GameDesire Pool Training) - http67.15.101.3g_binplbillardt_2_0_0_24.cab
O16 - DPF {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http67.15.101.3g_binplsnooker_2_0_0_24.cab
O16 - DPF {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C6} (GameDesire Pool 8UK) - http67.15.101.3g_binplbillard8UK_2_0_0_24.cab
O17 - HKLMSystemCCSServicesTcpip..{702453BA-5130-4CA2-A686-C8734C35A652} NameServer = 194.204.159.1,194.204.152.34
O17 - HKLMSystemCCSServicesTcpip..{77EBF541-4BDF-43BB-9E82-71C68203B471} NameServer = 194.204.159.1,194.204.152.34
O18 - Protocol ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - CProgram FilesCommon FilesMicrosoft SharedHelphxds.dll
O20 - Winlogon Notify WgaLogon - CWINDOWSSYSTEM32WgaLogon.dll
O23 - Service avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - EProgramyAntywirusowyAntiViraswUpdSv.exe
O23 - Service avast! Antivirus - Unknown owner - EProgramyAntywirusowyAntiVirashServ.exe
O23 - Service avast! Mail Scanner - Unknown owner - EProgramyAntywirusowyAntiVirashMaiSv.exe service (file missing)
O23 - Service avast! Web Scanner - Unknown owner - EProgramyAntywirusowyAntiVirashWebSv.exe service (file missing)
O23 - Service InstallDriver Table Manager (IDriverT) - Macrovision Corporation - CProgram FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service iPodService - Apple Computer, Inc. - CProgram FilesiPodbiniPodService.exe
O23 - Service Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - EProgramyAntywirusowyKerioPersonal Firewall 4kpf4ss.exe
O23 - Service NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - CWINDOWSSystem32nvsvc32.exe
Bieniol
(Bbieniol)
23 Kwiecień 2006 12:27
#2
Wyłączasz przywracanie systemu:
Włączasz tryb awaryjny:
Odpalasz Hijacka --> do a system scan only i zaznaczasz wpis:
I klikasz na dole “fix checked”
Uruchamiasz narzędzie KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
C:/Program Files/Common Files/Microsoft Shared/Web Folders/ibm00001.exe
Klikasz X i restart kompa
Po zabiegach nowy log + log z Silent Runners
MSH
(Authilius)
23 Kwiecień 2006 20:52
#3
Dziękuje za próbę pomocy, ale jak zapewne zauważyłeś podczas szczegółowego przeglądania mojego log’a nie posiadam w nim wpisu
Operacja KillBox’em też nic nie daje zarówno w trybie normalnym jak i awaryjnym.
skan z Silent Runners:
“Silent Runners.vbs”, revision 44, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “avast!” = “E:\Programy\ANTYWI~1\AntiVir\ashDisp.exe” [null data] “NvCplDaemon” = “RUNDLL32.EXE NvQTwk,NvCplDaemon initialize” [MS] “PestPatrol Control Center” = “C:\PROGRA~1\PESTPA~1\PPControl.exe” [“Computer Associates International”] “PPMemCheck” = “C:\PROGRA~1\PESTPA~1\PPMemCheck.exe” [null data] “CookiePatrol” = “C:\PROGRA~1\PESTPA~1\CookiePatrol.exe” [“Computer Associates International”] “NeroCheck” = “C:\WINDOWS\System32\NeroCheck.exe” [“Ahead Software Gmbh”] “SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”] “iTunesHelper” = ““C:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Computer, Inc.”] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “Pest Cleaning” = "“C:\PROGRA~1\PESTPA~1\ppclean.exe” “clean” “ts:20060210190936” “cws” “2"” [“Computer Associates”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “E:\Programy\Adobe\Reader\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\Programy\ANTYWI~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] {E5A1691B-D188-4419-AD02-90002030B8EE}(Default) = (no title provided) -> {HKLM…CLSID} = “FlashFXP Helper for Internet Explorer” \InProcServer32(Default) = “E:\Programy\FlashFXP\FlashFXP\IEFlash.dll” [“IniCom Networks, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “E:\Programy\Antywirusowy\AntiVir\ashShell.dll” [“ALWIL Software”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Programy\WinRAR\rarext.dll” [null data] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Eksplorator pulpitów” -> {HKLM…CLSID} = “Eksplorator pulpitów” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play” -> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play” \InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{2B3453E4-49DF-11D3-8229-0080BE509050}” = “GMail Drive” -> {HKLM…CLSID} = “GMail Drive” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509052}” = “GMailFS Property Sheet” -> {HKLM…CLSID} = “GMailFS Property Sheet” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509054}” = “GMailFS Drop Handler” -> {HKLM…CLSID} = “GMailFS Drop Handler” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509056}” = “GMailFS Context Menu” -> {HKLM…CLSID} = “GMailFS Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes” -> {HKLM…CLSID} = “iTunes” \InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Computer, Inc.”] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! “Shell” = “explorer.exe “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”” [MS], [file not found], [file not found], [file not found], [file not found], [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! WgaLogon\DLLName = “WgaLogon.dll” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “E:\Programy\Antywirusowy\AntiVir\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Programy\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Programy\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “E:\Programy\Antywirusowy\AntiVir\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Programy\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\deadtree.MSH\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp” Startup items in “deadtree” & “All Users” startup folders: ---------------------------------------------------------- C:\Documents and Settings\deadtree.MSH\Menu Start\Programy\Autostart “Rejestrowanie produktów Corela” -> shortcut to: “C:\Program Files\Corel\Graphics9\Register\Remind32.exe” [file not found] C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart “enhanced keyboard driver” -> shortcut to: “C:\Program Files\EnhanceKeyboard\kb_2k.exe” [empty string] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_06” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll” [“Sun Microsystems, Inc.”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““E:\Programy\Antywirusowy\AntiVir\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““E:\Programy\Antywirusowy\AntiVir\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““E:\Programy\Antywirusowy\AntiVir\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““E:\Programy\Antywirusowy\AntiVir\ashWebSv.exe” /service” [“ALWIL Software”] iPodService, iPodService, “C:\Program Files\iPod\bin\iPodService.exe” [“Apple Computer, Inc.”] Kerio Personal Firewall 4, KPF4, ““E:\Programy\Antywirusowy\Kerio\Personal Firewall 4\kpf4ss.exe”” [“Kerio Technologies”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] NVIDIA Driver Helper Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor i250\Driver = “CNMLM50.DLL” [“CANON INC.”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 568 seconds, including 24 seconds for message boxes)
Bieniol
(Bbieniol)
23 Kwiecień 2006 21:25
#4
Takiego nie posiadasz - pierwszy raz widze na oczy taki dziwny log, ale posiadasz taki wpis:
Usuń go w awaryjnym
Gutek
(Gutek)
23 Kwiecień 2006 21:38
#5
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! “Shell” = “explorer.exe “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”” [MS], [file not found], [file not found], [file not found], [file not found], [file not found]
Otwórz notatnik i wklej:
Plik >>> Zapisz jako >>> Ustaw rozszerzenie z TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG >>> kliknij podwójnie zrobiony plik i potwierdź >>> reset kompa