Please check my log


(Lipek998) #1

Virus Alert

On the taskbar, next to the clock, a notification pops up telling me that my computer is infected... "Your computer is infected"


(Gblade) #2

Download LSP-Fix >>> run it >>> tick "I know what I'm doing", move newdotnet*_**.dll to the "REMOVE" box and click Finish

Uninstall Newdotnet

Run SmitFraudFix in Safe Mode http://forum.dobreprogramy.pl/viewtopic.php?t=36654 with option no. 2, then paste the report + new HijackThis logs + Silent Runners.


(Lipek998) #3


(Gblade) #4

Delete it with HijackThis and empty the temp folder in Safe Mode, then paste the whole Silent Runners log; this one is cut off.


(Lipek998) #5
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "D:\WINDOWS\System32\ctfmon.exe" [MS]

"Steam" = "C:\Steam\Steam.exe -silent" ["Valve Corporation"]

"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"MSMSGS" = ""D:\Program Files\Messenger\msmsgs.exe" /background" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"WheelMouse" = "D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co., Ltd."]

"NeroCheck" = "D:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]

"KAVPersonal50" = ""D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize" ["Kaspersky Lab"]

"DataLayer" = "D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]

"PCSuiteTrayApplication" = "D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE" [empty string]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"

                   \InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

{5929CD6E-2062-44a4-B2C5-2C7E78FBAB38}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Seekmo Search Assistant Helper"

                   \InProcServer32\(Default) = "d:\program files\seekmo\seekmohook.dll" [file not found]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

  -> {HKLM...CLSID} = "Eksplorator pulpitów"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "D:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "D:\WINDOWS\System32\Audiodev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "D:\PROGRA~1\ALCOHO~2\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"

  -> {HKLM...CLSID} = "Nokia Phone Browser"

                   \InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"

  -> {HKLM...CLSID} = "Contact View"

                   \InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]

"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"

  -> {HKLM...CLSID} = "Message View"

                   \InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  -> {HKLM...CLSID} = "iTunes"

                   \InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\Office11\MSOXMLMF.dll" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "D:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "D:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "D:\Documents and Settings\Lipek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "D:\WINDOWS\System32\logon.scr" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

  -> {HKLM...CLSID} = "Yahoo! Toolbar"

                   \InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

"{A2595F37-48D0-46A1-9B51-478591A97764}"

  -> {HKLM...CLSID} = "Protection Bar"

                   \InProcServer32\(Default) = "D:\Program Files\IntCodec\iesplugin.dll" [file not found]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Toolbar"

                   \InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

"{A2595F37-48D0-46A1-9B51-478591A97764}" = (no title provided)

  -> {HKLM...CLSID} = "Protection Bar"

                   \InProcServer32\(Default) = "D:\Program Files\IntCodec\iesplugin.dll" [file not found]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in"

                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"

                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]



HOSTS file

----------


D:\WINDOWS\System32\drivers\etc\HOSTS


maps: 4386 domain names to IP addresses,

      3 of the IP addresses are *not* localhost!



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


kavsvc, kavsvc, ""D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe"" ["Kaspersky Lab"]

NVIDIA Driver Helper Service, NVSvc, "D:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

SoundMAX Agent Service, SoundMAX Agent Service (default), "D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

StarWind iSCSI Service, StarWindService, "D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\System32\wdfmgr.exe" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 536 seconds, including 8 seconds for message boxes)


(Gblade) #6

Do what I wrote in the post above.

Edit the hosts file in Notepad; it is located at D:\WINDOWS\System32\drivers\etc\HOSTS

There should be a line in it

Delete all the other lines below it, unless you added them yourself, and save the changes.
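The HOSTS check described in this post, as an added example that is not part of the thread and not code from Silent Runners: it parses a hosts file, reproduces the two figures the log above reports (how many names are mapped and how many of the target addresses are not loopback), keeps only the comment lines and the `localhost` lines, and lists every other entry for the user to review before deleting. The sample file contents, the hostnames in it and the function names (`audit_hosts`, `HostsAudit`) are constructed for this example; 198.51.100.7 is a documentation address, not a real redirect target.

```python
"""Audit a Windows HOSTS file: keep the localhost lines, flag everything else.

Added example for the forum thread; not code from the thread or from
Silent Runners. Sample data and names below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample modelled on a hijacked HOSTS file (all names are made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       ad.example-tracker.invalid   # loopback, but not localhost
127.0.0.1       banner.example.invalid
0.0.0.0         telemetry.example.invalid
198.51.100.7    www.example-bank.invalid     # a real site name sent to another host
198.51.100.7    example-antivirus.invalid
::1             localhost
"""


@dataclass
class HostsAudit:
    mapped_names: int = 0                    # hostname -> IP mappings seen
    non_loopback_ips: set = field(default_factory=set)   # targets that are not 127.x / ::1
    review: list = field(default_factory=list)           # (ip, hostname, reason) not kept
    cleaned: str = ""                        # comments, blank lines and localhost lines only


def _parse_line(raw):
    """Classify one line: ('keep', None) for comments/blank lines,
    ('malformed', None) when the first token is not an IP address,
    ('mapping', (ip, [hostnames])) for a real mapping."""
    body = raw.split("#", 1)[0].strip()      # drop inline comments
    if not body:
        return "keep", None
    ip, *names = body.split()
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "malformed", None
    return "mapping", (ip, names)


def audit_hosts(text):
    """Return a HostsAudit for the given hosts-file text."""
    audit = HostsAudit()
    kept = []
    for raw in text.splitlines():
        kind, parsed = _parse_line(raw)
        if kind == "keep":
            kept.append(raw)                 # comments and blank lines are harmless
            continue
        if kind == "malformed":
            audit.review.append(("?", raw.strip(), "not a valid hosts entry"))
            continue
        ip, names = parsed
        loopback = ipaddress.ip_address(ip).is_loopback
        audit.mapped_names += len(names)
        if not loopback:
            audit.non_loopback_ips.add(ip)   # this is what the log's "not localhost" count means
        if loopback and names == ["localhost"]:
            kept.append(raw)                 # the one line the post says must stay
            continue
        for name in names:
            reason = ("loopback entry that is not localhost (blocks the site)" if loopback
                      else "redirects the name to " + ip)
            audit.review.append((ip, name, reason))
    audit.cleaned = "\n".join(kept) + "\n"
    return audit


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"maps: {result.mapped_names} domain names to IP addresses,")
    print(f"      {len(result.non_loopback_ips)} of the IP addresses are *not* localhost!")
    for ip, name, reason in result.review:
        print(f"  review: {ip:<15} {name:<32} {reason}")
    print("--- cleaned file ---")
    print(result.cleaned, end="")
```

To use it on a real machine, read the file from the path the post gives (on Windows XP it has no extension) into `text`, inspect the `review` list, and only then write `cleaned` back; entries that redirect a well-known site name to a non-loopback address are the ones worth treating as hijacks, while loopback entries for ad or update servers may be either a blocklist you installed yourself or malware preventing updates, which is why the script reports them instead of deciding.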


(squeet) #7

Please change the topic title to a specific one that describes the problem.