wezuj
(Rafo17)
12 December 2006 16:36
#1
Hello
I know this topic has already been raised several times, but I would still like to ask you for help. I admit I am completely green at these things. Below I am posting a HijackThis log and I would ask for advice on how to get rid of the file rpcc.dll (HijackThis does not remove it) and what else I should remove from here.
Logfile of HijackThis v1.99.1
Scan saved at 17:37:46, on 2006-12-12
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Neostrada TP\taskbaricon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\srrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\srrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Documents and Settings\Home\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe
O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM…\Run: [msconfig38] mssvcc.exe
O4 - HKLM…\Run: [secures23] lup.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM…\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM…\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM…\Run: [mel34] C:\WINDOWS\system32\mdm4.exe
O4 - HKLM…\Run: [john315] C:\WINDOWS\system32\srrvc.exe
O4 - HKLM…\Run: [stack12] C:\WINDOWS\system32\mfee.exe
O4 - HKLM…\Run: [kav] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe”
O4 - HKLM…\Run: [Media Access] C:\PROGRA~1\MEDIAA~1\MediaAccK.exe
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\RunServices: [mouse] mouse.exe
O4 - HKLM…\RunServices: [msconfig38] mssvcc.exe
O4 - HKLM…\RunServices: [secures23] lup.exe
O4 - HKLM…\RunServices: [msvcc25] svcchost.exe
O4 - HKLM…\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU…\Run: [mel34] C:\WINDOWS\system32\mdm4.exe
O4 - HKCU…\Run: [john315] C:\WINDOWS\system32\srrvc.exe
O4 - HKCU…\Run: [stack12] C:\WINDOWS\system32\mfee.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_43.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://netvenda.com/default.cab?uid=32& … art=050630
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ … 7cde19f6fa ac48ae81b7344b44599c1ffe6852e922ed28187ff09a0438d0999ea48b7ef8a12d6bcf7 afbe81c42a5c91952933ea831ee344723547f5272ae4b84:622c8eeb16a060b4c8fbdc ee079d24e
O17 - HKLM\System\CCS\Services\Tcpip…{0C565033-0F9A-4ED9-99EE-CBE551386FBF}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip…{1767A77F-AEE0-49F0-9043-5430396C3621}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip…{E3B36FB4-D883-4350-88F1-351E1DD95D5F}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip…{0C565033-0F9A-4ED9-99EE-CBE551386FBF}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip…{0C565033-0F9A-4ED9-99EE-CBE551386FBF}: NameServer = 195.95.218.3,85.255.112.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O23 - Service: Kaspersky Anti-Virus Home Edition 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RADNET - Unknown owner - C:\WINDOWS\radnet32.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
O23 - Service: Windows Spooler (winspool32) - Unknown owner - C:\WINDOWS\spool.exe (file missing)
And sorry for breaking the page width.
adam9870
(adam9870)
12 December 2006 16:53
#2
Use Windows Worms Doors Cleaner and switch the markers from disable to enable (all markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.
Start => Run => cmd => type:
Use the SmitFraudFix tool (option 2). Then check what is still there of what I listed below and remove it (you do all of this in Safe Mode, of course, with System Restore turned off):
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O4 - HKLM…\Run: [msconfig38] mssvcc.exe
O4 - HKLM…\Run: [secures23] lup.exe
O4 - HKLM…\Run: [mel34] C:\WINDOWS\system32\mdm4.exe
O4 - HKLM…\Run: [john315] C:\WINDOWS\system32\srrvc.exe
O4 - HKLM…\Run: [stack12] C:\WINDOWS\system32\mfee.exe
O4 - HKLM…\Run: [Media Access] C:\PROGRA~1\MEDIAA~1\MediaAccK.exe
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0
O4 - HKLM…\RunServices: [mouse] mouse.exe
O4 - HKLM…\RunServices: [msconfig38] mssvcc.exe
O4 - HKLM…\RunServices: [secures23] lup.exe
O4 - HKLM…\RunServices: [msvcc25] svcchost.exe
O4 - HKLM…\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU…\Run: [mel34] C:\WINDOWS\system32\mdm4.exe
O4 - HKCU…\Run: [john315] C:\WINDOWS\system32\srrvc.exe
O4 - HKCU…\Run: [stack12] C:\WINDOWS\system32\mfee.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ … 7cde19f6fa ac48ae81b7344b44599c1ffe6852e922ed28187ff09a0438d0999ea48b7ef8a12d6bcf7 afbe81c42a5c91952933ea831ee344723547f5272ae4b84:622c8eeb16a060b4c8fbdc ee079d24e
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O23 - Service: RADNET - Unknown owner - C:\WINDOWS\radnet32.exe (file missing)
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
O23 - Service: Windows Spooler (winspool32) - Unknown owner - C:\WINDOWS\spool.exe (file missing)
The marked files and folders you delete manually from the disk, and the entries in HijackThis.
When done, post a new HJT log, a SilentRunners log and c:\rapport.txt.
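As an added illustration (not code from this thread, from HijackThis or from any of the tools named above), the following Python script applies the same kind of triage to a HijackThis log that adam9870 did by hand in #2: it splits the log into entries by section code and flags the patterns that stand out in the log from #1. The sample input is a short excerpt of that log. The three allowlists at the top (expected DNS resolvers, known Winlogon Notify packages, and bare autorun file names that the Silent Runners output later in the thread shows as signed vendor files) are assumptions to be filled in per machine, not facts taken from the thread.

```python
"""Section-by-section triage of a HijackThis v1.99 log (added example).

Checks: extra UserInit executables (F2), Run/RunServices values that are a bare
file name with no directory (O4), ActiveX downloads with no URL or a file://
source (O16), DNS resolvers outside the expected set (O17), Winlogon Notify
packages outside an allowlist (O20), services with no owner whose binary is
missing (O23)."""
import re
from dataclasses import dataclass

# Assumed per-machine allowlists (hypothetical; the operator maintains these).
EXPECTED_RESOLVERS = {"194.204.152.34", "217.98.63.164"}  # resolvers assumed to be the ISP's
KNOWN_NOTIFY_DLLS = {"igfxcui", "klogon"}                  # Winlogon Notify packages expected here
KNOWN_BARE_RUN_NAMES = {"hdashcut.exe", "alcwzrd.exe", "alcmtr.exe"}  # bare names with a known vendor

# Constructed sample: a verbatim excerpt of the log posted in #1.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [msconfig38] mssvcc.exe
O4 - HKLM…\RunServices: [mouse] mouse.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O17 - HKLM\System\CCS\Services\Tcpip…{0C565033-0F9A-4ED9-99EE-CBE551386FBF}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip…{E3B36FB4-D883-4350-88F1-351E1DD95D5F}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: RADNET - Unknown owner - C:\WINDOWS\radnet32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    entry: str


ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Xn - ...' line; other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["sec"], m["body"].strip()))
    return out


def check_f2(body):
    # system.ini UserInit: every entry after userinit.exe is launched at logon.
    m = re.search(r"UserInit=(?P<val>.+)", body)
    if not m:
        return None
    extra = [p.strip() for p in m["val"].split(",") if p.strip().lower() != "userinit.exe"]
    return "extra UserInit executable(s): " + ", ".join(extra) if extra else None


def check_o4(body):
    # A bare file name is resolved through the search path, so the log does not
    # tell you where the binary lives; known vendor names are allowlisted.
    m = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", body)
    if not m:
        return None
    cmd = m["cmd"].strip().strip('"“”')
    if "\\" in cmd or ":" in cmd or cmd.lower() in KNOWN_BARE_RUN_NAMES:
        return None
    return f"bare file name in autorun value [{m['name']}]: {cmd}"


def check_o16(body):
    # Downloaded Program Files (ActiveX) installed from a local file or with no source.
    m = re.match(r"DPF: \{[^}]+\}(?: \([^)]*\))? -\s*(?P<url>.*)$", body)
    if not m:
        return None
    url = m["url"].strip()
    if not url:
        return "ActiveX entry with no download URL"
    if url.lower().startswith("file://"):
        return f"ActiveX entry installed from a local file: {url}"
    return None


def check_o17(body):
    # Per-interface DNS servers: report anything outside the expected resolver set.
    m = re.search(r"NameServer = (?P<servers>.+)$", body)
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
    unexpected = [s for s in servers if s not in EXPECTED_RESOLVERS]
    return "unexpected DNS resolver(s): " + ", ".join(unexpected) if unexpected else None


def check_o20(body):
    # Winlogon Notify DLLs are loaded into winlogon.exe at every logon.
    m = re.match(r"Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$", body)
    if not m or m["name"].lower() in KNOWN_NOTIFY_DLLS:
        return None
    return f"unknown Winlogon Notify package {m['name']} -> {m['path']}"


def check_o23(body):
    # Service registration with no vendor string whose binary is gone.
    if "Unknown owner" in body and "(file missing)" in body:
        return "service with unknown owner and missing binary"
    return None


CHECKS = {"F2": check_f2, "O4": check_o4, "O16": check_o16,
          "O17": check_o17, "O20": check_o20, "O23": check_o23}


def triage(log_text):
    """Run the section checks over the log and return findings in log order."""
    findings = []
    for sec, body in parse_entries(log_text):
        check = CHECKS.get(sec)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(sec, reason, f"{sec} - {body}"))
    return findings


def summarize(findings):
    """Count findings per HijackThis section code."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.entry}")
```

The O17 check is the one worth adding to a manual review of a log like this: the log in #1 shows two different resolver sets on different interfaces, and a resolver you did not configure means every name lookup on that interface goes through a server you do not control, whatever else gets cleaned from the startup entries.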
wezuj
(Rafo17)
12 December 2006 17:46
#3
Just so I am clear: do I remove the ones that also show up in SmitFraudFix, or all of the marked ones?
Joan
(Joan Sunshine)
12 December 2006 18:05
#4
First run SmitFraudFix - it will remove part of the junk. Then find the files marked in red on the disk and delete them in Safe Mode, and tick the entries listed by adam9870 in HJT and click “Fix checked” at the bottom. Then new logs.
wezuj
(Rafo17)
12 December 2006 19:03
#5
OK, I fiddled around a bit and at the moment it looks like this:
Logfile of HijackThis v1.99.1
Scan saved at 19:49:01, on 2006-12-12
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Neostrada TP\taskbaricon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Home\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe
O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM…\Run: [secures23] lup.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM…\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM…\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM…\Run: [mel34] C:\WINDOWS\system32\mdm4.exe
O4 - HKLM…\Run: [stack12] C:\WINDOWS\system32\mfee.exe
O4 - HKLM…\Run: [kav] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe”
O4 - HKLM…\Run: [Media Access] C:\PROGRA~1\MEDIAA~1\MediaAccK.exe
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\RunServices: [msconfig38] mssvcc.exe
O4 - HKLM…\RunServices: [secures23] lup.exe
O4 - HKLM…\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU…\Run: [mel34] C:\WINDOWS\system32\mdm4.exe
O4 - HKCU…\Run: [stack12] C:\WINDOWS\system32\mfee.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_43.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://netvenda.com/default.cab?uid=32& … art=050630
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ … 7cde19f6fa ac48ae81b7344b44599c1ffe6852e922ed28187ff09a0438d0999ea48b7ef8a12d6b cf7afbe81c42a5c91952933ea831ee344723547f5272ae4b84:622c8eeb16a060b4c8f bdceee079d24e
O17 - HKLM\System\CCS\Services\Tcpip…{0C565033-0F9A-4ED9-99EE-CBE551386FBF}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip…{1767A77F-AEE0-49F0-9043-5430396C3621}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip…{E3B36FB4-D883-4350-88F1-351E1DD95D5F}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip…{0C565033-0F9A-4ED9-99EE-CBE551386FBF}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip…{0C565033-0F9A-4ED9-99EE-CBE551386FBF}: NameServer = 195.95.218.3,85.255.112.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O23 - Service: Kaspersky Anti-Virus Home Edition 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
SmitFraudFix v2.128

Scan done at 19:11:52,10, 2006-12-12
Run from C:\Documents and Settings\Home\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“System”=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS]
“mel34” = “C:\WINDOWS\system32\mdm4.exe” [file not found]
“stack12” = “C:\WINDOWS\system32\mfee.exe” [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS]
“TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”]
“QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”]
“WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string]
“WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom RD”]
“WOOTASKBARICON” = “C:\Program Files\Neostrada TP\taskbaricon.exe” [“France Télécom RD”]
“SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]
“secures23” = “lup.exe” [file not found]
“SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”]
“PCSuiteTrayApplication” = “C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup” [“Nokia”]
“High Definition Audio Property Page Shortcut” = “HDAShCut.exe” [“Windows ® Server 2003 DDK provider”]
“AlcWzrd” = “ALCWZRD.EXE” [“RealTek Semicoductor Corp.”]
“Alcmtr” = “ALCMTR.EXE” [“Realtek Semiconductor Corp.”]
“mel34” = “C:\WINDOWS\system32\mdm4.exe” [file not found]
“stack12” = “C:\WINDOWS\system32\mfee.exe” [file not found]
“kav” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe”” [“Kaspersky Lab”]
“(Default)” = “(empty string)” [file not found]
“Media Access” = “C:\PROGRA~1\MEDIAA~1\MediaAccK.exe” [file not found]
“KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k”
“WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)
  \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{28CAEFF3-0F18-4036-B504-51D73BD81ABC}(Default) = (no title provided)
  - {HKLM…CLSID} = “EliteBar”
  \InProcServer32(Default) = “C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll” [file not found]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
  - {HKLM…CLSID} = (no title provided)
  \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]
{6A373B7E-496E-424f-A9BE-486A5E9AB018}(Default) = (no title provided)
  - {HKLM…CLSID} = “BitComet Toolbar Helper”
  \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll” [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
  - {HKLM…CLSID} = “SSVHelper Class”
  \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
  - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
  \InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
  - {HKLM…CLSID} = “HyperTerminal Icon Ext”
  \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

I had some problems with Silent Runners, so the log is probably incomplete. Once I sort it out I will fill it in.
adam9870
(adam9870)
12 December 2006 19:12
#6
Download the KillBox program, tick Delete on reboot, and in the “full path of file” field paste the paths:
C:\WINDOWS\System32\xpjava.exe
C:\WINDOWS\System32\rpcc.dll
Click the red X and restart the computer (restart only after removing the last file).
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O4 - HKLM…\Run: [secures23] lup.exe
O4 - HKLM…\Run: [mel34] C:\WINDOWS\system32\mdm4.exe
O4 - HKLM…\Run: [stack12] C:\WINDOWS\system32\mfee.exe
O4 - HKLM…\Run: [Media Access] C:\PROGRA~1\MEDIAA~1\MediaAccK.exe
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\RunServices: [msconfig38] mssvcc.exe
O4 - HKLM…\RunServices: [secures23] lup.exe
O4 - HKLM…\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU…\Run: [mel34] C:\WINDOWS\system32\mdm4.exe
O4 - HKCU…\Run: [stack12] C:\WINDOWS\system32\mfee.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://netvenda.com/default.cab?uid=32& … art=050630
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ … .cab?6edee 6e57cde19f6faac48ae81b7344b44599c1ffe6852e922ed28187ff09a 0438d0999ea48b7ef8a12d6bcf7afbe81c42a5c91952933ea831ee3447 23547f5272ae4b84:622c8eeb16a060b4c8fbdceee079d24e
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
Remove in HJT.
When done, new logs. But this time paste the whole Silent Runners log, because right now it is cut off.
adam9870
(adam9870)
12 December 2006 20:37
#8