Sprawdzenie logow HiJack oraz silentrunners

jamesz12345 · 30 Grudzień 2006 17:12

Moj komputer jest dosc zawirusowany. usunalem kilka wirusow za pomoca SmitfraudFix, ale nadal siedzi kilka z nich miedzy inymi spyMarshal… Nie wiem jak sie ich pozbyc . Podaje logid Hijack i silentrunner. Logi zrobilem w trybie awaryjnym, nie wiem czy to dobrze czy nie. Prosze o pomoc . pozdrawiam

Logfile of HijackThis v1.99.1 Scan saved at 18:00:14, on 2006-12-30 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Tom\USTAWI~1\Temp\Rar$EX00.641\HijackThis.exe C:\Program Files\Internet Explorer\iexplore.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.extremeaccess.info/?rid=2 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup O4 - HKLM…\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe O4 - HKLM…\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM…\Run: [systems] C:\WINDOWS\system32\sysmon.exe O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://www.archiviosex.net O15 - Trusted Zone: http://www.contentdiscount.info O15 - Trusted Zone: http://www.extremeaccess.info O17 - HKLM\System\CCS\Services\Tcpip…{6A092D5B-81FF-4B97-871E-AFC2E8176B74}: NameServer = 85.255.115.2,85.255.112.6 O17 - HKLM\System\CCS\Services\Tcpip…{D3D90202-58DA-47D5-96C8-0DF62570A70E}: NameServer = 85.255.115.2,85.255.112.6 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.6 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.6 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.6 O18 - Protocol: bw+0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw+0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: bwg0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwg0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: offline-8876480 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll c:\windows\system32\ldcore.dll O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Gdjhlo32.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: BMCNAWS - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\Tom\USTAWI~1\Temp\BMCNAWS.exe O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG9tZWs\command.exe O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “LDM” = “C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe” [“Logitech”] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Smapp” = “C:\Program Files\Analog Devices\SoundMAX\SMTray.exe” [“Analog Devices, Inc.”] “ATIPTA” = ““C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”” [“ATI Technologies, Inc.”] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” [null data] “OutpostFeedBack” = “C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup” [“Agnitum Ltd.”] “ASUS Probe” = “C:\Program Files\ASUS\Asus Probe\AsusProb.exe” [null data] “Logitech Hardware Abstraction Layer” = “KHALMNPR.EXE” [“Logitech Inc.”] “Systems” = “C:\WINDOWS\system32\sysmon.exe” [null data] “MSConfig” = “C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID] -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “Internet Explorer” = “{F28A40D7-AD0E-034A-C651-5F0ED76232E6}” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Gdjhlo32.dll” [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING! “AppInit_DLLs” = “C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll c:\windows\system32\ldcore.dll” [“Agnitum Ltd.”] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! “System” = “csoik.exe” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] INFECTION WARNING! rpcc\DLLName = “C:\WINDOWS\system32\rpcc.dll” [null data] INFECTION WARNING! winsys2freg\DLLName = “C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll” [null data] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Tom” & “All Users” startup folders: ----------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Logitech Desktop Messenger” -> shortcut to: “C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start” [“Logitech”] “Logitech SetPoint” -> shortcut to: “C:\Program Files\Logitech\SetPoint\SetPoint.exe” [“Logitech Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: imon.dll [null data], 01 - 05, 19 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] ATI Smart, ATI Smart, “C:\WINDOWS\system32\ati2sgag.exe” [empty string] Command Service, cmdService, “C:\WINDOWS\VG9tZWs\command.exe” [null data] HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\system32\wbem\wmiapsrv.exe” [MS] Network Monitor, Network Monitor, “C:\Program Files\Network Monitor\netmon.exe service” [null data] NOD32 Kernel Service, NOD32krn, “C:\Program Files\Eset\nod32krn.exe” [null data] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\mspmsnsv.dll” [MS]} ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 37 seconds, including 8 seconds for message boxes)

adam9870 · 30 Grudzień 2006 17:20

Pobierz The avenger. Wypakuj => uruchom => zaznacz opcję Input script manually => kliknij w taką lupkę => w okienku, które się otworzy wklej:

=> Kliknij klawisz Done => teraz kliknij na zielone światełko => powinna pojawić się pewna informacja i kliknij OK (teraz restart).

Po resecie może pojawić się okienko na dosłownie kilka sekund oraz log w notatniku. Wejdź tam gdzie masz avangera i skasuj plik backup.zip czyli np. c:\avanger\backup.zip.

Użyj narzędzia SmitFraudFix z opcji numer 2 w trybie awaryjnym z wyłączonym przywracaniem systemu.

Użyj narzędzia FixWareOut.

Użyj ATF Cleaner i przeczyść Current User Temp oraz All Users Temp.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.extremeaccess.info/?rid=2 O4 - HKLM…\Run: [systems] C:\WINDOWS\system32\sysmon.exe O15 - Trusted Zone: http://www.archiviosex.net O15 - Trusted Zone: http://www.contentdiscount.info O15 - Trusted Zone: http://www.extremeaccess.info O17 - HKLM\System\CCS\Services\Tcpip…{6A092D5B-81FF-4B97-871E-AFC2E8176B74}: NameServer = 85.255.115.2,85.255.112.6 O17 - HKLM\System\CCS\Services\Tcpip…{D3D90202-58DA-47D5-96C8-0DF62570A70E}: NameServer = 85.255.115.2,85.255.112.6 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.6 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.6 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.6 O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Gdjhlo32.dll O23 - Service: BMCNAWS - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\Tom\USTAWI~1\Temp\BMCNAWS.exe O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG9tZWs\command.exe O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Usuń w hjt.

Po wykonaniu pokaż nowy log z hjt, SilentRunners plus raport z smitfraudfix oraz fixwareout.

Gutek · 30 Grudzień 2006 20:57

Zastosuj się do tego Tematu i zmień tytuł tematu na konkretny inaczej KOSZ

Pozdrawiam Gutek2222

jamesz12345 · 31 Grudzień 2006 15:00

Wykonalem powyzsze polecenia. Ale nadal; mam wirusy. Outpost mi sie przyt stracie nie uruchamia, na pulpicie mam skroty do programow ktore nie wiem skad sie wziely,. podaje logi

HiJack

Logfile of HijackThis v1.99.1 Scan saved at 15:39:34, on 2006-12-31 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\cleanmgr.exe C:\WINDOWS\explorer.exe K:\Katalog Kuba\z moich dok\Computers\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup O4 - HKLM…\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe O4 - HKLM…\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O18 - Protocol: bw+0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw+0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: bwg0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwg0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0s - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: offline-8876480 - {8194EDDD-1847-4E7E-86F4-31EF438F4300} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll c:\windows\system32\ldcore.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

SilentRunners

“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “LDM” = “C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe” [“Logitech”] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Smapp” = “C:\Program Files\Analog Devices\SoundMAX\SMTray.exe” [“Analog Devices, Inc.”] “ATIPTA” = ““C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”” [“ATI Technologies, Inc.”] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” [null data] “OutpostFeedBack” = “C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup” [“Agnitum Ltd.”] “ASUS Probe” = “C:\Program Files\ASUS\Asus Probe\AsusProb.exe” [null data] “Logitech Hardware Abstraction Layer” = “KHALMNPR.EXE” [“Logitech Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID] -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING! “AppInit_DLLs” = “C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll c:\windows\system32\ldcore.dll” [“Agnitum Ltd.”] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! “System” = “csoik.exe” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Tom” & “All Users” startup folders: ----------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Logitech Desktop Messenger” -> shortcut to: “C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start” [“Logitech”] “Logitech SetPoint” -> shortcut to: “C:\Program Files\Logitech\SetPoint\SetPoint.exe” [“Logitech Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: imon.dll [null data], 01 - 05, 19 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] ATI Smart, ATI Smart, “C:\WINDOWS\system32\ati2sgag.exe” [empty string] HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\system32\wbem\wmiapsrv.exe” [MS] NOD32 Kernel Service, NOD32krn, “C:\Program Files\Eset\nod32krn.exe” [null data] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\mspmsnsv.dll” [MS]} ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 27 seconds, including 4 seconds for message boxes)

SmitFraudFix v2.131 Scan done at 15:28:34,04, 2006-12-31 Run from L:\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “System”=“csoik.exe” »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» End avenger V

Bieniol · 31 Grudzień 2006 15:09

Użyj narzędzia -> FixWareOut

Po zabiegach nowy log z Hijacka + log z Silent Runners + raport z FixwareOut