Spyware alert... and not only that


(Dominik T) #1

Hello!

Every few moments an alert pops up telling me to open a certain page and download a program... A cross with an Alert also keeps appearing in the side panel...

The wallpaper also changes from time to time...

Any idea what this is about? :slight_smile:

HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 00:51:13, on 2007-11-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\system32\spoolsv.exe

H:\WINDOWS\Explorer.EXE

H:\Program Files\VDOTool\TBPanel.exe

H:\Program Files\Multimedia Card Reader\shwicon2k.exe

H:\WINDOWS\system32\RUNDLL32.EXE

H:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

H:\PROGRA~1\NEOSTR~1\CnxMon.exe

H:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

H:\Program Files\Eset\nod32kui.exe

H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

H:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

H:\WINDOWS\system32\ctfmon.exe

H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

H:\Program Files\Bonjour\mDNSResponder.exe

H:\Program Files\Eset\nod32krn.exe

H:\WINDOWS\System32\nvsvc32.exe

I:\Alcohol 120\StarWind\StarWindService.exe

H:\WINDOWS\System32\svchost.exe

H:\Program Files\PC Connectivity Solution\ServiceLayer.exe

H:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe

H:\Program Files\Gadu-Gadu\gg.exe

I:\Winamp\winamp.exe

H:\Program Files\Mozilla Firefox\firefox.exe

H:\Documents and Settings\ones\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - H:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: MSVPS System - {15272B08-F6FE-4E71-B2BD-A59AD23EBE3C} - H:\WINDOWS\bndsrfst.dll (file missing)

O2 - BHO: MSVPS System - {31E3F653-ED88-4355-B83E-FB263CD355E3} - H:\WINDOWS\popnetnpr.dll

O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - H:\Program Files\GetRight\xx2gr.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - H:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - H:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - H:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - H:\Program Files\Save Flash\SaveFlash.dll

O3 - Toolbar: The jokwmp - {9E004C23-5424-4C79-BAFE-C2B3460ECB56} - H:\WINDOWS\jokwmp.dll

O4 - HKLM\..\Run: [Gainward] H:\Program Files\VDOTool\TBPanel.exe /A

O4 - HKLM\..\Run: [Sunkist2k] H:\Program Files\Multimedia Card Reader\shwicon2k.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE

O4 - HKLM\..\Run: [SSBkgdUpdate] "H:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "H:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [WooCnxMon] H:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "H:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] H:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] H:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [nod32kui] "H:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\adobe reader\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "H:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "H:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "H:\Documents and Settings\All Users\Dane aplikacji\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] H:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "H:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [DAEMON Tools] "H:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "H:\Program Files\DAEMON Tools Pro\DTProAgent.exe"

O4 - HKCU\..\Run: [AdobeUpdater] H:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

O4 - Startup: hamachi.lnk = H:\Program Files\Hamachi\hamachi.exe

O4 - Startup: UniSpiker-2.6.lnk = ?

O4 - Global Startup: GetRight - Tray Icon.lnk = H:\Program Files\GetRight\getright.exe

O8 - Extra context menu item: Download with GetRight - H:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint – Dodaj do listy drukowania - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint – Drukuj - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O8 - Extra context menu item: Easy-WebPrint – Drukuj z dużą szybkością - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint – Podgląd - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Open with GetRight Browser - H:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: h:\program files\bonjour\mdnsnsp.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{928D5777-F110-4468-B6E6-EEA7395621C3}: NameServer = 192.168.1.1

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - H:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - H:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - H:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: msvb - {909FC493-8A51-47ED-9F6C-036773A76A06} - H:\WINDOWS\msvb.dll (file missing)

O21 - SSODL: sysdx - {484736F2-86B3-48A5-B405-A32CC723BAFA} - H:\WINDOWS\sysdx.dll (file missing)

O21 - SSODL: sapnet - {4C1073CF-4F56-4E84-A4BA-8DE17D46D2E2} - H:\WINDOWS\sapnet.dll

O21 - SSODL: rmvgor - {69B07BFC-461B-463C-AF17-78A7588027C8} - H:\WINDOWS\rmvgor.dll

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Diablo II Close Game Server (D2GS) - Unknown owner - H:\Documents and Settings\ones\Pulpit\D2GS-111b(21)\D2GSSVC.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - H:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - H:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - J:\MOHA GRA\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe

O23 - Service: ServiceLayer - Nokia. - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - I:\Alcohol 120\StarWind\StarWindService.exe

What else should I add? I'd like to get rid of it ;/

Post merged: 21.11.2007 (Wed) 8:25

Here is the DSS log:

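The HijackThis log above already contains the pattern that the later SDFix report confirms: the Internet Explorer start page (R0) is redirected to a referral URL on softwarereferral.com, and several IE/shell load points (O2 BHOs, an O3 toolbar, O21 ShellServiceObjectDelayLoad entries) point at DLLs with meaningless names dropped directly into H:\WINDOWS rather than into system32 or Program Files, two of them already "(file missing)". SDFix's "Trojan Files Found" list later deletes exactly those DLLs (jokwmp.dll, rmvgor.dll, sapnet.dll, POPNET~1.DLL). The script below is an added example, not code from the thread or from any of the tools mentioned in it; it applies those heuristics to a handful of lines copied from the posted log, plus a few benign lines from the same log for contrast. The list of acceptable home-page hosts is an assumption for the example and must be adapted to the machine being examined.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log posted in this thread,
# with benign lines (Adobe BHO, NOD32 Run key, WgaLogon) kept for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {15272B08-F6FE-4E71-B2BD-A59AD23EBE3C} - H:\WINDOWS\bndsrfst.dll (file missing)
O2 - BHO: MSVPS System - {31E3F653-ED88-4355-B83E-FB263CD355E3} - H:\WINDOWS\popnetnpr.dll
O3 - Toolbar: The jokwmp - {9E004C23-5424-4C79-BAFE-C2B3460ECB56} - H:\WINDOWS\jokwmp.dll
O4 - HKLM\..\Run: [nod32kui] "H:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Startup: UniSpiker-2.6.lnk = ?
O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: msvb - {909FC493-8A51-47ED-9F6C-036773A76A06} - H:\WINDOWS\msvb.dll (file missing)
O21 - SSODL: sapnet - {4C1073CF-4F56-4E84-A4BA-8DE17D46D2E2} - H:\WINDOWS\sapnet.dll
"""

# Assumption for this example: hosts a user might legitimately have as home page.
ALLOWED_HOME_HOSTS = {"www.google.com", "www.google.pl", "www.msn.com", "www.neostrada.pl"}

# HijackThis sections that register a DLL which IE or the shell loads automatically.
LOAD_POINTS = {"O2": "BHO", "O3": "toolbar", "O20": "Winlogon Notify", "O21": "SSODL"}

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
MISSING_SUFFIX = " (file missing)"


@dataclass
class Finding:
    kind: str
    target: str
    reasons: list
    line: str


def _parts(path: str) -> list:
    return path.lower().replace("/", "\\").split("\\")


def in_windows_root(path: str) -> bool:
    # True for a file dropped straight into %WINDIR% (e.g. H:\WINDOWS\sapnet.dll).
    p = _parts(path)
    return len(p) == 3 and p[1] == "windows"


def in_system32(path: str) -> bool:
    p = _parts(path)
    return len(p) == 4 and p[1] == "windows" and p[2] == "system32"


def check_start_page(body: str):
    # R0/R1 lines look like "<key>,Start Page = <url>"; only home/search pages are checked.
    setting, _, value = body.partition(" = ")
    if not setting.endswith(("Start Page", "Search Page")):
        return None, []
    url = urlparse(value.strip())
    host = url.hostname or value.strip()
    reasons = []
    if host not in ALLOWED_HOME_HOSTS:
        reasons.append(f"home/search page points to unexpected host {host}")
    if url.query:
        reasons.append("URL carries referral/tracking parameters")
    return host, reasons


def check_load_point(kind: str, body: str):
    # The module path is the last " - " separated field, optionally tagged "(file missing)".
    target = body.rsplit(" - ", 1)[-1].strip()
    missing = target.endswith(MISSING_SUFFIX)
    path = target[: -len(MISSING_SUFFIX)] if missing else target
    reasons = []
    if missing:
        reasons.append(f"{LOAD_POINTS[kind]} registration points to a file that no longer exists")
    if in_windows_root(path):
        reasons.append("module lives directly in %WINDIR%, not in system32 or Program Files")
    if kind == "O21" and not in_system32(path):
        reasons.append("third-party SSODL entry (the shell loads it at every logon)")
    return path, reasons


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            target, reasons = check_start_page(body)
        elif kind in LOAD_POINTS:
            target, reasons = check_load_point(kind, body)
        elif kind == "O4" and body.endswith(" = ?"):
            target, reasons = body, ["startup shortcut whose target could not be resolved"]
        else:
            continue
        if reasons:
            findings.append(Finding(kind, target, reasons, line))
    return findings


def flagged_targets(log_text: str) -> set:
    return {f.target for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.target}")
        for r in f.reasons:
            print(f"      - {r}")
```

This is a triage aid only: it ranks what to look at first and removes nothing. Run against the full posted log, the flagged module paths can be compared line by line with the "Trojan Files Found" section of the SDFix report further down the thread; an entry flagged here but absent from that list is what still needs manual attention.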

(Lost World) #2

To start with, an automated tool; don't download anything.

Download the SDFix tool

*Double-click the SDFix.exe icon; the program extracts itself by default to C:\SDFix

*Enter Safe Mode with Networking:

>>>>>> How to enter Safe Mode with Networking?

*F8 while the system boots.

*Use the BootSafe.exe tool, select the Safe Mode - Networking option and click reboot

*Once in Safe Mode, go to the SDFix folder and run the tool by double-clicking the RunThis.bat file with the left mouse button.

*Press Y, which starts the removal process

*When the removal process finishes, press any key >> a restart follows.

*After the restart SDFix finishes the removal process; when the word Finished appears in the SDFix window, press any key, the tool ends its work and the desktop icons load.

*Go to the SDFix folder, copy the contents of the text file Report.txt and paste it on the forum

Download: SmitFraudFix

Option number 2, then paste the report (C:\SmitfraudFix.txt). In Safe Mode, of course.


(Dominik T) #3

SDFix report...

Now I'll deal with SmitFraudFix as well

SDFix: Version 1.115


Run by Administrator on 2007-11-21 at 21:24


Microsoft Windows XP [Wersja 5.1.2600]


Running From: H:\SDFix


Safe Mode:

Checking Services: 



Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Default HomePage Value

Restoring Default Desktop Components Value


Rebooting...



Normal Mode:

Checking Files: 


Trojan Files Found:


H:\WINDOWS\privacy_danger\index.htm - Deleted

H:\WINDOWS\privacy_danger\images\capt.gif - Deleted

H:\WINDOWS\privacy_danger\images\danger.jpg - Deleted

H:\WINDOWS\privacy_danger\images\down.gif - Deleted

H:\WINDOWS\privacy_danger\images\spacer.gif - Deleted

H:\WINDOWS\dat.txt - Deleted

H:\WINDOWS\jokwmp.dll - Deleted

H:\WINDOWS\nethop.exe - Deleted

H:\WINDOWS\rmvgor.dll - Deleted

H:\WINDOWS\rs.txt - Deleted

H:\WINDOWS\sapnet.dll - Deleted

H:\WINDOWS\POPNET~1.DLL - Deleted




Folder H:\WINDOWS\privacy_danger - Removed


Removing Temp Files...


ADS Check:


H:\WINDOWS

No streams found. 


H:\WINDOWS\system32

No streams found. 


H:\WINDOWS\system32\svchost.exe

No streams found.


H:\WINDOWS\system32\ntoskrnl.exe

No streams found.




                                 Final Check:


catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-21 21:28:01

Windows 5.1.2600 Dodatek Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden services & system hive ...


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:e442b469

"s2"=dword:c4de46d6

"h0"=dword:00000002


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="I:\Alcohol 120\"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]

"p0"="H:\Program Files\DAEMON Tools Pro\"

"h0"=dword:00000001

"hdf12"=hex:c4,96,c7,de,a6,14,6d,b4,17,da,2d,f9,ba,c8,f1,50,92,cb,59,a3,b1,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]

"a0"=hex:20,01,00,00,2f,6b,d7,56,ae,93,19,52,43,f7,96,3f,d1,77,f9,4f,b1,..

"hdf12"=hex:9d,46,0e,ec,ec,fd,e6,ee,ec,b5,cf,70,e4,be,9d,82,f6,65,e5,78,66,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]

"hdf12"=hex:5a,be,27,1c,2a,34,bd,99,68,76,27,c4,5b,f3,ba,94,71,99,60,a1,92,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]

"hdf12"=hex:f9,f0,c4,57,f4,82,2f,5f,df,56,ff,96,df,6a,76,7d,97,a7,0a,39,0f,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002]

"hdf12"=hex:d7,39,a9,8e,95,a8,91,5d,0b,49,06,79,8e,43,91,91,8f,c2,86,f8,06,..

"a0"=hex:20,01,00,00,ce,02,1a,56,a7,aa,a7,df,ba,54,66,db,6f,23,ce,9f,23,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0]

"hdf12"=hex:5a,be,27,1c,2a,34,bd,99,68,76,27,c4,5b,f3,ba,94,71,99,60,a1,92,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1]

"hdf12"=hex:83,28,1d,29,d4,4b,5b,9c,69,c0,6a,e2,5f,a8,17,f5,f2,7d,e4,cf,2a,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:df,43,0d,69,da,26,aa,71,c0,c9,ec,02,44,0c,09,62,f3,c6,df,fd,de,..

"p0"="H:\Program Files\DAEMON Tools\"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"khjeh"=hex:bc,0d,1c,e3,e8,38,fe,52,b9,b1,1b,5b,f5,33,85,4b,16,f5,d9,59,d1,..

"a0"=hex:20,01,00,00,4c,76,da,56,fd,bc,33,29,6c,1e,bb,b9,50,9b,f1,9c,42,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:d5,c1,84,09,24,5b,58,33,79,af,3c,d0,08,6f,8d,03,3f,99,ec,dd,b4,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:a7,11,4b,92,d7,ff,33,2d,1e,23,a8,01,ff,33,62,85,5c,7a,f8,b0,ec,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]

"khjeh"=hex:f2,36,4e,34,87,d8,0c,80,e7,75,14,45,10,e9,1e,be,20,dd,d2,5a,f4,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]

"khjeh"=hex:2d,fb,9a,8a,78,ff,4a,94,bb,48,89,91,a0,61,85,55,ed,10,85,17,66,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="I:\Alcohol 120\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="H:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:9e,70,a1,a0,aa,c4,4f,73,de,50,43,8d,ea,ea,6f,2e,d5,21,05,90,5b,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,67,27,a2,c5,7c,96,75,a2,7b,d0,0b,d3,b9,43,d6,39,79,..

"khjeh"=hex:ec,26,3f,b4,1c,e4,05,b1,b1,b1,10,3a,b1,d6,6c,0d,96,0f,09,43,85,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:bd,b7,fc,6f,51,2d,17,e7,8f,b3,1e,b3,85,d0,6d,62,ac,33,3e,11,55,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:80,a8,55,51,02,82,b5,da,d8,c6,2f,89,45,f6,79,0b,d7,40,d6,cd,15,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="I:\Alcohol 120\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]

"p0"="H:\Program Files\DAEMON Tools Pro\"

"h0"=dword:00000001

"hdf12"=hex:c4,96,c7,de,a6,14,6d,b4,17,da,2d,f9,ba,c8,f1,50,92,cb,59,a3,b1,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]

"a0"=hex:20,01,00,00,2f,6b,d7,56,ae,93,19,52,43,f7,96,3f,d1,77,f9,4f,b1,..

"hdf12"=hex:9d,46,0e,ec,ec,fd,e6,ee,ec,b5,cf,70,e4,be,9d,82,f6,65,e5,78,66,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]

"hdf12"=hex:5a,be,27,1c,2a,34,bd,99,68,76,27,c4,5b,f3,ba,94,71,99,60,a1,92,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]

"hdf12"=hex:f9,f0,c4,57,f4,82,2f,5f,df,56,ff,96,df,6a,76,7d,97,a7,0a,39,0f,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002]

"hdf12"=hex:d7,39,a9,8e,95,a8,91,5d,0b,49,06,79,8e,43,91,91,8f,c2,86,f8,06,..

"a0"=hex:20,01,00,00,ce,02,1a,56,a7,aa,a7,df,ba,54,66,db,6f,23,ce,9f,23,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0]

"hdf12"=hex:5a,be,27,1c,2a,34,bd,99,68,76,27,c4,5b,f3,ba,94,71,99,60,a1,92,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1]

"hdf12"=hex:83,28,1d,29,d4,4b,5b,9c,69,c0,6a,e2,5f,a8,17,f5,f2,7d,e4,cf,2a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:df,43,0d,69,da,26,aa,71,c0,c9,ec,02,44,0c,09,62,f3,c6,df,fd,de,..

"p0"="H:\Program Files\DAEMON Tools\"


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"khjeh"=hex:bc,0d,1c,e3,e8,38,fe,52,b9,b1,1b,5b,f5,33,85,4b,16,f5,d9,59,d1,..

"a0"=hex:20,01,00,00,4c,76,da,56,fd,bc,33,29,6c,1e,bb,b9,50,9b,f1,9c,42,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:d5,c1,84,09,24,5b,58,33,79,af,3c,d0,08,6f,8d,03,3f,99,ec,dd,b4,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:a7,11,4b,92,d7,ff,33,2d,1e,23,a8,01,ff,33,62,85,5c,7a,f8,b0,ec,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]

"khjeh"=hex:f2,36,4e,34,87,d8,0c,80,e7,75,14,45,10,e9,1e,be,20,dd,d2,5a,f4,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]

"khjeh"=hex:2d,fb,9a,8a,78,ff,4a,94,bb,48,89,91,a0,61,85,55,ed,10,85,17,66,..


scanning hidden registry entries ...


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]

"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..


scanning hidden files ...


scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0



Remaining Services:

------------------




Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"H:\\Program Files\\Gadu-Gadu\\gg.exe"="H:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program główny"

"H:\\Program Files\\Bonjour\\mDNSResponder.exe"="H:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

"J:\\cs\\hl.exe"="J:\\cs\\hl.exe:*:Enabled:Half-Life Launcher"

"H:\\Program Files\\Hamachi\\hamachi.exe"="H:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"

"I:\\eMule\\emule.exe"="I:\\eMule\\emule.exe:*:Enabled:eMule"

"H:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="H:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

"H:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="H:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"

"H:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="H:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

"G:\\SetupWizard.exe"="G:\\SetupWizard.exe:*:Enabled:SetupWizard"

"J:\\MOHA GRA\\UnrealEngine3\\Binaries\\MOHA.exe"="J:\\MOHA GRA\\UnrealEngine3\\Binaries\\MOHA.exe:*:Enabled:Medal of Honor Airborne"

"H:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"="H:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe:*:Enabled:Java(TM) Platform SE binary"

"H:\\Program Files\\FileZilla\\FileZilla.exe"="H:\\Program Files\\FileZilla\\FileZilla.exe:*:Enabled:FileZilla"

"H:\\Program Files\\Skype\\Phone\\Skype.exe"="H:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"G:\\SetupWizard.exe"="G:\\SetupWizard.exe:*:Enabled:SetupWizard"


Remaining Files:

---------------


File Backups: - H:\SDFix\backups\backups.zip


Files with Hidden Attributes:


Mon 19 Nov 2007 13,256 A..H. --- H:\PULPIT\MAPHACK\AUTOMAP0.TMP

Mon 19 Nov 2007 440 A..H. --- H:\PULPIT\MAPHACK\AUTOMAP1.TMP

Tue 17 Oct 2006 304,736 A..H. --- H:\PROGRA~1\CANON\MPNAVI~1.0\MAINT.EXE

Tue 17 Oct 2006 61,440 A..H. --- H:\PROGRA~1\CANON\MPNAVI~1.0\UINSTRSC.DLL

Wed 21 Nov 2007 328,869 A..H. --- H:\DOCUME~1\ONES\USTAWI~1\TEMP\BIT1155.TMP

Wed 21 Nov 2007 328,869 A..H. --- H:\DOCUME~1\ONES\USTAWI~1\TEMP\BIT2E30.TMP

Sat 13 Oct 2007 328,869 A..H. --- H:\DECKARD\SYSTEM~1\BACKUP\DOCUME~1\ONES\USTAWI~1\TEMP\BIT10F3.TMP

Sat 13 Oct 2007 328,869 A..H. --- H:\DECKARD\SYSTEM~1\BACKUP\DOCUME~1\ONES\USTAWI~1\TEMP\BIT1101.TMP

Wed 21 Nov 2007 328,869 A..H. --- H:\DECKARD\SYSTEM~1\BACKUP\DOCUME~1\ONES\USTAWI~1\TEMP\BIT1155.TMP

Wed 8 Aug 2007 85,946 A..H. --- H:\DECKARD\SYSTEM~1\BACKUP\DOCUME~1\ONES\USTAWI~1\TEMP\BIT1213.TMP

Sat 13 Oct 2007 328,869 A..H. --- H:\DECKARD\SYSTEM~1\BACKUP\DOCUME~1\ONES\USTAWI~1\TEMP\BIT1217.TMP

Wed 8 Aug 2007 85,946 A..H. --- H:\DECKARD\SYSTEM~1\BACKUP\DOCUME~1\ONES\USTAWI~1\TEMP\BIT1A16.TMP

Wed 8 Aug 2007 85,946 A..H. --- H:\DECKARD\SYSTEM~1\BACKUP\DOCUME~1\ONES\USTAWI~1\TEMP\BIT1A17.TMP

Wed 8 Aug 2007 85,946 A..H. --- H:\DECKARD\SYSTEM~1\BACKUP\DOCUME~1\ONES\USTAWI~1\TEMP\BIT1A23.TMP

Tue 20 Nov 2007 335,858 A..H. --- H:\DECKARD\SYSTEM~1\BACKUP\DOCUME~1\ONES\USTAWI~1\TEMP\BIT2E30.TMP

Wed 8 Aug 2007 85,946 A..H. --- H:\DECKARD\SYSTEM~1\BACKUP\DOCUME~1\ONES\USTAWI~1\TEMP\BIT3.TMP

Wed 8 Aug 2007 85,946 A..H. --- H:\DECKARD\SYSTEM~1\BACKUP\DOCUME~1\ONES\USTAWI~1\TEMP\BITF.TMP


Finished!

Post merged: 21.11.2007 (Wed) 21:40

SmitFraudFix log: Is the virus removed?

SmitFraudFix v2.253


Scan done at 21:36:17,23, 2007-11-21

Run from H:\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Killing process



»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix


S!Ri's WS2Fix: LSP not Found.



»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


GenericRenosFix by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files



»»»»»»»»»»»»»»»»»»»»»»»» DNS


Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Sterownik miniport Harmonogramu pakietów

DNS Server Search Order: 192.168.1.1


HKLM\SYSTEM\CCS\Services\Tcpip\..\{928D5777-F110-4468-B6E6-EEA7395621C3}: NameServer=192.168.1.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{928D5777-F110-4468-B6E6-EEA7395621C3}: NameServer=192.168.1.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{928D5777-F110-4468-B6E6-EEA7395621C3}: NameServer=192.168.1.1



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


Registry Cleaning done. 


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» End



(Gutek) #4

Post a ComboFix log