Strona startowa msn.com


(Cole_) #1

Strona startowa MSIE jest podmieniana na http://www.msn.com, mój provider nie chce mnie wpuścić do internetu (podkłada swoją stronę, na której informuje, że mam wirusa)... Wydawało mi się, że usunąłem trojana, którego wykrył Avast, ale problem powrócił, stąd ta prośba. Na http://www.hijackthis.de/ napisali, że tylko

O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\system32\nzdd.dll

jest nasty, ale jest też kilka nieznanych procesów.


(Gblade) #2

1.Startujesz do trybu awaryjnego

2.Wyłanczasz przywracanie systemu (tylko Me/Xp)

3.Kasujesz wpisy w HijackThis

4.Kasujesz pogrubione pliki/foldery

5.Dajesz nowy log z hjt + log z Silent Runners

po co ci avg i avast ? odinstaluj jednego

ten automat wprowadza ludzi w błąd, ma nie aktualną baze ...wady moge wymieniać cały dzień, radze nie korzystać z niego.


(Cole_) #3

Z tym jest problem, bo 4 z tych plików (te, które siedzą w C:/Documents and Settings/All Users/Dokumenty/Settings) nie chcą się dać usunąć hjt...

A to nie ja instalowałem, to w ogóle nie mój komputer :slight_smile: Ale przekażę.

Jeszcze wrzucam loga SilentRunnera:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"KAVPersonal50" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" [file not found]

"SiSSoundMan" = "C:\WINDOWS\system32\SoundMan.exe" ["Avance Logic, Inc."]

"AVGCtrl" = ""C:\Program Files\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"wpkontakt" = "C:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe -autostart" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "Skladnik rozszerzenia powloki CorelDRAW"

  -> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"

                   \InProcServer32\(Default) = "C:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll" [null data]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"

  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"

                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

INFECTION WARNING! "System" = "cslbm.exe" [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! 2006reg\DLLName = "C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll" [null data]

INFECTION WARNING! 2014reg\DLLName = "C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll" [null data]

INFECTION WARNING! 20242402reg\DLLName = "C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll" [null data]

INFECTION WARNING! artm_newreg\DLLName = "C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"

                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"

                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Tato\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\AVASTSS.scr" ["ALWIL Software"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\

"ButtonText" = "eBay - Homepage"

"CLSIDExtension" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

  -> {HKLM...CLSID} = "Toolbar Extension for Executable"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

"Exec" = "C:\Program Files\IrfanView\Ebay\Ebay.htm" [null data]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 148 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 54 seconds.

---------- (total run time: 531 seconds)

(Gblade) #4

Ściągnij Pocket Killbox>>>uruchom>>>zaznacz opcje "Delete on Reboot" i "all files">>>w polu "Full path of file" wklej ścieżki:

Po wklejeniu każdej ścieżki z osobna , klikasz x, dopiero gdy wkleisz "ostatnią" zgadzasz się na restart kompa.

Otwórz notatnik i wklej:

Plik>>>zapisz jako>>zmień rozszerzenie z .txt na wszystkie pliki>>>zapisz pod nazwą FIX.REG i uruchom w trybie awaryjnym

Puść w ruch fixwareout i pokaż raport.


(Cole_) #5

Wrzucam loga z fixwareout'a:

Fixwareout ver 1.003

Last edited 07/1/2006

Post this report in the forums please 


Reg Entries that were deleted 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\iugogol

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\atsniwd

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tafggrfd

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tsiphxp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nmdapxlt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\cvsgolps

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\fcqmd

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\iugogol

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\sidkkhc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\atsniwd

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ko2toob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tafggrfd

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tsiphxp

...


Random Runs removed from HKLM 

...


PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Example ipsec6.exe is legitimate


»»»»» Search by size and names... 


»»»»» Misc files 


»»»»» Checking for older varients covered by the Rem3 tool


»»»»» 

Search five digit cs, dm and jb files

This WILL/CAN also list Legit Files, Submit them at Virustotal

 Other suspects

Directory of C:\WINDOWS\system32

I z hjt:

Logfile of HijackThis v1.99.1

Scan saved at 13:58:31, on 2006-07-06

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\AVPersonal\AVGNT.EXE

C:\Program Files\Opera\Opera.exe

C:\Documents and Settings\Tato\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize

O4 - HKLM\..\Run: [SiSSoundMan] C:\WINDOWS\system32\SoundMan.exe

O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [wpkontakt] C:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe -autostart

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2534AA11-16BB-4265-A0AB-4CA35D85FB27}: NameServer = 172.16.1.254,217.96.23.251

O17 - HKLM\System\CS1\Services\Tcpip\..\{2534AA11-16BB-4265-A0AB-4CA35D85FB27}: NameServer = 172.16.1.254,217.96.23.251

O17 - HKLM\System\CS3\Services\Tcpip\..\{2534AA11-16BB-4265-A0AB-4CA35D85FB27}: NameServer = 172.16.1.254,217.96.23.251

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

(Gblade) #6

logi czyste


(Cole_) #7

Tylko Avast jeszcze wywala mi że "czas na połączenie upłynął" i wypisuje pod spodem SERVICES.EXE -> . I tak co chwilę... :roll:


(Gblade) #8

wrzuć jeszcze loga z silent runners , podaj screena z komunikatu avasta


(Cole_) #9

Na razie wywaliłem wszystkie antywirusy oprócz Avasta, wyłączyłem systemową i avastową zaporę i zainstalowałem Zone Alarma. W ZA zabroniłem procesowi services.exe dostępu do netu i objawy ustały. Na jak długo - zobaczymy :slight_smile: Dzięki za wszystko!