Trojan Win32.backdoor.rbot i samowolne restarty kompa

system · 1 Grudzień 2006 06:27

witam

mam problem od wczoraj a mianowice:

-samowolny reset kompa po ktorym system laduje sie normalnie a po wlaczenieu wyswietla sie raport o bledach:

http://img221.imageshack.us/done.php?l=img221/5816/bladmc9.png

-po kilku restertach przeskanowalem ad-awerem i wykrylo cos takiego jak Win32.Backdoor.RBot - usunolem i od tego momentu bylo ok az do rana. po uruchomieniu przy ladowaniu systemu wywalilo niebieski ekran i od razu reset, za 2 razem system sie tez nie zaladowal - dopiero zadzialalo przywrocenie ostatnich dzialajacych ustawien

-system sie zaladowal wiec zaczolem skanowac ad-werem - restet

-po uruchomieniu pokazalo ten blad co wyzej

-p juz udanym skanowaniu i wykryciu i skasowaniu win32.backdoor.rbot problem narazie ustal czyli komp sie nie resetuje

czy da sie na dobre wywalic tego trojana? wydaje mi sie ze te restarty to jego wina

-jest 2 opcja - do 256 dolozylem wczoraj 512 ramu - lecz nie sadze zeby to bylo to bo jeszcze przed dolozeniem komp sie restatrnol i pokazal ten blad - wiec ram odpada

Prosze pomozcie

adam9870 · 1 Grudzień 2006 06:33

Proszę wkleić na forum zestaw logów:

http://forum.dobreprogramy.pl/viewtopic.php?t=36654

Dodatkowo

możesz napisać gdzie ad-adware wykrył tego trojana (dokładna ścieżka)
możesz wyczyścić katalog TEMP. W trybie awaryjnym start => uruchom => cmd => w konsoli, która się otworzy wpisz:

RD /S /Q "C:\Documents and Settings\Komputer\Ustawienia lokalne\Temp"

system · 1 Grudzień 2006 06:37

wlasnie sie znow restartnol wiec znow zrobilem skan i nic nie znalazlo

boje sie ze jakis podzespol pada

Logfile of HijackThis v1.99.1 Scan saved at 07:47:06, on 2006-12-01 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avast4\aswUpdSv.exe C:\Program Files\Avast4\ashServ.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe C:\PROGRA~1\Avast4\ashDisp.exe C:\Program Files\DAP\DAP.EXE C:\WINDOWS\System32\mysvcc.exe C:\Program Files\DAEMON Tools\daemon.exe C:\WINDOWS\system32\winsrcv.exe C:\WINDOWS\system32\lssrvc.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\D-Link AirPlus\AirPlus.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Avast4\ashMaiSv.exe C:\Program Files\Avast4\ashWebSv.exe C:\Documents and Settings\Komputer\Pulpit\Ściągnięte\hijackthis\HijackThis.exe C:\Program Files\Mozilla Firefox\firefox.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O1 - Hosts: 195.228.155.251 l2authd.lineage2.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [DownloadAccelerator] “C:\Program Files\DAP\DAP.EXE” /STARTUP O4 - HKLM…\Run: [mysvcig38] mysvcc.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [mysvcig38] mysvcc.exe O4 - HKCU…\Run: [vssl2] C:\WINDOWS\system32\winsrcv.exe O4 - HKCU…\Run: [chsr] C:\WINDOWS\system32\lssrvc.exe O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” O4 - Global Startup: D-Link AirPlus.lnk = ? O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O17 - HKLM\System\CCS\Services\Tcpip…{9CE2A4F8-B5E9-47AB-B0E7-7551A6AB539C}: NameServer = 192.168.10.68,194.204.159.1 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Złączono Posta : 01.12.2006 (Pią) 9:28

wylaczylem automatyczny restart kompa przy bledzie wiec teraz wywala niebieski ekran

-za 1 razem pisze ze blad spowodowal KSecDD.sys

-za 2 razem ze tcpip.sys

o co biega?

moze postawic system na nowo?

system · 1 Grudzień 2006 09:01

albo sterwoniki zle wgrane i wiesza sie resetuje albo cos sie przegzewa i dla bezpieczenstwa resetuje sie nie wiem sprawdz! wyczysc moze kompa zkurzu

Joan · 1 Grudzień 2006 09:08

Użyj narzędzia WWDC (pozwoli Ci to zamknąć robaczywe porty), zmień znaczki z Disable na Enable i zresetuj sysa.

Użyj SmitFraudFix z opcji 2 w trybie awaryjnym.

Wyłączasz przywracanie systemu (Panel sterowania -> System -> Przywracanie systemu -> zaznaczasz „Wyłącz przywracanie systemu” ).

W HJT odpalonym z trybie awaryjnym i klikasz na dole “Fix checked” , to co na czerwono usuwasz ręcznie z dysku:

I nowe logi z HJT i Silent Runners (zaznaczasz No i czekasz aż skończy pracować w tle) oraz koniecznie raport ze SmitFraudFix – plik c:\rapport.txt.

system · 1 Grudzień 2006 09:29

jak narazie “okurzylem” i cofnolem system do poniedzialku kiedy bylo wszystko dobrze i czekam

jesli to nie pomoze to zastiosuje sie do zalecen joan badz przeinstaluje system

dzieki za pomoc

Joan · 1 Grudzień 2006 09:30

Zastosuj się do zaleceń bo masz syf niestety

Monczkin · 1 Grudzień 2006 09:43

odszczep proszę używać na forum polskiej pisowni.

system · 1 Grudzień 2006 13:12

pytanie do Joan

jak? przepraszam że pytam o taki banał

aha moj win32.backdoor.sdbot powrocil wiec proboje HaxFix

Joan · 1 Grudzień 2006 13:34

Kasujesz w trybie awaryjnym, te pliki powinny być w folderze C:\Windows\system32

Nie widzę tu potrzeby zastosowania Haxa. Uzyj SmitFraudFix z opcji 2 w trybie awaryjnym i wklej raport.

system · 1 Grudzień 2006 20:31

oto logi - bardzo proszę o sprawdzenie, wszystko zrobione zgodnie z poleceiniem Joan

Logfile of HijackThis v1.99.1 Scan saved at 21:18:45, on 2006-12-01 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\Komputer\Pulpit\Ściągnięte\Narzędzia\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O1 - Hosts: 195.228.155.251 l2authd.lineage2.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [DownloadAccelerator] “C:\Program Files\DAP\DAP.EXE” /STARTUP O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [mysvcig38] mysvcc.exe O4 - HKCU…\Run: [chsr] C:\WINDOWS\system32\lssrvc.exe O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” O4 - Global Startup: D-Link AirPlus.lnk = ? O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O17 - HKLM\System\CCS\Services\Tcpip…{9CE2A4F8-B5E9-47AB-B0E7-7551A6AB539C}: NameServer = 192.168.10.68,194.204.159.1 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

SmitFraudFix v2.126 Scan done at 21:11:24,06, 2006-12-01 Run from C:\Documents and Settings\Komputer\Pulpit\—ciĄgni©te\Narz©dzia\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» End ----------------------------------------------------------------- “Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “chsr” = “C:\WINDOWS\system32\lssrvc.exe” [null data] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}” = ““C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”” [“Nero AG”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “SunJavaUpdateSched” = “C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe” [null data] “avast!” = “C:\PROGRA~1\Avast4\ashDisp.exe” [null data] “DownloadAccelerator” = ““C:\Program Files\DAP\DAP.EXE” /STARTUP” [“Speedbit Ltd.”] “NeroFilterCheck” = “C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [“Nero AG”] “DAEMON Tools” = ““C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033” [“DT Soft Ltd.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” - {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” - {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Context Menu Shell Extension” - {HKLM…CLSID} = “WinAceContext Menu Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 DragDrop Shell Extension” - {HKLM…CLSID} = “WinAceDrag-Drop Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Context Menu Shell Extension” - {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Property Sheet Shell Extension” - {HKLM…CLSID} = “WinAceProperty Sheet Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Avast4\ashShell.dll” [“ALWIL Software”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” - {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Avast4\ashShell.dll” [“ALWIL Software”] DAP_Menu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” - {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” - {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] ZFAdd(Default) = “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” - {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” - {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] ZFAdd(Default) = “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” - {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Avast4\ashShell.dll” [“ALWIL Software”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoLogOff” = (REG_BINARY) hex:01 00 00 00 {User Configuration|Administrative Templates|System|Logon/Logoff| Disable Logoff} “NoFavoritesMenu” = (REG_BINARY) hex:01 00 00 00 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Favorites menu from Start Menu} “NoRecentDocsMenu” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “NoHelp” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\Komputer\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Komputer” “All Users” startup folders: ---------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “D-Link AirPlus” - shortcut to: “C:\Program Files\D-Link AirPlus\AirPlus.exe” [“D-Link”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{37B85A29-692B-4205-9CAD-2626E4993404}” - {HKLM…CLSID} = “My Global Search Bar” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [file not found] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” HOSTS file ---------- C:\WINDOWS\System32\drivers\etc\HOSTS maps: 9 domain names to IP addresses, 1 of the IP addresses is *not* localhost! All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- avast! Antivirus, avast! Antivirus, ““C:\Program Files\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\System32\wbem\wmiapsrv.exe” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] Portable Media Serial Number Service, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\MsPMSNSv.dll” [MS]} SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] User Privilege Service, usprserv, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {(missing data)} Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 55 seconds. ---------- (total run time: 443 seconds)

adam9870 · 1 Grudzień 2006 20:35

Poszukaj plików na dysku i usuń w trybie awaryjnym jeśli będą (powinien być tylko ostatni).

Otwórz notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG i uruchom go w trybie awaryjnym.

Po wykonaniu oczywiście wklej nowe logi.

system · 3 Grudzień 2006 17:16

dziś zrobiłem formata zainstalowałem windowsa i liczyłem że problem się skończy ale po 1 skanowaniu ad-awerem oczywiście win32.backdoor.rbot był obecny

oto logi zobione w awaryjnym, prosze o ocene

SmitFraudFix v2.126 Scan done at 18:05:50,85, 2006-12-03 Run from D:\Instalki\Narz©dzia\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» End ---------------------------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 18:07:05, on 2006-12-03 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe D:\Instalki\Narzędzia\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [DownloadAccelerator] “C:\Program Files\DAP\DAP.EXE” /STARTUP O4 - HKLM…\Run: [DiskeeperSystray] “C:\Program Files\Executive Software\Diskeeper\DkIcon.exe” O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM…\Run: [Resume copy] copyfstq.exe /startup O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Global Startup: D-Link AirPlus.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: Download with DAP - C:\Program Files\DAP\dapextie.htm O8 - Extra context menu item: Download all with DAP - C:\Program Files\DAP\dapextie2.htm O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O17 - HKLM\System\CCS\Services\Tcpip…{C2941404-8085-4600-B78E-2BE9392961B5}: NameServer = 192.168.10.68,194.204.159.1 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe ----------------------------------------------------- “Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “DownloadAccelerator” = ““C:\Program Files\DAP\DAP.EXE” /STARTUP” [“Speedbit Ltd.”] “DiskeeperSystray” = ““C:\Program Files\Executive Software\Diskeeper\DkIcon.exe”” [“Executive Software International, Inc.”] “SunJavaUpdateSched” = “C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe” [null data] “Resume copy” = “copyfstq.exe /startup” [null data] “DAEMON Tools” = ““C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033” [“DT Soft Ltd.”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” - {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” - {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Context Menu Shell Extension” - {HKLM…CLSID} = “WinAceContext Menu Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 DragDrop Shell Extension” - {HKLM…CLSID} = “WinAceDrag-Drop Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Context Menu Shell Extension” - {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Property Sheet Shell Extension” - {HKLM…CLSID} = “WinAceProperty Sheet Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{A4D78B20-6E05-1069-8758-4E73FD83DEAD}” = “QCopy” - {HKLM…CLSID} = “QCopy” \InProcServer32(Default) = “dropcpyr.dll” [null data] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” - {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] ZFAdd(Default) = “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” - {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” - {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] ZFAdd(Default) = “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” - {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoLogOff” = (REG_BINARY) hex:01 00 00 00 {User Configuration|Administrative Templates|System|Logon/Logoff| Disable Logoff} “NoFavoritesMenu” = (REG_BINARY) hex:01 00 00 00 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Favorites menu from Start Menu} “NoRecentDocsMenu” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “NoHelp” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “NoEditMenu” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Startup items in “Komputer” “All Users” startup folders: ---------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “D-Link AirPlus” - shortcut to: “C:\Program Files\D-Link AirPlus\AirPlus.exe” [“D-Link”] “Microsoft Office” - shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] Diskeeper, Diskeeper, “C:\Program Files\Executive Software\Diskeeper\DkService.exe” [“Executive Software International, Inc.”] Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\System32\wbem\wmiapsrv.exe” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 30 seconds. ---------- (total run time: 112 seconds)

Bieniol · 3 Grudzień 2006 17:19

Logi są czyste

Proponuję zainstalować SP2

system · 3 Grudzień 2006 17:19

dziś zrobiłem formata zainstalowałem windowsa i liczyłem że problem się skończy ale po 1 skanowaniu ad-awerem oczywiście win32.backdoor.rbot był obecny

oto logi zobione w awaryjnym, prosze o ocene

SmitFraudFix v2.126 Scan done at 18:05:50,85, 2006-12-03 Run from D:\Instalki\Narz©dzia\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» End ---------------------------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 18:07:05, on 2006-12-03 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe D:\Instalki\Narzędzia\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [DownloadAccelerator] “C:\Program Files\DAP\DAP.EXE” /STARTUP O4 - HKLM…\Run: [DiskeeperSystray] “C:\Program Files\Executive Software\Diskeeper\DkIcon.exe” O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM…\Run: [Resume copy] copyfstq.exe /startup O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Global Startup: D-Link AirPlus.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: Download with DAP - C:\Program Files\DAP\dapextie.htm O8 - Extra context menu item: Download all with DAP - C:\Program Files\DAP\dapextie2.htm O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O17 - HKLM\System\CCS\Services\Tcpip…{C2941404-8085-4600-B78E-2BE9392961B5}: NameServer = 192.168.10.68,194.204.159.1 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe ----------------------------------------------------- “Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “DownloadAccelerator” = ““C:\Program Files\DAP\DAP.EXE” /STARTUP” [“Speedbit Ltd.”] “DiskeeperSystray” = ““C:\Program Files\Executive Software\Diskeeper\DkIcon.exe”” [“Executive Software International, Inc.”] “SunJavaUpdateSched” = “C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe” [null data] “Resume copy” = “copyfstq.exe /startup” [null data] “DAEMON Tools” = ““C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033” [“DT Soft Ltd.”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” - {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” - {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Context Menu Shell Extension” - {HKLM…CLSID} = “WinAceContext Menu Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 DragDrop Shell Extension” - {HKLM…CLSID} = “WinAceDrag-Drop Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Context Menu Shell Extension” - {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Property Sheet Shell Extension” - {HKLM…CLSID} = “WinAceProperty Sheet Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{A4D78B20-6E05-1069-8758-4E73FD83DEAD}” = “QCopy” - {HKLM…CLSID} = “QCopy” \InProcServer32(Default) = “dropcpyr.dll” [null data] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” - {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] ZFAdd(Default) = “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” - {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” - {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] ZFAdd(Default) = “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” - {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoLogOff” = (REG_BINARY) hex:01 00 00 00 {User Configuration|Administrative Templates|System|Logon/Logoff| Disable Logoff} “NoFavoritesMenu” = (REG_BINARY) hex:01 00 00 00 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Favorites menu from Start Menu} “NoRecentDocsMenu” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “NoHelp” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} “NoEditMenu” = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Startup items in “Komputer” “All Users” startup folders: ---------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “D-Link AirPlus” - shortcut to: “C:\Program Files\D-Link AirPlus\AirPlus.exe” [“D-Link”] “Microsoft Office” - shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] Diskeeper, Diskeeper, “C:\Program Files\Executive Software\Diskeeper\DkService.exe” [“Executive Software International, Inc.”] Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\System32\wbem\wmiapsrv.exe” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 30 seconds. ---------- (total run time: 112 seconds)

Bieniol · 3 Grudzień 2006 17:24

Przecież napisałem Ci już wyżej, że logi masz czyste :roll: po co wklejasz je jeszcze raz?

system · 3 Grudzień 2006 18:25

to nowe logi z dzisiaj po formoacie i ponownym zainstalowaniu winXP no i po ponownym pojawieniu się błędu. zainstalowalem teraz service pack 2 jak to nie pomoze to nie wiem

Bieniol · 3 Grudzień 2006 18:27

Jakiego błędu? Wklej screena

system · 3 Grudzień 2006 18:58

błąd polega na tym ze w pewnym momencie wyskakuje ekran śmierci [pokazuje że błąd spowodowały różne pliki: ntfs.sys; tcpip.sys; KSecDD.sys; smwdm.sys i inne co nie pamiętam] - restartuje kompa, uruchamia się normalnie, po czym pojawia się raport o błędach [w 1 poscie załączyłem link do obrazka]

Bieniol · 3 Grudzień 2006 19:04

Wejdź w dziennik zdarzeń:

Start -> uruchom -> eventvwr i sprawdź, czy nie masz błędów zaznaczonych kolorem czerwonym - jeżeli są to wrzuć ich screeny

Jak wstawić zrzut pulpitu?