Trojan Win32:Small-gen2[Trj]


(Moniquesz) #1

Jak usunąć to świństwo???Po uruchomieniu komputera wyskakuje komunikat ostrzegawczy Avasta( taki mam program antywirusowy) ze go znaleziono.Niestety po wszelkich próbach usunięcia go tym programem -nadal "to " siedzi.

Pomocy! !!

Z góry dziękuję za pomoc.

Logfile of HijackThis v1.99.1

Scan saved at 13:07:44, on 2006-11-27

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

D:\Zaistalowane programy\Avast\aswUpdSv.exe

D:\Zaistalowane programy\Avast\ashServ.exe

D:\Zaistalowane programy\Spy Doctor\Spyware Doctor\sdhelp.exe

C:\WINDOWS\system32\ntvdm.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Neostrada TP\taskbaricon.exe

D:\ZAISTA~1\Avast\ashDisp.exe

D:\Zaistalowane programy\Winamp\winampa.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

D:\Zaistalowane programy\Yava\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

D:\Zaistalowane programy\Avast\ashMaiSv.exe

D:\Zaistalowane programy\Avast\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

D:\Zaistalowane programy\Gadu-Gadu\Gadu-Gadu\gg.exe

D:\Zaistalowane programy\Winamp\winamp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\Monika\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

F3 - REG:win.ini: load=d:\dc__do~1\slowniki\ydp\watch.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Zaistalowane programy\Adobe Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Zaistalowane programy\Yava\bin\ssv.dll

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe

O4 - HKLM..\Run: [avast!] D:\ZAISTA~1\Avast\ashDisp.exe

O4 - HKLM..\Run: [WinampAgent] D:\Zaistalowane programy\Winamp\winampa.exe

O4 - HKLM..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM..\Run: [sunJavaUpdateSched] "D:\Zaistalowane programy\Yava\bin\jusched.exe"

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU..\Run: [Gadu-Gadu] "D:\Zaistalowane programy\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Zaistalowane programy\Adobe Reader\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Zaistalowane programy\Microsoft Office XP\Office10\OSA.EXE

O4 - Global Startup: MS_update_0610_KB72306.exe

O8 - Extra context menu item: Export to Microsoft Excel - res://D:\ZAISTA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Zaistalowane programy\Yava\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Zaistalowane programy\Yava\bin\ssv.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2730280171

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip..{B9CC794C-358D-4191-9B6F-E45EA1F0923A}: NameServer = 194.204.152.34 217.98.63.164

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Zaistalowane programy\Avast\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - D:\Zaistalowane programy\Avast\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\Zaistalowane programy\Avast\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\Zaistalowane programy\Avast\ashWebSv.exe" /service (file missing)

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Zaistalowane programy\Spy Doctor\Spyware Doctor\sdhelp.exe


(Monczkin) #2

Proszę poprawić posta zgodnie z tematami w tym dziale o prawidłowym wklejaniu logów na forum.


(Bbieniol) #3

W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):

Po zabiegach nowy log z Hijacka + log z Silent Runners

Podaj lokalizację tego czegoś :slight_smile:


(Moniquesz) #4

Lokalizacja tego wirusa to

C:\DOCUME~1\Monika\USTAWI~1\Temp

i za nic nie da się usunąc.

Mam usunąć to co zaznaczyłes w cytacie?


(Bbieniol) #5

Usuń to, co napisałem wyżej :slight_smile: Dodatkowo użyj tego narzędzia -> http://dobreprogramy.pl/index.php?dz=2&id=1188&t=59 i usuń nim wszystko, co znajdzie :slight_smile:


(Moniquesz) #6

wiec odkurzacz sobie z tym nie poradził - a z dysku niestety nie mam jak tego usunąć niczym:((

ps.po zaisntalowaniu odkurzacza zamuliło mi komputer na maxa( to normalne?)

Jakies inne propozycje?


(adam9870) #7

W trybie awaryjnym start => uruchom => cmd => wpisz:

RD /S /Q "C:\Documents and Settings\Monika\Ustawienia lokalne\Temp"


(Moniquesz) #8

i???

pisze ze nie moze uzyskac dostepu do pliku bo jest używany przez inny proces.


(Bbieniol) #9

Użyj tego narzędzia -> http://www.idg.pl/ftp/pc_9705/ATF.Cleaner..html


(Moniquesz) #10

Cleanera uzywałam juz dużo wcześniej - nic to nie dalo....a po tym odkurzaczu mam problem z otwieraniem programów....baaaaaaaaardzo długo sie otwierają.......podejrzanie dlugo....


(Bbieniol) #11

Wrzuć nowy log z Hijacka + log z Silent Runners


(Moniquesz) #12

Logfile of HijackThis v1.99.1

Scan saved at 12:14:49, on 2006-11-30

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

D:\Zaistalowane programy\Avast\aswUpdSv.exe

D:\Zaistalowane programy\Avast\ashServ.exe

D:\Zaistalowane programy\Spy Doctor\Spyware Doctor\sdhelp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ntvdm.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Neostrada TP\taskbaricon.exe

D:\ZAISTA~1\Avast\ashDisp.exe

D:\Zaistalowane programy\Winamp\winampa.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

D:\Zaistalowane programy\Yava\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

D:\Zaistalowane programy\Avast\ashMaiSv.exe

D:\Zaistalowane programy\Avast\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

D:\Zaistalowane programy\Gadu-Gadu\Gadu-Gadu\gg.exe

D:\Zaistalowane programy\Winamp\winamp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\Monika\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

F3 - REG:win.ini: load=d:\dc__do~1\slowniki\ydp\watch.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Zaistalowane programy\Adobe Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Zaistalowane programy\Yava\bin\ssv.dll

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe

O4 - HKLM..\Run: [avast!] D:\ZAISTA~1\Avast\ashDisp.exe

O4 - HKLM..\Run: [WinampAgent] D:\Zaistalowane programy\Winamp\winampa.exe

O4 - HKLM..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM..\Run: [sunJavaUpdateSched] "D:\Zaistalowane programy\Yava\bin\jusched.exe"

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU..\Run: [Gadu-Gadu] "D:\Zaistalowane programy\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Zaistalowane programy\Adobe Reader\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Zaistalowane programy\Microsoft Office XP\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\ZAISTA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Zaistalowane programy\Yava\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Zaistalowane programy\Yava\bin\ssv.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus ... nicode.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2730280171

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip..{B9CC794C-358D-4191-9B6F-E45EA1F0923A}: NameServer = 194.204.152.34 217.98.63.164

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Zaistalowane programy\Avast\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - D:\Zaistalowane programy\Avast\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\Zaistalowane programy\Avast\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\Zaistalowane programy\Avast\ashWebSv.exe" /service (file missing)

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Zaistalowane programy\Spy Doctor\Spyware Doctor\sdhelp.exe

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""D:\Zaistalowane programy\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\Program Files\Neostrada TP\taskbaricon.exe" ["France Télécom R&D"]

"avast!" = "D:\ZAISTA~1\Avast\ashDisp.exe" [null data]

"WinampAgent" = "D:\Zaistalowane programy\Winamp\winampa.exe" [null data]

"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]

"SunJavaUpdateSched" = ""D:\Zaistalowane programy\Yava\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32(Default) = "D:\Zaistalowane programy\Adobe Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32(Default) = "D:\Zaistalowane programy\Yava\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {HKLM...CLSID} = "avast"

\InProcServer32(Default) = "D:\Zaistalowane programy\Avast\ashShell.dll" ["ALWIL Software"]

"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"

-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"

\InProcServer32(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "D:\Zaistalowane programy\Microsoft Office XP\Office10\msohev.dll" [MS]

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\

<> "load" = "d:\dc__do~1\slowniki\ydp\watch.exe" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32(Default) = "D:\Zaistalowane programy\Adobe Reader\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32(Default) = "D:\Zaistalowane programy\Avast\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32(Default) = "D:\Zaistalowane programy\Avast\ashShell.dll" ["ALWIL Software"]

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Monika\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]

Startup items in "Monika" & "All Users" startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "D:\Zaistalowane programy\Adobe Reader\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Microsoft Office" -> shortcut to: "D:\Zaistalowane programy\Microsoft Office XP\Office10\OSA.EXE -b -l" [MS]

<> "MS_update_0610_KB72306.exe" [null data]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = "Volet Wanadoo"

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = "ToolBand Class"

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = "Volet Wanadoo"

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"

\InProcServer32(Default) = "D:\Zaistalowane programy\Yava\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"

\InProcServer32(Default) = "D:\Zaistalowane programy\Yava\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

Miscellaneous IE Hijack Points


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

-> {HKLM...CLSID} = "Search Class"

\InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):


avast! Antivirus, avast! Antivirus, ""D:\Zaistalowane programy\Avast\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""D:\Zaistalowane programy\Avast\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""D:\Zaistalowane programy\Avast\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""D:\Zaistalowane programy\Avast\ashWebSv.exe" /service" ["ALWIL Software"]

PC Tools Spyware Doctor, SDhelper, "D:\Zaistalowane programy\Spy Doctor\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]


<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 65 seconds, including 2 seconds for message boxes)


(adam9870) #13

Logi są ok.

Pozamykaj porty robakom. W tym celu użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Czy problem nadal występuje ??

SpywareDoctor to aplikacja wątpliwej reputacji dlatego proponuję zmienić na coś innego. Osobiście polecam AVG Anti-Spyware.


(Moniquesz) #14

porty mam juz dawno pozamykane wszystkie....idąc za rada chcialam odinstalowac dr spy i.... i nie uruchamia sie odinstalowywanie...szok - jak nie urok to sra.....


(adam9870) #15

W takim razie zajrzyj tutaj:

http://forum.dobreprogramy.pl/viewtopic ... 332#791332

podałem tam sposób na usunięcie SpywareDoctor'a.


(Moniquesz) #16

jakos udało mi sie samej usunąć.Zainstalowałam AVG- coś tam wyszukało - przeskanowałam i wrzuciłam do kwarantanny. Zrobiłam restart.... i nadal nic...trojan jak siedział podobno tak siedzi - avast ciagle pokazuje mi ten komunikat...ręce opadają.....


(Joan Sunshine) #17

Z kwarantanny AVG wszystko usuń. Na jaki plik wskazuje avast? :slight_smile:


(Moniquesz) #18

Win32:Small-gen2 [Trj]

C:\DOCUME~1\Monika\USTAWI~1\Temp\tmp27A.tmp


(Bbieniol) #19

Otwórz notatnik i wklej w nim to:

Plik -> zapisz jako -> zmień rozszerzenie na wszystkie pliki -> zapisz pod nazwą FIX.BAT

W trybie awaryjnym odpal plik FIX.BAT i restart kompa :slight_smile:


(Moniquesz) #20

nic nie zrozumialam. że niby w jakim celu??? i po kolei.