R11
(R@F)
12 Luty 2007 16:03
#1
Witam kolega miał sporo wirusów, zostały chyba usunięte. Ale prosiłbym o sprawdzenie dla pewności. W HJ niepasują mi wpisy R1 i 017. Poniżej logi:
Logfile of HijackThis v1.99.1 Scan saved at 16:53:03, on 2007-02-12 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe C:\WINDOWS\RTHDCPL.EXE C:\PROGRA~1\LAUNCH~1\LManager.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\igfxext.exe C:\DOCUME~1\admin\USTAWI~1\Temp\RtkBtMnt.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\admin\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antivermins.com/?aff=334 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O4 - HKLM…\Run: [skyTel] SkyTel.EXE O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe” O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM…\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM…\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM…\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM…\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{412A3F03-AC78-4AB9-B95F-231A03CE170D}: NameServer = 85.255.115.92,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip…{519FB64A-8EBD-4AF6-9695-34420089B24F}: NameServer = 85.255.115.92,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip…{E46BDC09-61F9-434B-9305-05D6A02E6433}: NameServer = 85.255.115.92,85.255.112.10 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.92 85.255.112.10 O17 - HKLM\System\CS1\Services\Tcpip…{412A3F03-AC78-4AB9-B95F-231A03CE170D}: NameServer = 85.255.115.92,85.255.112.10 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.92 85.255.112.10 O17 - HKLM\System\CS2\Services\Tcpip…{412A3F03-AC78-4AB9-B95F-231A03CE170D}: NameServer = 85.255.115.92,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.92 85.255.112.10 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
i silent:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} “user32.dll” = “C:\Program Files\Video ActiveX Object\isamntr.exe” [file not found] “rare” = “C:\Program Files\Video ActiveX Object\pmsnrr.exe” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SkyTel” = “SkyTel.EXE” [“Realtek Semiconductor Corp.”] “SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”] “LManager” = “C:\PROGRA~1\LAUNCH~1\LManager.exe” [“Dritek System Inc.”] “igfxtray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”] “igfxpers” = “C:\WINDOWS\system32\igfxpers.exe” [“Intel Corporation”] “igfxhkcmd” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”] “AzMixerSel” = “C:\Program Files\Realtek\InstallShield\AzMixerSel.exe” [“Realtek Semiconductor Corp.”] “Alcmtr” = “ALCMTR.EXE” [“Realtek Semiconductor Corp.”] “dmwfc.exe” = “C:\WINDOWS\system32\dmwfc.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\K-Lite Codec Pack\Real\rpshell.dll” [“RealNetworks, Inc.”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ <> “System” = “csdds.exe” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”] <> partnershipreg\DLLName = “C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll” [null data] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” DESKTOP.INI DLL launch in local fixed drive directories: -------------------------------------------------------- C:\Documents and Settings\Rafal\Ustawienia lokalne\Historia\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Historia\History.IE5\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\0PSVWFWB\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\41K927K9\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\5K9YPLVN\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\6JGRXAZI\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\6RANQ1UF\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ACM02VYM\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ATWF6965\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\C5G74N4N\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\CK0ZF23H\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\CT6J4PEN\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\CTYRK9Q3\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ELKZQ5M5\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\EPDEVE5K\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ILDQJEXK\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\IXBRTE20\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\L08JLPOH\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\MPN0H8RM\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\NA0NR90L\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\OF5Z6YFP\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\P7BN5TCE\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\POSB9T89\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\RMOVZ94L\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\S1AJWLER\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\S5IJCHAN\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\S9CPIF0L\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\SJ5F2IRL\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\TBBVT50E\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\TOT179LF\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\UQUX9HS2\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\UZ6ZY927\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\WHUB0DYJ\DESKTOP.INI – cannot be opened! C:\Documents and Settings\Rafal\Ustawienia lokalne\Temporary Internet Files\Content.IE5\ZR5XP51M\DESKTOP.INI – cannot be opened! Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_10” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_10” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 13 seconds. ---------- (total run time: 48 seconds)
adam9870
(adam9870)
12 Luty 2007 16:40
#2
Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:
C:\WINDOWS\system32\dmwfc.exe
C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll
C:\WINDOWS\system32\csdds.exe
po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE O17 - HKLM\System\CCS\Services\Tcpip…{412A3F03-AC78-4AB9-B95F-231A03CE170D}: NameServer = 85.255.115.92,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip…{519FB64A-8EBD-4AF6-9695-34420089B24F}: NameServer = 85.255.115.92,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip…{E46BDC09-61F9-434B-9305-05D6A02E6433}: NameServer = 85.255.115.92,85.255.112.10 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.92 85.255.112.10 O17 - HKLM\System\CS1\Services\Tcpip…{412A3F03-AC78-4AB9-B95F-231A03CE170D}: NameServer = 85.255.115.92,85.255.112.10 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.92 85.255.112.10 O17 - HKLM\System\CS2\Services\Tcpip…{412A3F03-AC78-4AB9-B95F-231A03CE170D}: NameServer = 85.255.115.92,85.255.112.10 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.92 85.255.112.10 O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
Usuń wpisy HJT.
Użyj narzędzia SmitFraudFix z opcji numer 2 w trybie awaryjnym.
Użyj narzędzia FixWareOut .
Po wykonaniu pokaż nowy log z HijackThis, SilentRunners , zawartość pliku c:\rapport.txt oraz c:\fixwareout\report.txt
R11
(R@F)
13 Luty 2007 12:13
#3
Z HJ nie usunołem wpisów:
i
ponieważ ich niebyło. Poniżej wszystkie logi:
Logfile of HijackThis v1.99.1 Scan saved at 13:10:16, on 2007-02-13 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe C:\WINDOWS\RTHDCPL.EXE C:\PROGRA~1\LAUNCH~1\LManager.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\igfxext.exe C:\DOCUME~1\admin\USTAWI~1\Temp\RtkBtMnt.exe C:\Documents and Settings\admin\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antivermins.com/?aff=334 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O4 - HKLM…\Run: [skyTel] SkyTel.EXE O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe” O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM…\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM…\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM…\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM…\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
silent:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SkyTel” = “SkyTel.EXE” [“Realtek Semiconductor Corp.”] “SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”] “LManager” = “C:\PROGRA~1\LAUNCH~1\LManager.exe” [“Dritek System Inc.”] “igfxtray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”] “igfxpers” = “C:\WINDOWS\system32\igfxpers.exe” [“Intel Corporation”] “igfxhkcmd” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”] “AzMixerSel” = “C:\Program Files\Realtek\InstallShield\AzMixerSel.exe” [“Realtek Semiconductor Corp.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\K-Lite Codec Pack\Real\rpshell.dll” [“RealNetworks, Inc.”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_10” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_10” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 9 seconds. ---------- (total run time: 34 seconds)
SmitFraudFix
SmitFraudFix v2.141 Scan done at 13:03:59,17, 2007-02-13 Run from C:\Documents and Settings\admin\Pulpit\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] “{2acf3add-34a1-4f2f-99cf-cc69785d1e90}”=“exemplars” »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\DOCUME~1\ALLUSE~1\MENUST~1\Online Security Guide.url Deleted C:\DOCUME~1\ALLUSE~1\MENUST~1\Security Troubleshooting.url Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “system”=“csnpc.exe” »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» End fixwareout Fixwareout Last edited 2/11/2007 Post this report in the forums please … »»»»»Prerun check HKLM\SOFTWARE~\CurrentVersion\Run\ =“dmkop” HKLM\SOFTWARE~\Winlogon\ “System”=“csklp.exe” »»»»» System restarted »»»»» Postrun check HKLM\SOFTWARE~\version\Run\ “dmkop” HKLM\SOFTWARE~\Winlogon\ “system”="" … HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins “}D7DF2C5531AF-6A18-2004-1E47-0CEAFD07{” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins “pokmd” Deleted HKLM~\currentversion\run “dmkop.exe” Deleted … »»»»» Misc files. C:\WINDOWS\system32{BB4513E0-78FA-4789-AFF6-14678BCABA4E}.exe Deleted … »»»»» Checking for older varients. … Search five digit cs, dm, kd, jb, other, files. The following files NEED TO BE SUBMITTED to one of the following URL’S for further inspection. Nie moľna odnale«† okrelonego pliku. Click browse, find the file then click submit. http://www.virustotal.com/flash/index_en.html Or http://virusscan.jotti.org/ »»»»» Other C:\WINDOWS\Temp\csklp.ren 51730 2007-01-02 C:\WINDOWS\Temp\dmkop.ren 60462 2004-08-04 »»»»» Current runs [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SkyTel”=“SkyTel.EXE” “SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” “SunJavaUpdateSched”="“C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe”" “RTHDCPL”=“RTHDCPL.EXE” “LManager”=“C:\PROGRA~1\LAUNCH~1\LManager.exe” “igfxtray”=“C:\WINDOWS\system32\igfxtray.exe” “igfxpers”=“C:\WINDOWS\system32\igfxpers.exe” “igfxhkcmd”=“C:\WINDOWS\system32\hkcmd.exe” “AzMixerSel”=“C:\Program Files\Realtek\InstallShield\AzMixerSel.exe” [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” … Hosts file was reset, If you use a custom hosts file please replace it »»»»» End report »»»»»
adam9870
(adam9870)
13 Luty 2007 15:32
#4
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:
C:\WINDOWS\Temp\csklp.ren
C:\WINDOWS\Temp\dmkop.ren
po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.
Użyj progrmu ATF Cleaner i przeczyść TEMP’y.
Po wykonaniu możesz pokazać nowy log z fixwareout.