tak jak w temacie. prosze o sprawdzenie logów
“Silent Runners.vbs”, revision 47, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z o.o.”] “lrtsm” = “C:\WINDOWS\system32\qttsk.exe” [file not found] “NBJ” = ““C:\Program Files\Ahead\Nero BackItUp\NBJ.exe”” [“Ahead Software AG”] “Symantec Antivirus professional” = “flushdns.exe” [null data] “MicrosoftPersonalFirewall” = “spoolsrv.exe” [null data] “Internet Security Service” = “msq32.exe” [null data] “Live-Help” = “links.exe” [null data] “Office Monitors” = “C:\WINDOWS\System32\GoogleUpdater.exe” [null data] “rasman” = “C:\WINDOWS\System32\rasman32.exe” [null data] “Microsoft Directx push” = “directxpushup.exe” [null data] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “Symantec Antivirus professional” = “flushdns.exe” [null data] “MicrosoftPersonalFirewall” = “spoolsrv.exe” [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “InCD” = “C:\Program Files\Ahead\InCD\InCD.exe” [“Ahead Software AG”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “AudioDeck” = “C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1” [“VIA Technologies, Inc.”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] “Symantec Antivirus professional” = “flushdns.exe” [null data] “msvccc66” = “svcchosst.exe” [null data] “Internet Security Service” = “msq32.exe” [null data] “MicrosoftPersonalFirewall” = “spoolsrv.exe” [null data] “Messanger Read System” = “C:\WINDOWS\System32\msnrd.exe” [null data] “Live-Help” = “links.exe” [null data] “Office Monitors” = “C:\WINDOWS\System32\GoogleUpdater.exe” [null data] “rasman” = “C:\WINDOWS\System32\rasman32.exe” [null data] “Microsoft Directx push” = “directxpushup.exe” [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “Symantec Antivirus professional” = “flushdns.exe” [null data] “MicrosoftPersonalFirewall” = “spoolsrv.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW” -> {HKLM…CLSID} = “Shell Extension for CDRW” \InProcServer32(Default) = “C:\Program Files\Ahead\InCD\incdshx.dll” [“Ahead Software AG”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! rpcc\DLLName = “C:\WINDOWS\System32\rpcc.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Bartek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Bartek” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] “VIA RAID TOOL” -> shortcut to: “C:\Program Files\VIA\RAID\raid_tool.exe” [“VIA Technologies”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ Missing lines (compared with English-language version): “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ InCD Helper, InCDsrv, “C:\Program Files\Ahead\InCD\InCDsrv.exe” [“Ahead Software AG”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] MicrosoftPersonalFirewall, WindowsUpdater, ““C:\WINDOWS\System32\spoolsrv.exe” -netsvcs” [null data] Network helper Service, MSDisk, ““C:\WINDOWS\System32\irdvxc.exe” /service” [null data] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] Symantec Antivirus professional, Symantec Antivirus professional, ““C:\WINDOWS\System32\flushdns.exe” -netsvcs” [null data] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 59 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 13 seconds. ---------- (total run time: 121 seconds)
Logfile of HijackThis v1.99.1 Scan saved at 19:24:38, on 2004-03-27 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\irdvxc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\flushdns.exe C:\WINDOWS\System32\spoolsrv.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\VIAudioi\SBADeck\ADeck.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\System32\svcchosst.exe C:\WINDOWS\System32\msq32.exe C:\WINDOWS\System32\msnrd.exe C:\WINDOWS\System32\links.exe C:\WINDOWS\System32\GoogleUpdater.exe C:\WINDOWS\System32\rasman32.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\directxpushup.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\Documents and Settings\Bartek\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\Run: [msvccc66] svcchosst.exe O4 - HKLM…\Run: [internet Security Service] msq32.exe O4 - HKLM…\Run: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKLM…\Run: [Messanger Read System] C:\WINDOWS\System32\msnrd.exe O4 - HKLM…\Run: [Live-Help] links.exe O4 - HKLM…\Run: [Office Monitors] C:\WINDOWS\System32\GoogleUpdater.exe O4 - HKLM…\Run: [rasman] C:\WINDOWS\System32\rasman32.exe O4 - HKLM…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\RunServices: [msvccc66] svcchosst.exe O4 - HKLM…\RunServices: [internet Security Service] msq32.exe O4 - HKLM…\RunServices: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKLM…\RunServices: [Messanger Read System] C:\WINDOWS\System32\msnrd.exe O4 - HKLM…\RunServices: [Live-Help] links.exe O4 - HKLM…\RunServices: [Microsoft Directx push] directxpushup.exe O4 - HKLM…\RunOnce: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\RunOnce: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [lrtsm] C:\WINDOWS\system32\qttsk.exe O4 - HKCU…\Run: [NBJ] “C:\Program Files\Ahead\Nero BackItUp\NBJ.exe” O4 - HKCU…\Run: [symantec Antivirus professional] flushdns.exe O4 - HKCU…\Run: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKCU…\Run: [internet Security Service] msq32.exe O4 - HKCU…\Run: [Live-Help] links.exe O4 - HKCU…\Run: [Office Monitors] C:\WINDOWS\System32\GoogleUpdater.exe O4 - HKCU…\Run: [rasman] C:\WINDOWS\System32\rasman32.exe O4 - HKCU…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\RunServices: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\RunOnce: [symantec Antivirus professional] flushdns.exe O4 - HKCU…\RunOnce: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Joan
(Joan Sunshine)
26 Marzec 2007 18:31
#2
Ale nałapałeś śmieci
Użyj narzędzia WWDC (pozwoli Ci to zamknąć robaczywe porty), zmień znaczki z Disable na Enable (wszystkie mają być zielone lub żółte) i zresetuj sysa.
Otwórz notatnik i wklej w nim to:
Plik -> zapisz jako -> zmień rozszerzenie na wszystkie pliki -> zapisz pod nazwą FIX.BAT
W trybie awaryjnym odpal plik FIX.BAT i restart kompa
Wszystko co na czerwono w trybie awaryjnym usuwasz z dysku, wpisy kasujesz w Hijacku. Koniecznie instalujesz antywirusa i wracasz z nowymi logami HJt +SilentRunners i z ComboFix oraz z GMERA
Zakładka Rootkit > zaznacz wszystko oprócz Pokaż wszystko > kliknij Szukaj
Zakładka Rootkit > zaznacz tylko Usługi oraz Pokaż wszystko > kliknij Szukaj i w obydwu przypadkach poczekaj cierpliwie, aż skończy pracę
adam9870
(adam9870)
26 Marzec 2007 20:16
#4
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.BAT
Teraz czynności będziesz wykonywał w Gmerze więc uruchom go, poczekaj chwilkę, kliknij na zakładkę >>> w celu otworzenia pozostałych.
W zakładce Procesy wybierz Gmer awaryjny >>> komputer się zrestartuje i zostanie samo okienko Gmer’a >>> w zakładce Procesy przez … (trzy kropki) wskaż plik FIX.BAT >>> po chwilce mignie ekran i reset >>> po resecie otwórz Gmer’a i w zakładce CMD z zaznaczoną opcją REGEDIT.EXE wklej:
>>> kliknij Uruchom i reset.
Usuń wpisy HJT jeśli będą.
Po wykonaniu wklej log z ComboFix, log z Gmer’a (tylko ten z usług) i log z hijacka.
no chyba wszystko zrobiłem.
Logfile of HijackThis v1.99.1 Scan saved at 20:31:58, on 2004-03-28 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\VIAudioi\SBADeck\ADeck.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\Documents and Settings\Bartek\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [NBJ] “C:\Program Files\Ahead\Nero BackItUp\NBJ.exe” O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
“Silent Runners.vbs”, revision 47, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z o.o.”] “NBJ” = ““C:\Program Files\Ahead\Nero BackItUp\NBJ.exe”” [“Ahead Software AG”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “InCD” = “C:\Program Files\Ahead\InCD\InCD.exe” [“Ahead Software AG”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “AudioDeck” = “C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1” [“VIA Technologies, Inc.”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW” -> {HKLM…CLSID} = “Shell Extension for CDRW” \InProcServer32(Default) = “C:\Program Files\Ahead\InCD\incdshx.dll” [“Ahead Software AG”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! rpcc\DLLName = “C:\WINDOWS\System32\rpcc.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Bartek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Bartek” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] “VIA RAID TOOL” -> shortcut to: “C:\Program Files\VIA\RAID\raid_tool.exe” [“VIA Technologies”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ Missing lines (compared with English-language version): “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ InCD Helper, InCDsrv, “C:\Program Files\Ahead\InCD\InCDsrv.exe” [“Ahead Software AG”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 63 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 11 seconds. ---------- (total run time: 128 seconds)
adam9870
(adam9870)
27 Marzec 2007 18:24
#6
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
C:\WINDOWS\System32\rpcc.dll
Klikasz X czerwony i restart kompa.
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
Usuń wpis HJT jeśli będzie.
Po wykonaniu wklej log z ComboFix:
http://unicorn.ksiezyc.pl/WWW/instrukcje/combofix.html