Morfina
(Zuzinka3)
13 April 2007 14:42
#1
Hello. My computer has recently started acting up. Favorites open and close by themselves, and I keep getting pop-up ads for porn sites. I run a scanner every day, but it does nothing. I would be grateful if someone could check my log.
Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 16:39:12, on 2007-04-13
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\aspi125784.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\iau1.exe
C:\WINDOWS\stisvsq1.exe
C:\WINDOWS\msqdevl1.exe
C:\WINDOWS\svshost1.exe
C:\WINDOWS\lssas1.exe
C:\WINDOWS\mservice1.exe
C:\WINDOWS\rhds.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Zuza\USTAWI~1\Temp\Rar$EX00.141\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {F5938714-BD46-408A-9842-4058206D37E3} - C:\DOCUME~1\Zuza\USTAWI~1\Temp\~00754.tmp
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\DOCUME~1\Zuza\USTAWI~1\Temp\~00754.tmp
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O4 - HKLM\..\Run: [Microsoft Office Quick Launcher] C:\WINDOWS\iau1.exe
O4 - HKLM\..\Run: [internet Connection Wizard] C:\WINDOWS\stisvsq1.exe
O4 - HKLM\..\Run: [Games Acceleration] C:\WINDOWS\svshost1.exe
O4 - HKLM\..\Run: [internet Mail and News] C:\WINDOWS\msqdevl1.exe
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{53D945AD-0756-42BE-9145-17EC221F5675}: NameServer = 85.255.113.148,85.255.112.86
O17 - HKLM\System\CCS\Services\Tcpip\..\{A16892E8-C414-49B4-855C-88235E603A71}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CCS\Services\Tcpip\..\{D557EAC6-567A-41F4-92BC-E54F1F7F80E2}: NameServer = 85.255.113.148,85.255.112.86
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.86
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.86
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.86
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi125784.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
Thanks in advance.
adam9870
(adam9870)
13 April 2007 14:50
#2
Don't keep HijackThis in TEMP or any other temporary folder. Put it on the desktop, for example.
Use Windows Worms Doors Cleaner and change the buttons from disable to enable (all of the buttons should be green; if any of them is yellow, leave it). A restart is required after using the tool.
In Safe Mode, with System Restore turned off, remove:
C:\WINDOWS\lssas1.exe
C:\WINDOWS\mservice1.exe
C:\WINDOWS\rhds.exe
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: (no name) - {F5938714-BD46-408A-9842-4058206D37E3} - C:\DOCUME~1\Zuza\USTAWI~1\Temp\~00754.tmp
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\DOCUME~1\Zuza\USTAWI~1\Temp\~00754.tmp
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O4 - HKLM\..\Run: [Microsoft Office Quick Launcher] C:\WINDOWS\iau1.exe
O4 - HKLM\..\Run: [internet Connection Wizard] C:\WINDOWS\stisvsq1.exe
O4 - HKLM\..\Run: [Games Acceleration] C:\WINDOWS\svshost1.exe
O4 - HKLM\..\Run: [internet Mail and News] C:\WINDOWS\msqdevl1.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{53D945AD-0756-42BE-9145-17EC221F5675}: NameServer = 85.255.113.148,85.255.112.86
O17 - HKLM\System\CCS\Services\Tcpip\..\{D557EAC6-567A-41F4-92BC-E54F1F7F80E2}: NameServer = 85.255.113.148,85.255.112.86
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.86
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.86
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.86
Delete the files manually from disk, and the entries in HijackThis.
Use the FixWareOut tool.
Use ATF Cleaner in Safe Mode and clean out the TEMP folders.
When done, post a new HijackThis log, a SilentRunners log, and the contents of c:\fixwareout\report.txt
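The reply above picks its removal list out of the log by eye: Run entries whose friendly name has nothing to do with the executable they launch, executables sitting directly in C:\WINDOWS with names one letter away from lsass.exe or svchost.exe, BHOs loading from a Temp folder, O16 objects with no source URL, and NameServer values that differ from the ISP's. The script below is an added example (not part of the thread or of HijackThis) that applies those same heuristics mechanically to a HijackThis 1.99 log. The rules are my own reading of what the reply removes; the "trusted" DNS set is an assumption, chosen here as the two addresses the reply leaves in place; the sample log is a subset of lines copied from the log posted above.

```python
"""Triage a HijackThis 1.99.x log: flag the entry types the reply above acts on."""
import re

# Windows XP core binaries that malware names itself after (lssas1.exe, svshost1.exe).
CORE_NAMES = ("lsass", "svchost", "services", "csrss", "smss", "winlogon", "spoolsv", "explorer")
LEGIT_IN_WINDOWS_ROOT = {"explorer.exe"}   # assumption: the only EXE expected directly in C:\WINDOWS
HJT_LINE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions (lssas ~ lsass)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(path):
    """Name of the core binary this file name imitates (one edit away), or None."""
    stem = path.rsplit("\\", 1)[-1].lower()
    stem = re.sub(r"\.exe$", "", stem)
    stem = re.sub(r"\d+$", "", stem)          # lssas1 -> lssas
    for core in CORE_NAMES:
        if stem != core and osa_distance(stem, core) <= 1:
            return core + ".exe"
    return None


def suspicious_location(path):
    """Bare file name (resolved via the search path), a Temp directory, or C:\\WINDOWS itself."""
    p = path.strip().strip('"').lower()
    if not p:
        return False
    if "\\" not in p or "\\temp\\" in p:
        return True
    return p.rsplit("\\", 1)[0] == "c:\\windows"


def triage(log_text, trusted_dns):
    """Return (category, log line) pairs worth acting on, in log order."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and not m:                 # one running process per line
            if not line:
                continue
            mimic = lookalike(line)
            if mimic:
                findings.append(("lookalike", f"{line} (resembles {mimic})"))
            elif suspicious_location(line) and line.rsplit("\\", 1)[-1].lower() not in LEGIT_IN_WINDOWS_ROOT:
                findings.append(("odd-location", line))
            continue
        in_procs = False
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":                       # HKLM\..\Run: [Friendly name] target
            target = re.sub(r"^.*?\]\s*", "", body)
            if lookalike(target) or suspicious_location(target):
                findings.append(("autorun", line))
        elif kind in ("O2", "O3"):             # BHO / toolbar: name - {CLSID} - path
            path = body.rsplit(" - ", 1)[-1]
            if "(file missing)" in body or suspicious_location(path):
                findings.append(("browser-addon", line))
        elif kind == "O10":                    # HijackThis cannot fix LSP entries itself
            findings.append(("lsp", line))
        elif kind == "O16" and body.rstrip().endswith("-"):
            findings.append(("dpf-no-url", line))
        elif kind == "O17" and "NameServer =" in body:
            servers = re.split(r"[ ,]+", body.split("NameServer =", 1)[1].strip())
            if any(s not in trusted_dns for s in servers):
                findings.append(("dns", line))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(("service", line))
    return findings


# Sample input: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svshost1.exe
C:\WINDOWS\lssas1.exe
C:\WINDOWS\rhds.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {F5938714-BD46-408A-9842-4058206D37E3} - C:\DOCUME~1\Zuza\USTAWI~1\Temp\~00754.tmp
O4 - HKLM\..\Run: [Microsoft Office Quick Launcher] C:\WINDOWS\iau1.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost1.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A16892E8-C414-49B4-855C-88235E603A71}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.148 85.255.112.86
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi125784.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

if __name__ == "__main__":
    # Assumption: the ISP's resolvers are the pair the reply leaves untouched.
    for category, entry in triage(SAMPLE_LOG, {"194.204.159.1", "217.98.63.164"}):
        print(f"[{category:13}] {entry}")
```

The lookalike rule is deliberately narrow (one edit after stripping a trailing digit) so that lsass.exe, csrss.exe and smss.exe, which are all legitimately close to one another, do not flag each other; the O23 rule only queues "Unknown owner" services for review, since a missing signer is grounds to look, not proof of malware.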
Morfina
(Zuzinka3)
13 April 2007 15:57
#3
I have no idea what is going on. I did everything that was needed and the ads still pop up. Despite deleting the files listed, the log still looks the same.
New HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 17:52:23, on 2007-04-13
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\aspi125784.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\iau1.exe
C:\WINDOWS\stisvsq1.exe
C:\WINDOWS\svshost1.exe
C:\WINDOWS\msqdevl1.exe
C:\WINDOWS\lssas1.exe
C:\WINDOWS\mservice1.exe
C:\WINDOWS\rhds.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Zuza\USTAWI~1\Temp\Rar$EX01.312\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {F5938714-BD46-408A-9842-4058206D37E3} - C:\DOCUME~1\Zuza\USTAWI~1\Temp\~00754.tmp (file missing)
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\DOCUME~1\Zuza\USTAWI~1\Temp\~00754.tmp (file missing)
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (file missing)
O4 - HKLM\..\Run: [Microsoft Office Quick Launcher] iau1.exe
O4 - HKLM\..\Run: [internet Connection Wizard] stisvsq1.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost1.exe
O4 - HKLM\..\Run: [internet Mail and News] msqdevl1.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas1.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice1.exe
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{53D945AD-0756-42BE-9145-17EC221F5675}: NameServer = 85.255.116.69,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{A16892E8-C414-49B4-855C-88235E603A71}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CCS\Services\Tcpip\..\{D557EAC6-567A-41F4-92BC-E54F1F7F80E2}: NameServer = 85.255.116.69,85.255.112.110
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.69 85.255.112.110
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.69 85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.69 85.255.112.110
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi125784.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
Silent runners:
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"Komunikator" = ""C:\Program Files\Tlen.pl\tlen.exe" --confdir=home" ["o2.pl Sp. z o.o."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"isamonitor.exe" = "C:\Program Files\VideoCompressionCodec\isamonitor.exe" [null data]
"pmsngr.exe" = "C:\Program Files\VideoCompressionCodec\pmsngr.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{7b4d79df-9ef0-429d-a0e9-d9b138c6a53b}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\VideoCompressionCodec\isaddon.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{dfa61db1-388e-4c87-8d56-540fa229bcb4}" = "contrabandists"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dpfwu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"contrabandists" = "{dfa61db1-388e-4c87-8d56-540fa229bcb4}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dpfwu.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoBandCustomize" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
Disable customizing browser toolbars}

"NoActiveDesktop" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Disable Active Desktop}

"ClassicShell" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Enable Classic Shell / Turn on Classic Shell}

"ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Enable Active Desktop}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Zuza\Dane aplikacji\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{37B85A29-692B-4205-9CAD-2626E4993404}"
  -> {HKLM...CLSID} = "My Global Search Bar"
                   \InProcServer32\(Default) = "C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" ["My Global Search"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{8AED5DF3-6E0B-4930-B1A5-F8AA8D757497}\(Default) = "Protection Bar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\VideoCompressionCodec\iesplugin.dll" [null data]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
      1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 109 seconds, including 17 seconds for message boxes)
FixWareOut:
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}9A3B2517EFC1-AD38-9CB4-7E72-778AF621{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}473F61447DB5-430B-7074-231E-6B36DF0D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}3E7D48445603-8F8B-D674-E053-2A40D326{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}B7CB49D6DF5F-4EDB-9E74-CF7C-951F2D91{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}A15EA7D14B5D-03D8-EEA4-DB26-A381D8E9{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}7E2D6B35403C-925A-C274-3DCF-8D68CB48{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}46E01C7227C9-001B-C994-4A5B-86FACCB7{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}866F2CAC19ED-28CA-6964-491D-62750F9D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}F25A530D5EF6-20D9-EC14-86F7-1654C915{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}85AADCAE2E30-F899-E674-3944-79B94AA7{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}634A4609F206-500B-5374-B074-DA02F26F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}7E0FA704CC4B-F97A-CFB4-1917-485CCB16{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}FADE6BE23C3F-FA28-8124-25E5-C44984AC{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}963D07AD6509-B2B8-8E84-C764-2AE88F79{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}A45FDDFE6DAC-5539-BD94-FEC1-2DDA7BC3{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}040C67458B28-D2CA-0844-EF4F-9AAA014E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}947FD13D5A91-F4AB-7434-8876-FEF50103{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}0C76DAA5AA72-8C59-1B54-D52E-857DFA4A{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}547ECCB1BF2A-7FFA-D734-5782-F9B08DEF{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}99B1B5714D72-D559-A324-3077-6280EB63{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}7238FEE603C0-46BB-AB54-6705-876473E5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}4A6DE0F5B3F1-5DAB-2074-3CF6-7945C05E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}239AABBC947A-A269-0AE4-6A1C-FE9B9879{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}083E45F76C21-E22B-1034-83B9-0BD8912E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}89B8FC9A975B-2D29-2474-C100-DCA03A8C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}A6377F5FF81D-9EAA-67F4-C350-95E5198B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r "}44352AAA2CFE-F8D8-25A4-FE4A-9165942B{" Deleted
....
»»»»» Misc files.
C:\WINDOWS\system32\{F62F20AD-470B-4735-B005-602F9064A436}.exe Deleted
C:\WINDOWS\system32\{61BCC584-7191-4BFC-A79F-B4CC407AF0E7}.exe Deleted
C:\WINDOWS\system32\{CA48944C-5E52-4218-82AF-F3C32EB6EDAF}.exe Deleted
C:\WINDOWS\system32\{97F88EA2-467C-48E8-8B2B-9056DA70D369}.exe Deleted
C:\WINDOWS\system32\{9E8D183A-62BD-4AEE-8D30-D5B41D7AE51A}.exe Deleted
C:\WINDOWS\system32\{84BC86D8-FCD3-472C-A529-C30453B6D2E7}.exe Deleted
C:\WINDOWS\system32\{7BCCAF68-B5A4-499C-B100-9C7227C10E64}.exe Deleted
C:\WINDOWS\system32\{FED80B9F-2875-437D-AFF7-A2FB1BCCE745}.exe Deleted
C:\WINDOWS\system32\{D9F05726-D194-4696-AC82-DE91CAC2F668}.exe Deleted
C:\WINDOWS\system32\{519C4561-7F68-41CE-9D02-6FE5D035A52F}.exe Deleted
C:\WINDOWS\system32\{7AA49B97-4493-476E-998F-03E2EACDAA58}.exe Deleted
C:\WINDOWS\system32\{3CB7ADD2-1CEF-49DB-9355-CAD6EFDDF54A}.exe Deleted
C:\WINDOWS\system32\{E410AAA9-F4FE-4480-AC2D-82B85476C040}.exe Deleted
C:\WINDOWS\system32\{A4AFD758-E25D-45B1-95C8-27AA5AAD67C0}.exe Deleted
C:\WINDOWS\system32\{36BE0826-7703-423A-955D-27D4175B1B99}.exe Deleted
C:\WINDOWS\system32\{5E374678-5076-45BA-BB64-0C306EEF8327}.exe Deleted
C:\WINDOWS\system32\{E50C5497-6FC3-4702-BAD5-1F3B5F0ED6A4}.exe Deleted
C:\WINDOWS\system32\{9789B9EF-C1A6-4EA0-962A-A749CBBAA932}.exe Deleted
C:\WINDOWS\system32\{E2198DB0-9B38-4301-B22E-12C67F54E380}.exe Deleted
C:\WINDOWS\system32\{C8A30ACD-001C-4742-92D2-B579A9CF8B98}.exe Deleted
C:\WINDOWS\system32\{B8915E59-053C-4F76-AAE9-D18FF5F7736A}.exe Deleted
C:\WINDOWS\system32\{B2495619-A4EF-4A52-8D8F-EFC2AAA25344}.exe Deleted
C:\WINDOWS\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
C:\WINDOWS\system32\csels.exe 52800 2007-04-12
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or
http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Office Quick Launcher"="C:\WINDOWS\iau1.exe"
"Internet Connection Wizard"="C:\WINDOWS\stisvsq1.exe"
"Games Acceleration"="C:\WINDOWS\svshost1.exe"
"Internet Mail and News"="C:\WINDOWS\msqdevl1.exe"
"Microsoft Management Console"="C:\WINDOWS\lssas1.exe"
"Multimedia extensions"="C:\WINDOWS\mservice1.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
Rustock pe386 is present
»»»»» End report »»»»»
adam9870
(adam9870)
13 April 2007 16:06
#4
Download and run LSP-Fix, tick "I know what I'm doing", then in the Keep pane select the tmwsock.dll library, move it with the arrow (>>) to the Remove pane, click Finish and restart.
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (file missing)
O2 - BHO: (no name) - {F5938714-BD46-408A-9842-4058206D37E3} - C:\DOCUME~1\Zuza\USTAWI~1\Temp\~00754.tmp (file missing)
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\DOCUME~1\Zuza\USTAWI~1\Temp\~00754.tmp (file missing)
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (file missing)
O4 - HKLM\..\Run: [Microsoft Office Quick Launcher] iau1.exe
O4 - HKLM\..\Run: [internet Connection Wizard] stisvsq1.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost1.exe
O4 - HKLM\..\Run: [internet Mail and News] msqdevl1.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas1.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice1.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{53D945AD-0756-42BE-9145-17EC221F5675}: NameServer = 85.255.116.69,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{D557EAC6-567A-41F4-92BC-E54F1F7F80E2}: NameServer = 85.255.116.69,85.255.112.110
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.69 85.255.112.110
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.69 85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.69 85.255.112.110
Delete the folder and files manually in Safe Mode, and the entries in HijackThis.
Use the SmitFraudFix tool with option number 2 in Safe Mode.
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.
When done, paste a new HijackThis log, a SilentRunners log, plus a ComboFix log. To produce its log, run it => press the Y key => wait patiently, and the log should appear as a .txt file named combofix on partition C.
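The reply sends the user to LSP-Fix for tmwsock.dll rather than telling her to delete the O10 entries, and the reason is worth making explicit: Winsock's Protocol_Catalog9 is a numbered chain (Catalog_Entries\000000000001, 000000000002, ...) with a Num_Catalog_Entries count, so deleting a foreign provider's keys by hand leaves holes in the numbering and breaks networking, which is exactly the damage LSP-Fix exists to avoid. The script below is an added example, not LSP-Fix's code or anything from the thread, that models what moving a DLL to the Remove pane does: it parses a registry export of the catalog, pulls the provider path out of each PackedCatalogItem (the path is the NUL-padded ANSI string in its first MAX_PATH bytes), drops every provider that is not on the known-good list, and renumbers the survivors 1..N. The known-good list is the set of DLLs the SilentRunners Winsock2 section above reports; the export itself is constructed here, with tmwsock.dll layered into the chain at three positions, and the bytes after the path in each PackedCatalogItem are zero-filled because the planner never reads them.

```python
"""Model of an LSP removal: parse Protocol_Catalog9, drop foreign providers, renumber the chain."""
import re

MAX_PATH = 260
CATALOG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
# Providers the SilentRunners Winsock2 section above lists on a clean XP SP2 box.
KNOWN_GOOD = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}


def packed_item(provider_path):
    """Constructed stand-in for PackedCatalogItem: provider path as a NUL-padded ANSI
    string of MAX_PATH bytes, then the rest of the record, zero-filled here."""
    return provider_path.encode("ascii").ljust(MAX_PATH, b"\x00") + b"\x00" * 32


def to_reg_hex(blob, width=25):
    """Render bytes the way regedit exports REG_BINARY: hex:aa,bb,... wrapped with '\\'."""
    parts = [f"{b:02x}" for b in blob]
    lines = [",".join(parts[i:i + width]) for i in range(0, len(parts), width)]
    return "hex:" + ",\\\n  ".join(lines)


def build_export(providers):
    """Constructed .reg export of a Protocol_Catalog9 holding the given providers in order."""
    out = ["Windows Registry Editor Version 5.00", "", f"[{CATALOG_KEY}]",
           f'"Num_Catalog_Entries"=dword:{len(providers):08x}', ""]
    for n, path in enumerate(providers, start=1):
        out += [f"[{CATALOG_KEY}\\Catalog_Entries\\{n:012d}]",
                f'"PackedCatalogItem"={to_reg_hex(packed_item(path))}', ""]
    return "\n".join(out)


def parse_export(reg_text):
    """Return {entry_number: provider_path} from a .reg export of Protocol_Catalog9."""
    text = re.sub(r",\\\n\s*", ",", reg_text)        # undo regedit's line continuation
    catalog, entry = {}, None
    for line in text.splitlines():
        key = re.match(r"\[.*\\Catalog_Entries\\(\d{12})\]$", line)
        if key:
            entry = int(key.group(1))
            continue
        val = re.match(r'"PackedCatalogItem"=hex:([0-9a-f,]+)$', line, re.I)
        if val and entry is not None:
            blob = bytes(int(h, 16) for h in val.group(1).split(","))
            catalog[entry] = blob[:MAX_PATH].split(b"\x00", 1)[0].decode("latin-1")
    return catalog


def dll_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chain_is_contiguous(catalog):
    """Winsock walks entries 1..Num_Catalog_Entries; any hole breaks the chain."""
    return sorted(catalog) == list(range(1, len(catalog) + 1))


def naive_delete(catalog, name):
    """Hand-deleting the foreign entries' keys: the numbering keeps its holes."""
    return {n: p for n, p in catalog.items() if dll_name(p) != name}


def plan_cleanup(catalog, known_good=KNOWN_GOOD):
    """What moving a DLL to LSP-Fix's Remove pane amounts to: drop foreign providers,
    renumber the survivors 1..N. Returns (removed_paths, renumbered_catalog)."""
    keep, removed = [], []
    for n in sorted(catalog):
        (keep if dll_name(catalog[n]) in known_good else removed).append(catalog[n])
    return removed, {n: p for n, p in enumerate(keep, start=1)}


# Constructed catalog: the providers SilentRunners lists above, with tmwsock.dll
# layered in at three positions, as an LSP installer does.
SAMPLE_EXPORT = build_export([
    r"%SystemRoot%\system32\mswsock.dll",
    r"c:\windows\system32\tmwsock.dll",
    r"%SystemRoot%\system32\mswsock.dll",
    r"%SystemRoot%\system32\rsvpsp.dll",
    r"c:\windows\system32\tmwsock.dll",
    r"%SystemRoot%\system32\mswsock.dll",
    r"c:\windows\system32\tmwsock.dll",
])

if __name__ == "__main__":
    cat = parse_export(SAMPLE_EXPORT)
    removed, fixed = plan_cleanup(cat)
    print("foreign providers removed:", len(removed))
    print("hand-deleted chain contiguous?", chain_is_contiguous(naive_delete(cat, "tmwsock.dll")))
    print("renumbered chain contiguous?", chain_is_contiguous(fixed), "Num_Catalog_Entries =", len(fixed))
```

On a real machine the export comes from `reg export` of the Protocol_Catalog9 key, and the known-good list should be taken from the same system's SilentRunners or a clean reference box, not hard-coded; the point of the model is only that removal and renumbering have to happen together, which is what the tool the reply recommends does for you.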