Your privacy is in danger

Heta · 2 Listopad 2007 09:13

Na pomoc! Od pewnego czasu na pulpicie pojawia się czerwona tapeta z napisem “Your privacy is in danger”. Nie mam pojęcia jak ją usunąć. Mam avasta!4.7 Professional. Oto log z HijackThis.

Logfile of HijackThis v1.99.1 Scan saved at 10:04:48, on 2007-11-02 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Web Accelerator\webxl.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe D:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Gosi\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: MSVPS System - {480598DD-AE28-48B7-82F7-6ADDA1AA6B66} - C:\WINDOWS\ntspksgp.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: MSVPS System - {7A22D62B-562F-4D55-8B1E-3AAA6C2BA688} - C:\WINDOWS\advreprwd.dll O2 - BHO: (no name) - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - (no file) O2 - BHO: MSVPS System - {C4F4DBBD-4A4C-4B40-97DA-2FE06DBB2901} - C:\WINDOWS\bndsrsqo.dll O3 - Toolbar: (no name) - {D1413F77-5B69-4562-84E1-78F997794E9D} - (no file) O3 - Toolbar: (no name) - {F17B1418-2C0C-4295-BD55-BCDD3C730FBE} - (no file) O3 - Toolbar: The htunistock - {B02534D7-8D91-49BE-A864-97DFB8E0BAB4} - C:\WINDOWS\optnet.dll O3 - Toolbar: The htunistock - {C58A4487-4C2E-45E4-9E3A-52B3A23CC396} - C:\WINDOWS\htunistock.dll O3 - Toolbar: The sdrmod - {521A5897-9EA7-43B4-A51D-B4C11D67BEEF} - C:\WINDOWS\sdrmod.dll O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup O4 - HKLM…\Run: [iSUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start O4 - HKLM…\Run: [WebAccelerator] “C:\Program Files\Web Accelerator\webxl.exe” O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” O4 - HKCU…\Run: [Dzieńdobry!] C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O17 - HKLM\System\CCS\Services\Tcpip…{DF4B4630-4BAF-41DB-8AF2-32E873B0CFDC}: NameServer = 194.204.159.1 217.98.63.164 O21 - SSODL: sysdx - {B2F99385-217D-4BFD-B29A-D9541FB4A0D2} - (no file) O21 - SSODL: msmhost - {5AF336C4-874F-46F3-9F64-09C51EA6F013} - C:\WINDOWS\msmhost.dll (file missing) O21 - SSODL: msvb - {6B59436D-D438-4AA7-9C53-890343E54F09} - C:\WINDOWS\msvb.dll O21 - SSODL: hostctrl - {48EBE543-A523-457F-B9AB-D2E7CB2173DA} - C:\WINDOWS\hostctrl.dll O21 - SSODL: hstsys - {9CA57F0F-8230-4333-9651-9240F1B349CE} - C:\WINDOWS\hstsys.dll (file missing) O21 - SSODL: hupsrv - {29BE99B7-D551-42DD-B6F0-EB5290EF1C6A} - C:\WINDOWS\hupsrv.dll O21 - SSODL: bindmod - {E351D4AA-1E8A-44B0-AF37-5E9B404CDDFD} - C:\WINDOWS\bindmod.dll (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

JNJN · 2 Listopad 2007 09:33

Przeczytaj tematy przyklejone w tym dziale i popraw posta.JNJN

LostWorld · 2 Listopad 2007 10:29

Trochę syfu jest , automat :

Pobierz : SmitFraudFix

Tryb numer 2 i wklejasz raport **(C:\SmitfraudFix.txt).**Oczywiście w trybie awaryjnym.

Heta · 2 Listopad 2007 10:46

A jak jeśli można wiedzieć uruchamia się tryb awaryjny ? Bo ja początkujący jestem w tych sprawach

mrok15 · 2 Listopad 2007 10:54

Resnij kompa i naciskaj F8 jak sie bedzie wlaczal xD Chyba musisz nacisnac przed tym jak laduje cdroomy ( boost czy jakos tak )

Heta · 2 Listopad 2007 11:05

Dobra udało mi się uruchomić w trybie awaryjnym. Oto raport z SmitfraudFix. (Sorki poprzednim razem wybrałem tryb 1 zamiast 2).

SmitFraudFix v2.246 Scan done at 12:19:52,37, 2007-11-02 Run from D:\Moje\Inne\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix S!Ri’s WS2Fix: LSP not Found. »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» DNS HKLM\SYSTEM\CCS\Services\Tcpip…{DF4B4630-4BAF-41DB-8AF2-32E873B0CFDC}: NameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CS1\Services\Tcpip…{DF4B4630-4BAF-41DB-8AF2-32E873B0CFDC}: NameServer=194.204.159.1 217.98.63.164 HKLM\SYSTEM\CS2\Services\Tcpip…{DF4B4630-4BAF-41DB-8AF2-32E873B0CFDC}: NameServer=194.204.159.1 217.98.63.164 »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “System”="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning not selected. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» End

LostWorld · 2 Listopad 2007 13:01

Tryb 1 nic nie daje bo on tylko skanuje system w poszukiwaniu zainfekowanych plików.Odpal jeszcze raz programik i tryb numer 2.

Jeśli nie masz jakiegoś narzędzia usuwającego, to ściągnij OTMoveIt

Do pola Paste List of Files/Folders to be Moved wklej poniższe ścieżki:

C:\WINDOWS\msmhost.dll

C:\WINDOWS\msvb.dll

C:\WINDOWS\hostctrl.dll

C:\WINDOWS\hstsys.dll

C:\WINDOWS\hupsrv.dll

C:\WINDOWS\bindmod.dll

C:\WINDOWS\advreprwd.dll

C:\WINDOWS\bndsrsqo.dll

C:\WINDOWS\sdrmod.dll

Następnie wciśnij przycisk MoveIt!

Pojawi się komunikat, że jest potrzebny restart do usunięcia podanych plików/folderów- wciśnij Yes.

Po restarcie usuń ręcznie folder C:** _OTMoveIt** (Prawoklik >>> Usuń >>> Opróżnij Kosz).

Heta:

O2 - BHO: MSVPS System - {480598DD-AE28-48B7-82F7-6ADDA1AA6B66} - C:\WINDOWS\ntspksgp.dll O2 - BHO: MSVPS System - {7A22D62B-562F-4D55-8B1E-3AAA6C2BA688} - C:\WINDOWS\advreprwd.dll O2 - BHO: (no name) - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - (no file) O2 - BHO: MSVPS System - {C4F4DBBD-4A4C-4B40-97DA-2FE06DBB2901} - C:\WINDOWS\bndsrsqo.dll O3 - Toolbar: (no name) - {D1413F77-5B69-4562-84E1-78F997794E9D} - (no file) O3 - Toolbar: (no name) - {F17B1418-2C0C-4295-BD55-BCDD3C730FBE} - (no file) O3 - Toolbar: The htunistock - {B02534D7-8D91-49BE-A864-97DFB8E0BAB4} - C:\WINDOWS\optnet.dll O3 - Toolbar: The htunistock - {C58A4487-4C2E-45E4-9E3A-52B3A23CC396} - C:\WINDOWS\htunistock.dll O3 - Toolbar: The sdrmod - {521A5897-9EA7-43B4-A51D-B4C11D67BEEF} - C:\WINDOWS\sdrmod.dll O21 - SSODL: sysdx - {B2F99385-217D-4BFD-B29A-D9541FB4A0D2} - (no file) O21 - SSODL: msmhost - {5AF336C4-874F-46F3-9F64-09C51EA6F013} - C:\WINDOWS\msmhost.dll (file missing) O21 - SSODL: msvb - {6B59436D-D438-4AA7-9C53-890343E54F09} - C:\WINDOWS\msvb.dll O21 - SSODL: hostctrl - {48EBE543-A523-457F-B9AB-D2E7CB2173DA} - C:\WINDOWS\hostctrl.dll O21 - SSODL: hstsys - {9CA57F0F-8230-4333-9651-9240F1B349CE} - C:\WINDOWS\hstsys.dll (file missing) O21 - SSODL: hupsrv - {29BE99B7-D551-42DD-B6F0-EB5290EF1C6A} - C:\WINDOWS\hupsrv.dll O21 - SSODL: bindmod - {E351D4AA-1E8A-44B0-AF37-5E9B404CDDFD} - C:\WINDOWS\bindmod.dll (file missing)

Uruchamiasz Hijackthis>>Do a system scan>> Zaznaczasz poniższe wpisy i wciskasz Fix Checked

Daj log z Combofix

Opis użycia ComboFix jest na tej stronie z linku.

Log może być długi, więc zapisz go sobie gdzieś, a potem wklej na http://wklej.org/, a tu daj tylko link.

Czyli : Log z Combofix , Oto raport z SmitfraudFix.(numer 2) , nowy log z z HiJackThis.

Heta · 2 Listopad 2007 13:28

Jak klikam na movelt! to nie ma żadnego komunikatu. Pojawia się takie coś :

LostWorld · 2 Listopad 2007 14:00

Nowy log z HiJackThis , log z Combofix i raport z SmitfraudFix z trybem numer 2!

Heta · 2 Listopad 2007 14:28

HijackThis

Logfile of HijackThis v1.99.1 Scan saved at 15:07:51, on 2007-11-02 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Web Accelerator\webxl.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\devldr32.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe D:\Moje\Inne\hijackthis\HijackThis.exe C:\WINDOWS\system32\dumprep.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup O4 - HKLM…\Run: [iSUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start O4 - HKLM…\Run: [WebAccelerator] “C:\Program Files\Web Accelerator\webxl.exe” O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O17 - HKLM\System\CCS\Services\Tcpip…{DF4B4630-4BAF-41DB-8AF2-32E873B0CFDC}: NameServer = 194.204.159.1 217.98.63.164 O17 - HKLM\System\CS2\Services\Tcpip…{093A6ADB-24A9-4E0E-8986-415506A155B9}: NameServer = 194.204.159.1 217.98.63.164 O21 - SSODL: hupsrv - {C49A5E01-ACC1-4E3C-B9F1-794A96E22ABA} - C:\WINDOWS\hupsrv.dll (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

Combo Fix

ComboFix 07-11-01.1** - Gosi 2007-11-02 15:10:01.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.255 [GMT 1:00] Running from: C:\Documents and Settings\Gosi\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 ))))))))))))))))))))))))))))))) . 2007-11-02 14:46 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-02 11:57 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2007-11-02 11:57 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2007-11-02 11:40 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-11-02 11:40 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-11-02 11:40 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-11-02 11:40 2,822 --a------ C:\WINDOWS\system32\tmp.reg 2007-11-01 21:45 286,720 --a------ C:\WINDOWS\advrepvto.dll 2007-10-31 23:18 116,224 --a------ C:\WINDOWS\wtopmod.exe 2007-10-31 23:14 2007-10-31 23:09 2007-10-27 20:06 2007-10-27 19:13 2007-10-27 19:12 2007-10-23 20:08 274,432 --a------ C:\WINDOWS\movctrlknq.dll 2007-10-22 19:57 253,952 --a------ C:\WINDOWS\movctrlflm.dll 2007-10-20 22:40 253,952 --a------ C:\WINDOWS\ntspkfxt.dll 2007-10-20 22:40 75,264 --a------ C:\WINDOWS\htunistock.dll 2007-10-20 07:30 122,884 --a------ C:\WINDOWS\UnGins.exe 2007-10-19 12:52 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll 2007-10-18 15:55 2007-10-18 15:49 2007-10-18 15:42 2007-10-18 15:41 8,704 --a------ C:\WINDOWS\system32\sporder.dll 2007-10-18 15:04 307,200 --a------ C:\WINDOWS\ntspkmxl.dll 2007-10-18 14:28 2007-10-09 08:56 2007-10-09 08:56 2007-10-09 08:56 2007-10-09 08:52 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-02 14:06 --------- d-----w C:\Program Files\Neostrada TP 2007-11-02 14:03 --------- d-----w C:\Program Files\Opera 2007-11-02 13:19 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-11-02 13:18 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-10-22 06:41 --------- d-----w C:\Documents and Settings\Gosi\Dane aplikacji\Wildfire 2007-10-18 14:42 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji.Beniamin 2007-10-11 18:29 --------- d-----w C:\Program Files\Gadu-Gadu 2007-10-08 15:01 --------- d-----w C:\Program Files\Java 2007-09-23 18:37 --------- d-----w C:\Program Files\Google 2007-09-22 21:04 --------- d-----w C:\Program Files\Tlen.pl 2007-09-20 11:32 --------- d-----w C:\Program Files\DAEMON Tools 2007-09-19 17:32 --------- d-----w C:\Program Files\Alcohol Soft 2007-09-19 17:29 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-09-16 18:01 --------- d-----w C:\Program Files\Common Files\Java 2007-09-08 18:08 --------- d-----w C:\Program Files\Web Accelerator 2007-09-08 16:46 --------- d-----w C:\Documents and Settings\Gosi\Dane aplikacji\Tlen.pl 2007-09-08 13:09 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-09-08 09:33 --------- d-----w C:\Documents and Settings\Gosi\Dane aplikacji\Gadu-Gadu 2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr 2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-09-06 05:16 --------- d-----w C:\Documents and Settings\Gosi\Dane aplikacji\AdobeUM 2007-09-03 15:15 --------- d-----w C:\Program Files\Ares 2007-09-01 15:41 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll 2007-09-01 15:41 45,056 ----a-w C:\WINDOWS\system32\ogg.dll 2007-09-01 15:41 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll 2007-09-01 15:41 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll 2007-09-01 15:41 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll 2007-09-01 15:40 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll 2007-09-01 15:40 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [2003-10-16 18:07] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 10:38] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2003-10-16 18:07] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [2003-10-16 18:07] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 11:06] “RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2004-11-02 19:24] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2006-01-30 20:13] “NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2006-01-12 15:40] “ISUSPM Startup”=“C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe” [2004-04-17 12:41] “ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [2004-04-13 05:07] “WebAccelerator”=“C:\Program Files\Web Accelerator\webxl.exe” [2005-08-27 04:16] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 00:11] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:44] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-09-13 10:12] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] “hupsrv”= {C49A5E01-ACC1-4E3C-B9F1-794A96E22ABA} - C:\WINDOWS\hupsrv.dll [] S3 jnv4_mib;jnv4_mib;??\C:\DOCUME~1\Gosi\USTAWI~1\Temp\jnv4_mib.sys S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{8b27a49f-58a6-11dc-b5aa-806d6172696f}] \Shell\AutoRun\command - F:\AutoRun.exe . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-02 15:11:22 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-02 15:12:10 C:\ComboFix2.txt … 2007-11-02 14:51 . — E O F —

SmitFraudFix

SmitFraudFix v2.246 Scan done at 15:17:14,34, 2007-11-02 Run from D:\Moje\Inne\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix S!Ri’s WS2Fix: LSP not Found. »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» DNS HKLM\SYSTEM\CS2\Services\Tcpip…{093A6ADB-24A9-4E0E-8986-415506A155B9}: NameServer=194.204.159.1 217.98.63.164 »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “System”="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» End A właśnie jak wykasowałem loga O21 - SSODL: hstsys - {9CA57F0F-8230-4333-9651-9240F1B349CE} - C:\WINDOWS\hstsys.dll (file missing) to net mi przestał działać.

jessica · 2 Listopad 2007 15:35

Co ma piernik do wiatraka?

Internet na pewno przestał Ci działać z innej przyczyny, a nie z powodu sfiksowania wpisu szkodnika!

Wklej do Notatnika :

File::

C:\WINDOWS\advrepvto.dll

C:\WINDOWS\wtopmod.exe

C:\WINDOWS\movctrlknq.dll 

C:\WINDOWS\movctrlflm.dll 

C:\WINDOWS\ntspkfxt.dll 

C:\WINDOWS\htunistock.dll

C:\WINDOWS\ntspkmxl.dll


Folder::

C:\Documents and Settings\Gosi\Dane aplikacji\YourPrivacyGuard 

C:\Program Files\Common Files\YourPrivacyGuard

C:\Program Files\SystemDefender


Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 

"hupsrv"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b27a49f-58a6-11dc-b5aa-806d6172696f}]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Daj ten log z ComboFixa.

jessi

Heta · 2 Listopad 2007 15:53

Oto log :

ComboFix 07-11-01.1** - Gosi 2007-11-02 16:49:54.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.285 [GMT 1:00] Running from: C:\Documents and Settings\Gosi\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\Gosi\Pulpit\CFScript_used_2007-11-02@16.39.txt * Created a new restore point FILE:: C:\WINDOWS\advrepvto.dll C:\WINDOWS\htunistock.dll C:\WINDOWS\movctrlflm.dll C:\WINDOWS\movctrlknq.dll C:\WINDOWS\ntspkfxt.dll C:\WINDOWS\ntspkmxl.dll C:\WINDOWS\wtopmod.exe . ((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 ))))))))))))))))))))))))))))))) . 2007-11-02 14:46 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-02 11:57 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2007-11-02 11:57 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2007-11-02 11:40 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-11-02 11:40 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-11-02 11:40 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-11-02 11:40 2,822 --a------ C:\WINDOWS\system32\tmp.reg 2007-10-27 20:06 2007-10-27 19:13 2007-10-27 19:12 2007-10-20 07:30 122,884 --a------ C:\WINDOWS\UnGins.exe 2007-10-19 12:52 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll 2007-10-18 15:55 2007-10-18 15:49 2007-10-18 15:42 2007-10-18 15:41 8,704 --a------ C:\WINDOWS\system32\sporder.dll 2007-10-18 14:28 2007-10-09 08:56 2007-10-09 08:56 2007-10-09 08:56 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-02 15:46 --------- d-----w C:\Program Files\Neostrada TP 2007-11-02 14:23 --------- d-----w C:\Program Files\Opera 2007-11-02 13:19 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-11-02 13:18 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-10-22 06:41 --------- d-----w C:\Documents and Settings\Gosi\Dane aplikacji\Wildfire 2007-10-18 14:42 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji.Beniamin 2007-10-11 18:29 --------- d-----w C:\Program Files\Gadu-Gadu 2007-10-08 15:01 --------- d-----w C:\Program Files\Java 2007-09-23 18:37 --------- d-----w C:\Program Files\Google 2007-09-22 21:04 --------- d-----w C:\Program Files\Tlen.pl 2007-09-20 11:32 --------- d-----w C:\Program Files\DAEMON Tools 2007-09-19 17:32 --------- d-----w C:\Program Files\Alcohol Soft 2007-09-19 17:29 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-09-16 18:01 --------- d-----w C:\Program Files\Common Files\Java 2007-09-08 18:08 --------- d-----w C:\Program Files\Web Accelerator 2007-09-08 16:46 --------- d-----w C:\Documents and Settings\Gosi\Dane aplikacji\Tlen.pl 2007-09-08 13:09 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-09-08 09:33 --------- d-----w C:\Documents and Settings\Gosi\Dane aplikacji\Gadu-Gadu 2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr 2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-09-06 05:16 --------- d-----w C:\Documents and Settings\Gosi\Dane aplikacji\AdobeUM 2007-09-03 15:15 --------- d-----w C:\Program Files\Ares 2007-09-01 15:41 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll 2007-09-01 15:41 45,056 ----a-w C:\WINDOWS\system32\ogg.dll 2007-09-01 15:41 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll 2007-09-01 15:41 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll 2007-09-01 15:41 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll 2007-09-01 15:40 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll 2007-09-01 15:40 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [2003-10-16 18:07] “SpeedTouch USB Diagnostics”=“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 10:38] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2003-10-16 18:07] “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [2003-10-16 18:07] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 11:06] “RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2004-11-02 19:24] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2006-01-30 20:13] “NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2006-01-12 15:40] “ISUSPM Startup”=“C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe” [2004-04-17 12:41] “ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [2004-04-13 05:07] “WebAccelerator”=“C:\Program Files\Web Accelerator\webxl.exe” [2005-08-27 04:16] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 00:11] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:44] “BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-09-13 10:12] S3 jnv4_mib;jnv4_mib;??\C:\DOCUME~1\Gosi\USTAWI~1\Temp\jnv4_mib.sys S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-02 16:51:08 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-02 16:51:49 C:\ComboFix2.txt … 2007-11-02 15:12 C:\ComboFix3.txt … 2007-11-02 14:51 . — E O F —

jessica · 2 Listopad 2007 15:59

Wg mnie - jest OK.

jessi

Heta · 2 Listopad 2007 16:26

Wielkie dzięki Jess