NEC
(Momg)
8 Grudzień 2006 15:54
#1
Witam proszę o sprawdzenie logów:
Spybot wykrywa mi zmiany rejestru ktorych nie moge usunac,
mam także problemy z jakims trojanem przy uruchomieniu sytemu i przegladaniu stron internetowych.
Logfile of HijackThis v1.99.1 Scan saved at 16:47:11, on 2006-12-08 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\WINDOWS\System32\lxctcoms.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\WINDOWS\Mixer.exe C:\Program Files\Lexmark 5400 Series\lxctmon.exe C:\Program Files\Lexmark 5400 Series\ezprint.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\WhatPulse\WhatPulse.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe C:\Documents and Settings\xxx\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file) O2 - BHO: (no name) - {169136C5-5CED-47D0-A587-0D0B19F57BF8} - C:\Program Files\Internet Explorer\niwyhaxi.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [keyboard] C:\kybrdff_e41.exe O4 - HKLM…\Run: [kav] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe” O4 - HKLM…\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [lxctmon.exe] “C:\Program Files\Lexmark 5400 Series\lxctmon.exe” O4 - HKLM…\Run: [Lexmark 5400 Series Fax Server] “C:\Program Files\Lexmark 5400 Series\fm3032.exe” /s O4 - HKLM…\Run: [EzPrint] “C:\Program Files\Lexmark 5400 Series\ezprint.exe” O4 - HKLM…\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16 O4 - HKLM…\Run: [Microsoft Directx clicks] directxclickers.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\RunServices: [Wins Network ks32] netwkrs32.exe O4 - HKLM…\RunServices: [Microsoft Directx clicks] directxclickers.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe O4 - HKCU…\Run: [Microsoft Directx clicks] directxclickers.exe O4 - HKCU…\RunServices: [Microsoft Directx clicks] directxclickers.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll O17 - HKLM\System\CCS\Services\Tcpip…{ED9C1A19-7356-4436-AD45-73DE84C15593}: NameServer = 194.204.152.34 217.98.63.164 O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe O23 - Service: lxct_device - - C:\WINDOWS\System32\lxctcoms.exe
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “WhatPulse” = “C:\Program Files\WhatPulse\WhatPulse.exe” [null data] “Microsoft Directx clicks” = “directxclickers.exe” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] “WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”] “keyboard” = “C:\kybrdff_e41.exe” [file not found] “kav” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe”” [“Kaspersky Lab”] “(Default)” = “(empty string)” [file not found] “C-Media Mixer” = “Mixer.exe /startup” [“C-Media Electronic Inc. (http://www.cmedia.com.tw )”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “lxctmon.exe” = ““C:\Program Files\Lexmark 5400 Series\lxctmon.exe”” [null data] “Lexmark 5400 Series Fax Server” = ““C:\Program Files\Lexmark 5400 Series\fm3032.exe” /s” [empty string] “EzPrint” = ““C:\Program Files\Lexmark 5400 Series\ezprint.exe”” [“Lexmark International Inc.”] “LXCTCATS” = “rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16” [MS] “Microsoft Directx clicks” = “directxclickers.exe” [file not found] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {169136C5-5CED-47D0-A587-0D0B19F57BF8}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Internet Explorer\niwyhaxi.dll” [file not found] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {C08DF07A-3E49-4E25-9AB0-D3882835F153}(Default) = (no title provided) -> {HKLM…CLSID} = “QUICKfind BHO Object” \InProcServer32(Default) = “C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{85E0B171-04FA-11D1-B7DA-00A0C90348D6}” = “Ochrona WWW” -> {HKLM…CLSID} = “Ochrona WWW” \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll” [“Kaspersky Lab”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> klogon\DLLName = “C:\WINDOWS\System32\klogon.dll” [“Kaspersky Lab”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll” [“Kaspersky Lab”] PowerArchiver(Default) = “{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}” -> {HKLM…CLSID} = “PowerArchiver Shell Extensions” \InProcServer32(Default) = “C:\Program Files\PowerArchiver\PASHLEXT.DLL” [“ConeXware, Inc.”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll” [“Kaspersky Lab”] PowerArchiver(Default) = “{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}” -> {HKLM…CLSID} = “PowerArchiver Shell Extensions” \InProcServer32(Default) = “C:\Program Files\PowerArchiver\PASHLEXT.DLL” [“ConeXware, Inc.”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “xxx” & “All Users” startup folders: ----------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W” [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{85E0B171-04FA-11D1-B7DA-00A0C90348D6}(Default) = “Ochrona WWW” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll” [“Kaspersky Lab”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\ “ButtonText” = “Ochrona WWW” Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Kaspersky Anti-Virus 6.0, AVP, “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe -r” [“Kaspersky Lab”] lxct_device, lxct_device, “C:\WINDOWS\System32\lxctcoms.exe -service” [" “] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ 5400 Series Port\Driver = “lxctlmpm.dll” [” "] Fax Lexmark 5400 Series Port\Driver = “lxctpmon.dll” [empty string] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 136 seconds. ---------- (total run time: 401 seconds)
Bieniol
(Bbieniol)
8 Grudzień 2006 16:00
#2
Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (jeżeli jakieś znaczki są żółte, to niech takie zostaną). Po użyciu tego narzędzia wymagany jest reset sysa.
Użyj narzędzia -> SmitFraudFix (w trybie awaryjnym z opcji 2 )
W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):
Po zabiegach nowy log z Hijacka + log z Silent Runners + raport ze SmitFraudFix
NEC
(Momg)
8 Grudzień 2006 16:47
#3
Zajmuje sie takim problemem 1 raz
Nie bardzo rozumiem o co chodzi, mam na mysli uruchomienie (w trybie awaryjnym z opcji 2) czyli?
Bieniol
(Bbieniol)
8 Grudzień 2006 16:51
#4
Wszystko masz opisane tutaj -> http://forum.dobreprogramy.pl/viewtopic … 329#539329
Przeczytaj dokładnie, a sytuacja stanie się jasna