Znikający pulpit + problemy z zamykaniem systemu

Dla specjalistów Bezpieczeństwo
#1

http://nuclearworldconflict.com/iran.html

Witam, mam problem tak jak w temacie, komp skanowałem avastem,ad-aware’m, pousuwałem różne badziewia (wirusy i inne) jednak problem jest nadal… poniżej podaję log z prośbą o sprawdzenie:

Logfile of HijackThis v1.99.1 

Scan saved at 09:32:43, on 2007-03-18 

Platform: Windows XP (WinNT 5.01.2600) 

MSIE: Internet Explorer v6.00 (6.00.2600.0000) 


Running processes: 

C:\WINDOWS\System32\smss.exe 

C:\WINDOWS\system32\csrss.exe 

C:\WINDOWS\system32\winlogon.exe 

C:\WINDOWS\system32\services.exe 

C:\WINDOWS\system32\lsass.exe 

C:\WINDOWS\system32\svchost.exe 

C:\WINDOWS\System32\svchost.exe 

C:\WINDOWS\System32\svchost.exe 

C:\WINDOWS\System32\svchost.exe 

C:\WINDOWS\system32\spoolsv.exe 

C:\WINDOWS\explorer.exe 

D:\avast\ashDisp.exe 

C:\Program Files\Gadu-Gadu\gg.exe 

D:\Spyware Doctor\swdoctor.exe 

D:\avast\aswUpdSv.exe 

D:\avast\ashServ.exe 

D:\Spyware Doctor\sdhelp.exe 

D:\avast\setup\avast.setup 

D:\avast\ashMaiSv.exe 

D:\avast\ashWebSv.exe 

C:\WINDOWS\system32\adirka.exe 

C:\Program Files\Internet Explorer\iexplore.exe 

C:\Documents and Settings\Adam\Pulpit\hijackthis\HijackThis.exe 


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza 

F2 - REG:system.ini: Shell=explorer.exe regchk.exe 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 

O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34742~1\Bar888.dll 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx 

O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34742~1\Bar888.dll 

O4 - HKLM\..\Run: [WindowsUpdateR] C:\WINDOWS\System\regserv.exe /s 

O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\System32\adirss.exe 

O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\System32\lnwin.exe 

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k 

O4 - HKLM\..\Run: [avast!] D:\avast\ashDisp.exe 

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray 

O4 - HKCU\..\Run: [Spyware Doctor] "D:\Spyware Doctor\swdoctor.exe" /Q 

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\Office\OFFICE11\EXCEL.EXE/3000 

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Office\OFFICE11\REFIEBAR.DLL 

O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing 

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173487371564 

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173487791923 

O17 - HKLM\System\CCS\Services\Tcpip\..\{BEFB7A67-9A22-4D92-A5B7-6024BCDC1D61}: NameServer = 194.204.159.1,194.204.152.34 

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll (file missing) 

O21 - SSODL: QdyOkodwh - {F47427B1-5EDE-8D1B-2A4D-F132C3D016AA} - C:\WINDOWS\System32\piry.dll (file missing) 

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\avast\aswUpdSv.exe 

O23 - Service: avast! Antivirus - Unknown owner - D:\avast\ashServ.exe 

O23 - Service: avast! Mail Scanner - Unknown owner - D:\avast\ashMaiSv.exe" /service (file missing) 

O23 - Service: avast! Web Scanner - Unknown owner - D:\avast\ashWebSv.exe" /service (file missing) 

O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000271 (file missing) 

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Spyware Doctor\sdhelp.exe

.

#2

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Start => uruchom => wpisz cmd i kliknij OK => w konsoli, która się otworzy wpisz:

Użyj narzędzia SmitFraudFix (wybierz opcję 2). Potem sprawdź co będzie z tego co wskazałem poniżej i usuń: (wszystko oczywiście robisz w trybie awaryjnym z wyłączonym przywracaniem systemu)

Pliki i foldery zaznaczone kasujesz ręcznie z dysku natomiast wpisy w HijackThis.

Pobierz i odpal LSP-Fix zaznacz " I know what I’m doing" następnie w okienku Keep zaznacz bibliotekę rsvp32_2.dll i za pomocą strzałki (>>) przenieś ją do okienka Remover i kliknij Finish i restart.

Spyware Doctor jest programem wątpliwej reputacji dlatego proponuję go usunąć. Sposób usunięcia jest podany tutaj:

http://forum.dobreprogramy.pl/viewtopic … 332#791332

Po wykonaniu pokaż nowy log z HijackThis, SilentRunners oraz zawartość pliku c:\rapport.txt

#3

Nowe Logi:

  1. HijackThis:

    Logfile of HijackThis v1.99.1

    Scan saved at 18:49:24, on 2007-03-19

    Platform: Windows XP (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\Explorer.EXE

    D:\avast\ashDisp.exe

    C:\Program Files\Gadu-Gadu\gg.exe

    D:\avast\aswUpdSv.exe

    D:\avast\ashServ.exe

    D:\avast\ashWebSv.exe

    D:\avast\ashMaiSv.exe

    D:\avast\setup\avast.setup

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Documents and Settings\Adam\Ustawienia lokalne\Temporary Internet Files\Content.IE5\JRYXXXPU\ie6setup[1].exe

    C:\DOCUME~1\Adam\USTAWI~1\Temp\IXP000.TMP\ie6wzd.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Documents and Settings\Adam\Pulpit\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

    O4 - HKLM…\Run: [WindowsUpdateR] C:\WINDOWS\System\regserv.exe /s

    O4 - HKLM…\Run: [sysinter] C:\WINDOWS\System32\adirss.exe

    O4 - HKLM…\Run: [lnwin.exe] C:\WINDOWS\System32\lnwin.exe

    O4 - HKLM…\Run: [avast!] D:\avast\ashDisp.exe

    O4 - HKLM…\Run: [EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU “C:\WINDOWS\TEMP\E_S559.tmp” /EF “HKLM”

    O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM…\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 “C:\DOCUME~1\Adam\USTAWI~1\Temp\IXP000.TMP”

    O4 - HKLM…\RunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanInstallStubs >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS

    O4 - HKLM…\RunOnce: [Regsister WScript] wscript -regserver

    O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

    O4 - HKCU…\Run: [Spyware Doctor] “D:\Spyware Doctor\swdoctor.exe” /Q

    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\Office\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Office\OFFICE11\REFIEBAR.DLL

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173487371564

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173487791923

    O17 - HKLM\System\CCS\Services\Tcpip…{BEFB7A67-9A22-4D92-A5B7-6024BCDC1D61}: NameServer = 194.204.159.1,194.204.152.34

    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\avast\aswUpdSv.exe

    O23 - Service: avast! Antivirus - Unknown owner - D:\avast\ashServ.exe

    O23 - Service: avast! Mail Scanner - Unknown owner - D:\avast\ashMaiSv.exe" /service (file missing)

    O23 - Service: avast! Web Scanner - Unknown owner - D:\avast\ashWebSv.exe" /service (file missing)

  2. plik “raport.txt”:

    SmitFraudFix v2.148

    Scan done at 17:34:50,98, 2007-03-18

    Run from C:\Documents and Settings\Adam\Pulpit\SmitfraudFix\SmitfraudFix

    OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

    The filesystem type is FAT32

    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !Attention, following keys are not inevitably infected!

    SrchSTS.exe by S!Ri

    Search SharedTaskScheduler’s .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\zlbw.dll Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !Attention, following keys are not inevitably infected!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

    “System”=""

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !Attention, following keys are not inevitably infected!

    SrchSTS.exe by S!Ri

    Search SharedTaskScheduler’s .dll

    »»»»»»»»»»»»»»»»»»»»»»»» End

    [/code]

    1. Silent Runners:

[code]“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “{F47427B0-031F-1045-1208-040518990030}” = ““C:\Program Files\Common Files{F47427B0-031F-1045-1208-040518990030}\Update.exe” te-110-12-0000271” [null data] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “Spyware Doctor” = ““D:\Spyware Doctor\swdoctor.exe” /Q” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “WindowsUpdateR” = “C:\WINDOWS\System\regserv.exe /s” [null data] “sysinter” = “C:\WINDOWS\System32\adirss.exe” [file not found] “lnwin.exe” = “C:\WINDOWS\System32\lnwin.exe” [file not found] “avast!” = “D:\avast\ashDisp.exe” [null data] “EPSON Stylus D78 Series” = “C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU “C:\WINDOWS\TEMP\E_S559.tmp” /EF “HKLM”” [“SEIKO EPSON CORPORATION”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “wextract_cleanup0” = “rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 “C:\DOCUME~1\Adam\USTAWI~1\Temp\IXP000.TMP”” [MS] “BrandClearStubs” = “RUNDLL32 IEDKCS32.DLL,BrandCleanInstallStubs >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS” [MS] “Regsister WScript” = “wscript -regserver” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++} “Flags” = hex:0x00000A38 “Title” = “Windows Update” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\101\ {++} “(Default)” = “Usługi przeglądania” [file not found] “002” = “C:\WINDOWS\System32\mlang.dll|DllRegisterServer” [file not found] “004” = “C:\WINDOWS\System32\browseui.dll|DllRegisterServer” [file not found] “005” = “C:\WINDOWS\System32\browseui.dll|DllInstall|I” [file not found] “007” = “C:\WINDOWS\System32\shdocvw.dll|DllRegisterServer” [file not found] “008” = “C:\WINDOWS\System32\shdocvw.dll|DllInstall|I” [file not found] “009” = “C:\WINDOWS\System32\urlmon.dll|DllRegisterServer” [file not found] “010” = “C:\WINDOWS\System32\browsewm.dll|DllRegisterServer” [file not found] “012” = “C:\WINDOWS\System32\mshtml.dll|DllRegisterServer” [file not found] “013” = “C:\WINDOWS\System32\msrating.dll|DllRegisterServer” [file not found] “017” = “C:\WINDOWS\System32\plugin.ocx|DllRegisterServer” [file not found] “018” = “C:\WINDOWS\System32\sendmail.dll|DllRegisterServer” [file not found] “020” = “C:\WINDOWS\System32\asctrls.ocx|DllRegisterServer” [file not found] “021” = “C:\WINDOWS\System32\inetcpl.cpl|DllInstall|I” [file not found] “022” = “C:\WINDOWS\System32\mshtml.dll|DllInstall|I” [file not found] “027” = “C:\WINDOWS\System32\mshtmled.dll|DllRegisterServer” [file not found] “033” = “C:\WINDOWS\System32\proctexe.ocx|DllRegisterServer” [file not found] “034” = “C:\WINDOWS\System32\mshta.exe /register” [MS] “036” = “C:\WINDOWS\System32\dxtrans.dll|DllRegisterServer” [file not found] “037” = “C:\WINDOWS\System32\dxtmsft.dll|DllRegisterServer” [file not found] “035” = “C:\WINDOWS\System32\mstime.dll|DllRegisterServer” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\102\ {++} “(Default)” = “Narzędzia internetowe” [file not found] “002” = “C:\WINDOWS\System32\imgutil.dll|DllRegisterServer” [file not found] “003” = “C:\WINDOWS\System32\pngfilt.dll|DllRegisterServer” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\103\ {++} “019” = “C:\WINDOWS\System32\csseqchk.dll|DllRegisterServer” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\104\ {++} “(Default)” = “Usługi systemowe” [file not found] “002” = “C:\WINDOWS\System32\actxprxy.dll|DllRegisterServer” [file not found] “004” = “C:\WINDOWS\System32\cdfview.dll|DllRegisterServer” [file not found] “007” = “C:\WINDOWS\System32\inseng.dll|DllRegisterServer” [file not found] “008” = “C:\WINDOWS\System32\iesetup.dll|DllInstall|i” [file not found] “013” = “C:\WINDOWS\System32\webcheck.dll|DllRegisterServer” [file not found] “014” = “C:\WINDOWS\System32\occache.dll|DllRegisterServer” [file not found] “015” = “C:\WINDOWS\System32\occache.dll|DllInstall|i” [file not found] “024” = “C:\WINDOWS\System32\iepeers.dll|DllRegisterServer” [file not found] “030” = “C:\Program Files\Common Files\Microsoft Shared\MSInfo\ieinfo5.ocx|DllRegisterServer” [file not found] “079” = “C:\WINDOWS\System32\msident.dll|DllRegisterServer” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\500\ {++} “002” = “C:\WINDOWS\System32\digest.dll|DllInstall|i,HKLM” [file not found] “003” = “C:\WINDOWS\System32\wininet.dll|DllInstall|i,HKLM” [file not found] “010” = “C:\WINDOWS\System32\urlmon.dll|DllInstall|i,HKLM” [file not found] “019” = “C:\WINDOWS\System32\msieftp.dll|DllRegisterServer” [file not found] “087” = “C:\WINDOWS\System32\tdc.ocx|DllRegisterServer” [file not found] “088” = “C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll|DllRegisterServer” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\800\ {++} “000” = “C:\WINDOWS\System32\inetcomm.dll|DllRegisterServer” [file not found] “001” = “C:\Program Files\Outlook Express\msoe.dll|DllRegisterServer” [file not found] “002” = “C:\Program Files\Outlook Express\oeimport.dll|DllRegisterServer” [file not found] “003” = “C:\Program Files\Outlook Express\oemiglib.dll|DllRegisterServer” [file not found] “004” = “C:\Program Files\Common Files\System\directdb.dll|DllRegisterServer” [file not found] “005” = “C:\WINDOWS\System32\msoeacct.dll|DllRegisterServer” [file not found] “006” = “C:\Program Files\Common Files\System\wab32.dll|DllRegisterServer” [file not found] “007” = “C:\Program Files\Outlook Express\wabimp.dll|DllRegisterServer” [file not found] “008” = “C:\Program Files\Outlook Express\wabfind.dll|DllRegisterServer” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\801\ {++} “000” = “C:\WINDOWS\System32\jscript.dll|DllRegisterServer” [file not found] “001” = “C:\WINDOWS\System32\vbscript.dll|DllRegisterServer” [file not found] “002” = “C:\WINDOWS\System32\scrrun.dll|DllRegisterServer” [file not found] “003” = “C:\WINDOWS\System32\scrobj.dll|DllRegisterServer” [file not found] “004” = “C:\WINDOWS\System32\wshext.dll|DllRegisterServer” [file not found] “005” = “C:\WINDOWS\System32\wshcon.dll|DllRegisterServer” [file not found] “006” = “C:\WINDOWS\System32\wshom.ocx|DllRegisterServer” [file not found] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS(Default) = “Dostosowanie przeglądarki” \StubPath = “RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP” [MS] {22d6f312-b0f6-11d0-94ab-0080c74c7e95}(Default) = “Windows Media Player” \StubPath = “rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT” [MS] {44BBA840-CC51-11CF-AAFA-00AA00B6015C}(Default) = “Microsoft Outlook Express 6” \StubPath = ““C:\Program Files\Outlook Express\setup50.exe” /APP:OE /CALLER:WINNT /user /install” [MS] {7790769C-0471-11d2-AF11-00C04FA35D02}(Default) = “Książka adresowa 5” \StubPath = ““C:\Program Files\Outlook Express\setup50.exe” /APP:WAB /CALLER:WINNT /user /install” [MS] {89820200-ECBD-11cf-8B85-00AA005B4383}(Default) = “Internet Explorer 6” \StubPath = “C:\WINDOWS\System32\ie4uinit.exe” [MS] {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}(Default) = “CRLUpdate” \StubPath = “C:\WINDOWS\System32\updcrl.exe -e -u C:\WINDOWS\System32\verisignpub1.crl” [MS] {ACC563BC-4266-43f0-B6ED-9D38C4202C7E}(Default) = “Dostęp do programu Internet Explorer” \StubPath = “rundll32 iesetup.dll,IEAccessUserInst” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Office\OFFICE11\msohev.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\avast\ashShell.dll” [“ALWIL Software”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\avast\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\avast\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoActiveDesktop” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Disable Active Desktop} “ClassicShell” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Enable Classic Shell / Turn on Classic Shell} “ForceActiveDesktopOn” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Enable Active Desktop} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “D:\Office\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““D:\avast\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““D:\avast\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““D:\avast\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““D:\avast\ashWebSv.exe” /service” [“ALWIL Software”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ EPSON Stylus D78 Series 32MonitorBE\Driver = “E_FLBBGE.DLL” [“SEIKO EPSON CORPORATION”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 67 seconds. ---------- (total run time: 398 seconds)

#4

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:

C:\WINDOWS\System\regserv.exe

Klikasz X czerwony i restart kompa.

Będąc w trybie awaryjnym usuń z dysku ręcznie folder:

Otwórz Notatnik i wklej w nim to (przy okazji usunę wszystkie [not found]):

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Użyj progrmu ATF Cleaner i przeczyść Current User Temp oraz All Users Temp.

Usuń wpisy HJT jeśli będą.

Po wykonaniu wklej nowe logi.

#5 
Logfile of HijackThis v1.99.1

Scan saved at 22:21:54, on 2007-03-19

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

D:\avast\ashDisp.exe

C:\Program Files\Gadu-Gadu\gg.exe

D:\avast\aswUpdSv.exe

D:\avast\ashServ.exe

D:\avast\setup\avast.setup

D:\avast\ashMaiSv.exe

D:\avast\ashWebSv.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Adam\Pulpit\Nowy folder\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [avast!] D:\avast\ashDisp.exe

O4 - HKLM\..\Run: [EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\WINDOWS\TEMP\E_S559.tmp" /EF "HKLM"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Spyware Doctor] "D:\Spyware Doctor\swdoctor.exe" /Q

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\Office\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Office\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173487371564

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173487791923

O17 - HKLM\System\CCS\Services\Tcpip\..\{BEFB7A67-9A22-4D92-A5B7-6024BCDC1D61}: NameServer = 194.204.159.1,194.204.152.34

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\avast\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - D:\avast\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\avast\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\avast\ashWebSv.exe" /service (file missing)
#6

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.