Hello!
I caught some viruses and removed them manually, but after the restart the Neostrada connection is dead: no web, no mail, ping doesn't work, yet the connection shows as established; on the second computer everything is fine. Apart from that, I can't change the desktop background; the window with those options is greyed out. Logs:
Logfile of HijackThis v1.99.1 Scan saved at 21:34:32, on 2007-03-15 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ntvdm.exe C:\Program Files\TOSHIBA\PadTouch\PadExe.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\WINDOWS\svchost.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\System32\GEARSec.exe C:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\WINDOWS\svchost.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Documents and Settings\Cezary\Pulpit\naprawa\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://www.google.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL F3 - 
REG:win.ini: load=C:\YDPDict\watch.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll O2 - BHO: (no name) - {435DBFC5-BF5B-8FF7-B8B8-780126B8D2CD} - (no file) O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing) O2 - BHO: (no name) - {762F008D-0013-BA85-F007-0A346E07A0F8} - (no file) O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1{38358~1\Bar888.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1{38358~1\Bar888.dll (file missing) O4 - HKLM…\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM…\Run: [PadTouch] “C:\Program Files\TOSHIBA\PadTouch\PadExe.exe O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe O4 - HKLM…\Run: [sYSTEMS] C:\Program Files\Common Files\rundll32.exe O4 - HKLM…\Run: [load] C:\WINDOWS\uninstall\rundl132.exe O4 - HKLM…\Run: [wsye] C:\WINDOWS\WINLOGON.EXE O4 - HKLM…\Run: [wsvbs] C:\WINDOWS\RUNDLL32.exe O4 - HKLM…\Run: [synu] C:\WINDOWS\svchost.exe O4 - HKLM…\Run: [ipWins] C:\Program Files\Ipwindows\ipwins.exe O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [system] C:\WINDOWS\System32\kernels32.exe O4 - HKLM…\Run: [uvnx] c:\windows\system32\uvnx.exe O4 - HKLM…\Run: 
[spoolsvv] C:\WINDOWS\System32\spoolsvv.exe O4 - HKLM…\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Windows update loader] C:\Windows\xpupdate.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing) O9 - Extra ‘Tools’ menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing) O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O10 - Broken 
Internet access because of LSP provider ‘c:\windows\system32\msnetax.dll’ missing O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://217.118.110.47/SysCamInst.cab O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.com/TVUAx.cab O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.trafficredlight.net/10257-69.exe O18 - Protocol: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\SchmapDocLib.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: 235780M.BMP O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll (file missing) O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing) O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec 
Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe” -e te-110-12-0000338 (file missing) O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: GEARSecurity GEARSecurityCryptSvc (GEARSecurityCryptSvc) - Unknown owner - C:\WINDOWS\System32\ActSkn43x.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “{08358D74-0BF3-1045-1218-030218200030}” = ““C:\Program Files\Common Files{08358D74-0BF3-1045-1218-030218200030}\Update.exe” te-110-12-0000271” [file not found] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “ctfmon.exe” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Windows update loader” = “C:\Windows\xpupdate.exe” [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “TouchED” = “C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” [“TOSHIBA Corporation”] “PadTouch” = "“C:\Program Files\TOSHIBA\PadTouch\PadExe.exe” [file not found] “SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”] “rundll32” = “C:\Program Files\Common Files\rundll32.exe” [file not found] “SYSTEMS” = “C:\Program Files\Common Files\rundll32.exe” [file not found] “load” = “C:\WINDOWS\uninstall\rundl132.exe” [null data] “wsye” = “C:\WINDOWS\WINLOGON.EXE” [file not found] “wsvbs” = “C:\WINDOWS\RUNDLL32.exe” [file not found] “synu” = “C:\WINDOWS\svchost.exe” [MS] “IpWins” = “C:\Program Files\Ipwindows\ipwins.exe” [file not found] “TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”] “System” = “C:\WINDOWS\System32\kernels32.exe” [file not found] “uvnx” = “c:\windows\system32\uvnx.exe” [file not found] “spoolsvv” = “C:\WINDOWS\System32\spoolsvv.exe” [file not found] “Zone Labs Client” = ““C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”” [“Zone Labs, LLC”] “UserFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -u” [MS] “WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] “WOOTASKBARICON” = 
“C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}(Default) = “BitComet ClickCapture” -> {HKLM…CLSID} = “BitComet Helper” \InProcServer32(Default) = “C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll” [“BitComet”] {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}(Default) = (no title provided) -> {HKLM…CLSID} = “CdnForIE Class” \InProcServer32(Default) = “C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll” [file not found] {C1B4DEC2-2623-438e-9CA2-C9043AB28508}(Default) = (no title provided) -> {HKLM…CLSID} = “Bar888” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1{38358~1\Bar888.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{C4213067-97B3-4929-9B98-B5600FBBBA13}” = “TouchED” -> {HKLM…CLSID} = “TouchShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll” [“TOSHIBA Corporation”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików 
programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}” = “ShellPlusContextMenu” -> {HKLM…CLSID} = “Burn4Freecontext menu” \InProcServer32(Default) = “C:\WINDOWS\system32\B4FM.dll” [null data] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes” -> {HKLM…CLSID} = “iTunes” \InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Computer, Inc.”] “{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}” = “Context Menu Shell Extension” -> {HKLM…CLSID} = “Context Menu Shell 
Extension” \InProcServer32(Default) = “C:\PROGRA~1\TAGREN~1\TRshell.dll” [“Softpointer Inc”] “{e82a2d71-5b2f-43a0-97b8-81be15854de8}” = “ShellLink for Application References” -> {HKLM…CLSID} = “ShellLink for Application References” \InProcServer32(Default) = “C:\WINDOWS\System32\dfshim.dll” [MS] “{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}” = “Shell Icon Handler for Application References” -> {HKLM…CLSID} = “Shell Icon Handler for Application References” \InProcServer32(Default) = “C:\WINDOWS\System32\dfshim.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “ewido anti-spyware 4.0” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING! “load” = “C:\YDPDict\watch.exe” [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING! “AppInit_DLLs” = “235780M.BMP” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! A3dxq\DLLName = “C:\WINDOWS\System32\a3dxq.dll” [file not found] INFECTION WARNING! rpcc\DLLName = “C:\WINDOWS\System32\rpcc.dll” [file not found] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! 
text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {66742402-F9B9-11D1-A202-0000F81FEDEE}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ DiskChecker(Default) = “{1FE33981-7BF7-11d3-97B7-0020AF892ACF}” -> {HKLM…CLSID} = “Disk Checker Extension” \InProcServer32(Default) = “chckshll.dll” [empty string] ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] TagRename_ContextMenu(Default) = “{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}” -> {HKLM…CLSID} = “Context Menu Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TAGREN~1\TRshell.dll” [“Softpointer Inc”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = 
“WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ DiskChecker(Default) = “{1FE33981-7BF7-11d3-97B7-0020AF892ACF}” -> {HKLM…CLSID} = “Disk Checker Extension” \InProcServer32(Default) = “chckshll.dll” [empty string] TagRename_ContextMenu(Default) = “{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}” -> {HKLM…CLSID} = “Context Menu Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TAGREN~1\TRshell.dll” [“Softpointer Inc”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] Group Policies [Description]: ----------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ HIJACK WARNING! “ForceActiveDesktopOn”=dword:00000001 [enables Active Desktop and prevents disabling it] HIJACK WARNING! “Wallpaper” = “C:\WINDOWS\desktop.html” [disables the Display Properties|Desktop (tab) (except the “Customize Desktop…” button); selects wallpaper if Active Desktop is enabled] Active Desktop and Wallpaper: ----------------------------- Active Desktop enabled via Group Policy. Wallpaper selected via Group Policy. 
Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Cezary” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “Adobe Reader Synchronizer” -> shortcut to: “C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe” [null data] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] “Szybkie uruchamianie programu Microsoft Office OneNote 2003” -> shortcut to: “C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE /tsr” [MS] Enabled Scheduled Tasks: ------------------------ “Symantec NetDetect” -> launches: “C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE” [“Symantec Corporation”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\System32\msnetax.dll [file not found], 01 - 24, 49 %SystemRoot%\system32\mswsock.dll [MS], 25 - 27, 30 - 48 %SystemRoot%\system32\rsvpsp.dll [MS], 28 - 29 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{C1B4DEC2-2623-438E-9CA2-C9043AB28508}” = (no title provided) -> 
{HKLM…CLSID} = “Bar888” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1{38358~1\Bar888.dll” [file not found] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\ “ButtonText” = “Chinese Navigation” “MenuText” = “Chinese Navigation” “CLSIDExtension” = “{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}” -> {HKLM…CLSID} = “CdnForIE Class” \InProcServer32(Default) = “C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll” [file not found] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): [strings]: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html Missing lines (compared with English-language version): [strings]: 1 line HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Agent SAP, NwSapAgent, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\ipxsap.dll” [MS]} ConfigFree Service, CFSvcs, “C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe” [“TOSHIBA CORPORATION”] DVD-RAM_Service, DVD-RAM_Service, “C:\WINDOWS\System32\DVDRAMSV.exe” [“Matsushita Electric Industrial Co., Ltd.”] ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, “C:\Program Files\ewido anti-spyware 4.0\guard.exe” [“Anti-Malware Development a.s.”] GEARSecurity, GEARSecurity, “C:\WINDOWS\System32\GEARSec.exe” [“GEAR Software”] Norton Ghost, Norton Ghost, “C:\Program 
Files\Norton Ghost\Agent\VProSvc.exe” [“Symantec Corporation”] SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”] Symantec Core LC, Symantec Core LC, “C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe” [“Symantec Corporation”] Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”] Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ EPSON V4 Monitor3SA\Driver = “EBPMON3.DLL” [“SEIKO EPSON CORPORATION”] hpzlnt05\Driver = “hpzlnt05.dll” [“HP”] Monitor 2 języka BJ\Driver = “CNBJMON2.DLL” [MS] Monitor języka PJL\Driver = “PJLMON.DLL” [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 771 seconds, including 18 seconds for message boxes)
Please help.
adam9870
(adam9870)
15 March 2007 21:11
#2
Use Windows Worms Doors Cleaner and switch the markers from disable to enable (all markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.
Start => Run => type cmd and click OK => in the console that opens, type:
Download KillBox, tick Delete on reboot, and in the "full path of file" field paste the path:
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\uninstall\rundl132.exe
After pasting each path separately, click the red X, but only agree to the restart after pasting the last one.
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it as FIX.REG and run it in Safe Mode.
Remove the HJT entries.
Use the SmitFraudFix tool, option number 2, in Safe Mode.
Download and run LSP-Fix, tick "I know what I'm doing", then in the Keep pane select the msnetax.dll library, move it to the Remove pane with the arrow (>>), click Finish and restart.
When done, paste a complete set of new logs:
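A worked example, added here and not part of the original thread or of any tool used in it: a small Python script that applies the same triage to HijackThis lines that the advice above applies by eye. The heuristics are my own (a Windows component name in the wrong folder, a one-character misspelling such as rundl132 or kernels32, a hook whose DLL is gone, a Winsock LSP whose DLL is missing, a DPF entry that fetches a bare .exe); the sample lines are constructed from the logs posted earlier in this thread. On those lines it surfaces, among other hits, the three paths sent to KillBox and the msnetax.dll LSP removed with LSP-Fix. A broken LSP chain makes socket creation fail for every application, which matches web and mail dying while the PPP link itself stays up.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread, not a tool the helpers used. It flags autoruns whose
binary imitates a Windows component (right name in the wrong folder, or one edit away),
hooks whose DLL is already gone, a Winsock LSP whose DLL is missing, and ActiveX DPF
entries that fetch a bare .exe. SAMPLE is constructed from the logs in this thread.
"""
import re

SYSTEM_DIR = r"c:\windows\system32"
# Components malware likes to impersonate; genuine copies live in SYSTEM_DIR.
SYSTEM_STEMS = {"svchost", "winlogon", "rundll32", "spoolsv", "kernel32", "lsass", "services"}

O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\S*\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
EXT_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat|pif))(?=["\s]|$)', re.I)
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.I)

def image_path(cmd):
    """Program path of an autorun command, quotes and arguments stripped, lower-cased."""
    cmd = cmd.strip().replace("\u201c", '"').replace("\u201d", '"')  # logs pasted with curly quotes
    m = EXT_RE.match(cmd)
    tokens = cmd.lstrip('"').split()
    path = m.group("path") if m else (tokens[0] if tokens else "")
    return path.lower().replace("%systemroot%", r"c:\windows")

def levenshtein(a, b):
    """Edit distance; one edit between stems is the classic typosquat (rundl132, kernels32)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impostor(path):
    """Why `path` looks like it imitates a Windows component, or None if it does not."""
    folder, _, filename = path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    if stem in SYSTEM_STEMS:
        return None if folder == SYSTEM_DIR else f"{filename} outside {SYSTEM_DIR}"
    for real in sorted(SYSTEM_STEMS):
        if levenshtein(stem, real) == 1:
            return f"{filename} is one edit away from {real}"
    return None

def triage(lines):
    """Findings (dicts with section, name, path, reason) for a list of HJT log lines."""
    findings, lsp_seen = [], set()
    def add(section, reason, name="", path=""):
        findings.append({"section": section, "name": name, "path": path, "reason": reason})
    for raw in lines:
        line = raw.strip()
        tag = line[:3]
        if m := O4_RE.match(line):
            path = image_path(m.group("cmd"))
            if why := impostor(path):
                add("O4", why, m.group("name"), path)
        elif m := O23_RE.match(line):
            path = image_path(m.group("cmd"))
            why = impostor(path)
            if why or (m.group("owner") == "Unknown owner" and MISSING_RE.search(line)):
                add("O23", why or "unknown owner and file missing", m.group("svc"), path)
        elif tag == "O10":  # HJT prints one O10 line per catalog entry; report each DLL once
            dll = re.search(r"[a-z]:\\\S+?\.dll", line, re.I)
            if dll and dll.group(0).lower() not in lsp_seen:
                lsp_seen.add(dll.group(0).lower())
                add("O10", "Winsock LSP DLL unknown or missing; socket creation fails for every program", path=dll.group(0))
        elif tag == "O16" and re.search(r"https?://\S+\.exe$", line, re.I):
            add("O16", "ActiveX DPF entry fetches a bare .exe", path=line.split(" - ")[-1])
        elif line.startswith("O20 - AppInit_DLLs:"):
            add("O20", "AppInit_DLLs set; loaded into every process that uses user32", name=line.split(":", 1)[1].strip())
        elif tag in {"O2 ", "O3 ", "O9 ", "O20"} and MISSING_RE.search(line):
            add(tag.strip(), "hook points at a file that no longer exists", name=line)
    return findings

def killbox_targets(findings):
    """Paths of impostor autoruns and services: the delete-on-reboot candidates."""
    return sorted({f["path"] for f in findings if f["section"] in ("O4", "O23") and f["path"]})

SAMPLE = r"""
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
O4 - HKLM\..\Run: [wsye] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\Run: [synu] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [system] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\msnetax.dll' missing
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.trafficredlight.net/10257-69.exe
O20 - AppInit_DLLs: 235780M.BMP
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000338 (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
""".strip().splitlines()

if __name__ == "__main__":
    print(*[f"{f['section']} {f['name'] or f['path']}: {f['reason']}" for f in triage(SAMPLE)], sep="\n")
```

Run it as-is for the report on the embedded sample, or feed it a real log with `triage(open(path).read().splitlines())`. Cross-check the delete-on-reboot candidates against the `[file not found]` marks in the Silent Runners output: a Run value whose file is already gone needs only the registry value removed, and a genuine svchost.exe in System32 is never flagged.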
sdar
(sdar)
16 March 2007 09:20
#4
If that's all you have to say in this section, you can safely spare yourself the trouble.
OT -> TRASH
adam9870
(adam9870)
16 March 2007 10:27
#5
Say goodbye to the programs for watching football matches, such as TVAnts.
In Add/Remove Programs uninstall Bar888, IpWins, Outerinfo, Playboy Screensaver, PPLive, PPMate网络电视, TVAnts, TVUPlayer, Video ActiveX Object.
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it as FIX.BAT
Download Gmer.
You will now be working in Gmer, so run it, wait a moment, and click the >>> tab to open the remaining tabs.
After the reset, open Gmer and in the CMD tab, with the REGEDIT.EXE option selected, paste:
Click Run and reset.
Use the SmitFraudFix tool, option number 2, in Safe Mode.
Use the Jeefo disinfection tool:
http://wirusy.antivirenkit.pl/pl/szczepionki/Jeefo.html
Scan the system:
http://www.kaspersky.pl/virusscanner.html
http://www.ewido.net/en/
And delete everything that gets found.
Follow this piece of advice: CLICK.
When done, paste a new ComboScan log and two Gmer logs, regardless of whether Gmer shows an error during removal or not.
I got to the point where I'm supposed to do the online scans, but the computer runs so slowly it's hopeless; most programs won't open, including any browser, and in Safe Mode Neostrada can't be started even though it works fine in normal mode. After a few minutes the computer practically freezes, I restart, and so on in a loop...
adam9870
(adam9870)
16 March 2007 13:42
#7
When you get the list of systems to choose from, are you sure you're selecting Safe Mode with Networking?
If you manage at least to make a ComboScan log and a Gmer log taken with the settings Services + Show all, paste them.
Yes, I was choosing the mode with networking. I only managed to run the Jeefo scan, which wanted to throw out almost all the exe files from the disk; below are the ComboScan and Gmer logs.
ComboScan v20070306.20 run by Cezary on 2007-03-16 at 16:08:52 Computer is in Normal Mode. -------------------------------------------------------------------------------- – HijackThis (run as Cezary.exe) ---------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 16:12:14, on 2007-03-16 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\ntvdm.exe C:\Program Files\TOSHIBA\PadTouch\PadExe.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\PROGRA~1\NEOSTR~1\taskbaricon.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\System32\GEARSec.exe C:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Documents and Settings\Cezary\Pulpit\naprawa\comboscan.exe C:\WINDOWS\svchost.exe C:\DOCUME~1\Cezary\Pulpit\HIJACK~1\Cezary.exe R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://www.google.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - 
C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL F2 - REG:system.ini: Shell=explorer.exe F3 - REG:win.ini: load=C:\YDPDict\watch.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM…\Run: [PadTouch] “C:\Program Files\TOSHIBA\PadTouch\PadExe.exe O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\taskbaricon.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Program 
Files\BitComet\BitComet.exe/AddLink.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: 
c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://217.118.110.47/SysCamInst.cab O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.com/TVUAx.cab O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab O18 - Protocol: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\SchmapDocLib.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. 
- C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: GEARSecurity GEARSecurityCryptSvc (GEARSecurityCryptSvc) - Unknown owner - C:\WINDOWS\System32\ActSkn43x.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. 
- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe – Files created between 2007-02-16 and 2007-03-16 ----------------------------- 2007-03-16 14:32:16 0 --a------ C:\WINDOWS\System32\OUTLWAB.dat 2007-03-16 14:32:16 0 --a------ C:\WINDOWS\System32\lmhsvnv.dat 2007-03-16 13:31:09 1761 --a------ C:\WINDOWS\gmer.reg 2007-03-16 13:04:50 167 --a------ C:\WINDOWS\System32\routvtab.dat 2007-03-16 13:04:50 744 --a------ C:\WINDOWS\System32\mdwmdgsp.dat 2007-03-16 13:04:50 0 --a------ C:\WINDOWS\System32\kbdlvgm.dat 2007-03-16 13:04:50 0 --a------ C:\WINDOWS\System32\IntegNic.dat 2007-03-16 13:04:50 0 --a------ C:\WINDOWS\System32\FM20TG.dat 2007-03-16 01:40:38 2 --a------ C:\WINDOWS\System32\wnsintit.exe 2007-03-16 01:10:43 20480 --a------ C:\WINDOWS\System32\msnetax.dll 2007-03-16 00:42:50 80 --a------ C:\WINDOWS\gmer_uninstall.cmd 2007-03-15 23:41:29 0 d-------- C:!KillBox 2007-03-15 11:53:34 4212 —h----- C:\WINDOWS\System32\zllictbl.dat 2007-03-15 11:52:45 0 d-------- C:\WINDOWS\System32\ZoneLabs 2007-03-15 11:52:06 0 d-------- C:\WINDOWS\Internet Logs 2007-03-13 16:53:20 0 d-------- C:\WINDOWS\ServicePackFiles 2007-03-12 14:37:27 10752 --a------ C:\WINDOWS\System32\ff_vfw.dll 2007-03-12 14:19:00 0 d-------- C:\Program Files\QuickTime Alternative 2007-03-12 14:19:00 0 d-------- C:\Program Files\Media Player Classic 2007-03-07 12:26:29 0 d-------- C:\Program Files\Azureus 2007-03-05 20:52:56 0 --a------ C:\WINDOWS\System32\Thcixm.dat 2007-03-05 20:52:56 56247 --a------ C:\WINDOWS\System32\safrwdlg.dat 2007-03-05 20:52:56 26225 --a------ C:\WINDOWS\System32\psapo.dat 2007-03-05 20:52:56 0 --a------ C:\WINDOWS\System32\ddrawqx.dat 2007-03-02 19:31:11 0 d-------- C:\Program Files\LanMon 2007-02-27 17:57:12 1168 --a------ C:\WINDOWS\mozver.dat 
2007-02-21 21:55:23 0 --a------ C:\WINDOWS\nsreg.dat 2007-02-21 21:54:42 0 d-------- C:\Program Files\Mozilla Firefox – Find3M Report --------------------------------------------------------------- 2007-03-16 16:00:58 0 d-------- C:\Program Files\Neostrada TP 2007-03-16 13:47:01 0 d-------- C:\Program Files\DC++ 2007-03-16 01:51:03 0 d-------- C:\Documents and Settings\Cezary\Dane aplikacji\Azureus 2007-03-16 01:43:30 0 d-a------ C:\Program Files\TVAnts 2007-03-15 02:31:05 0 d-------- C:\Documents and Settings\Cezary\Dane aplikacji\ppStream 2007-03-13 16:53:20 60928 --a------ C:\WINDOWS\System32\mswsock.dll 2007-03-12 14:37:27 0 d-------- C:\Program Files\ffdshow 2007-03-12 14:20:47 0 d-------- C:\Documents and Settings\Cezary\Dane aplikacji\Media Player Classic 2007-03-12 14:19:00 0 d-------- C:\Documents and Settings\Cezary\Dane aplikacji\Apple Computer 2007-03-12 14:03:56 0 d-------- C:\Documents and Settings\Cezary\Dane aplikacji\MPEG Streamclip 2007-03-10 22:12:08 0 d-------- C:\Documents and Settings\Cezary\Dane aplikacji\Skype 2007-03-07 01:05:29 0 d-------- C:\Program Files\BitComet 2007-03-06 16:36:45 0 d-------- C:\Program Files\eMule 2007-03-06 02:08:35 0 d-------- C:\Program Files\Common Files\Adobe 2007-02-21 21:55:10 0 d-------- C:\Documents and Settings\Cezary\Dane aplikacji\Mozilla 2007-02-16 20:31:42 2560 --a------ C:\WINDOWS\System32\BitCometRes.dll 2007-02-12 18:30:32 0 d-------- C:\Program Files\SkanerOnline 2007-02-12 18:01:27 0 d-------- C:\Program Files\ArcaOnline 2007-02-12 01:15:11 192000 -----n— C:\WINDOWS\System32\RAMASST.exe 2007-02-12 01:13:53 192000 --a------ C:\WINDOWS\System32\igfxtray.exe 2007-02-12 01:13:48 187904 --a----c- C:\WINDOWS\System32\igfxdiag.exe 2007-02-11 21:47:56 151040 --a------ C:\WINDOWS\System32\hkcmd.exe 2007-02-11 16:55:29 146944 --a----c- C:\WINDOWS\System32\cselect.exe 2007-02-11 16:53:06 175616 --a------ C:\WINDOWS\TChkCDRW.exe 2007-02-11 16:53:05 175616 --a------ C:\WINDOWS\TChkDVDRWonly.exe 2007-02-11 
16:50:54 192000 --a------ C:\WINDOWS\System32\NeroCheck.exe 2007-02-11 16:50:52 211736 --a------ C:\WINDOWS\System32\wuauclt1.exe 2007-02-11 16:46:55 175616 --a------ C:\WINDOWS\System32\ArcaOnlineUninstall.exe 2007-02-11 16:46:14 167424 --a------ C:\WINDOWS\ChgRXPWT.exe 2007-02-03 17:01:47 0 d-------- C:\Program Files\InetGet2 2007-02-03 14:51:18 57344 --a------ C:\WINDOWS\System32\mmtask.dll 2007-02-03 14:51:18 49664 --a------ C:\WINDOWS\System32\MCI32.dll 2007-01-24 19:35:01 0 d-------- C:\Program Files\Common Files\Logitech 2007-01-24 16:00:56 0 d-------- C:\Program Files\Skype 2007-01-24 16:00:56 0 d-------- C:\Program Files\Common Files\Skype 2007-01-22 12:00:36 719088 --a------ C:\WINDOWS\System32\SkanerOnline.dll 2007-01-20 13:36:53 0 d-------- C:\Documents and Settings\Cezary\Dane aplikacji.ABC 2007-01-19 09:40:42 89088 --a------ C:\WINDOWS\System32\SkanerOnlineUninstall.exe 2007-01-17 14:45:53 0 d-------- C:\Program Files\GetRight 2007-01-04 14:36:16 848 --ahs---- C:\WINDOWS\System32\KGyGaAvL.sys – Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “ctfmon.exe”=“C:\WINDOWS\System32\ctfmon.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” “PadTouch”=”“C:\Program Files\TOSHIBA\PadTouch\PadExe.exe” “SpeedTouch USB Diagnostics”="“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon" “TkBellExe”="“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot" “Zone Labs Client”="“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”" “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\taskbaricon.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “Installed”=“1” “NoChange”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“ewido anti-spyware 4.0” [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoCDBurning”=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{d3fd488b-d538-11d8-9860-806d6172696f}] shell\play\command “C:\Program Files\InterVideo\WinDVD4\WinDVD.exe” %1 – End of ComboScan: finished at 2007-03-16 at 16:12:41 ------------------------
adam9870
(adam9870)
16 March 2007 16:20
#9
Scan the file C:\WINDOWS\System32\mmtask.dll at http://www.virustotal.com/ and, if it turns out to be malicious, add this line at the beginning of FIX.BAT:
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.BAT
From now on you will be working in Gmer, so run it, wait a moment, and click the >>> tab to open the remaining tabs.
In the Processes tab click Gmer awaryjny >>> the computer will restart and only the Gmer window will remain >>> in the Processes tab use the ... (three dots) button to point to FIX.BAT >>> the screen will flicker for a moment and the computer will restart.
Use WinSockFix.
Use the Jeefo removal tool:
http://wirusy.antivirenkit.pl/pl/szczepionki/Jeefo.html
Scan the system:
http://www.kaspersky.pl/virusscanner.html
http://www.ewido.net/en/
and remove everything that is found.
When done, paste a new Gmer log made with the Services + Show all setting, and a ComboFix log.
NOTE: if you cannot scan with one of the online scanners because the computer keeps restarting, try the method described here:
http://www.gmer.net/antivirus.php?lang=pl
I couldn't do the online scan in any mode, not even in Gmer, because it hung quickly or could not even start the scan
“Cezary” - 07-03-16 21:01:52 Dodatek Service Pack. 1 ComboFix 07-03-15.2 - Running from: “C:\Documents and Settings\Cezary\Pulpit\naprawa” (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32.exe C:_desktop.ini C:\DOCUME~1\Cezary\DANEAP~1\Sskcwrd.dll C:\DOCUME~1\Cezary\DANEAP~1\Sskknwrd.dll C:\DOCUME~1\Cezary\DANEAP~1\Sskuknwrd.dll C:\Program Files\Video ActiveX Object\uninst.exe C:\WINDOWS\system32\iexp_log.txt C:\WINDOWS\system32\mm.ini C:\WINDOWS\emdat.tm C:\WINDOWS\emdat.tmp C:\WINDOWS\system32\drivers\npf.sys C:\DOCUME~1\LOCALS~1\DANEAP~1\NetMon C:\DOCUME~1\Cezary\USTAWI~1\DANEAP~1.\Baidu C:\DOCUME~1\Cezary\USTAWI~1\DANEAP~1.\Baidu\bar C:\DOCUME~1\Cezary\USTAWI~1\DANEAP~1.\Baidu\bar\Custom Buttons C:\Program Files\InetGet2 C:\Program Files\Video ActiveX Object C:\WINDOWS\svchost.exe C:\WINDOWS\system32\mswsock_infected.dll C:\WINDOWS\system32\msnetax.dll ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Folders Quarantined: C:\qoobox\purity\DOCUME~1 C:\qoobox\purity\DOCUME~1\Cezary C:\qoobox\purity\DOCUME~1\Cezary\DANEAP~1 C:\qoobox\purity\DOCUME~1\Cezary\DANEAP~1\from.txt C:\qoobox\purity\DOCUME~1\Cezary\DANEAP~1\MANTEC~1 ((((((((((((((((((((((((((((((( Files Created from 2007-02-16 to 2007-03-16 )))))))))))))))))))))))))))))))))) 2007-03-16 18:34 538 --a------ C:\WINDOWS\system32\devequmc.dat 2007-03-16 18:34 157 --a------ C:\WINDOWS\system32\routvtab.dat 2007-03-16 18:34 0 --a------ C:\WINDOWS\system32\wiadefyi.dat 2007-03-16 18:34 0 --a------ C:\WINDOWS\system32\usrcvina.dat 2007-03-16 18:34 0 --a------ C:\WINDOWS\system32\fmifkdp.dat 2007-03-16 16:24 184 --a------ C:\WINDOWS\system32\icmpjvfq.dat 2007-03-16 16:24 0 --a------ C:\WINDOWS\system32\txflodn.dat 2007-03-16 16:24 0 --a------ C:\WINDOWS\system32\MSHTMLU.dat 2007-03-16 16:24 0 --a------ C:\WINDOWS\system32\adsldqq.dat 2007-03-16 13:04 0 --a------ C:\WINDOWS\system32\FM20TG.dat 2007-03-16 10:13 
50,176 --ahs---- C:\WINDOWS\system32\irdvxc.exe 2007-03-15 23:41 2007-03-15 11:53 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat 2007-03-15 11:52 2007-03-15 11:52 2007-03-13 16:53 2007-03-12 14:37 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-03-12 14:20 2007-03-12 14:19 2007-03-12 14:19 2007-03-12 14:03 2007-03-07 12:26 2007-03-07 12:26 2007-03-02 19:31 2007-02-27 17:57 1,168 --a------ C:\WINDOWS\mozver.dat 2007-02-21 21:55 0 --a------ C:\WINDOWS\nsreg.dat (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-03-16 20:45 -------- d-------- C:\Program Files\neostrada tp 2007-03-16 13:47 -------- d-------- C:\Program Files\dc++ 2007-03-16 01:43 -------- d-a------ C:\Program Files\tvants 2007-03-15 02:31 -------- d-------- C:\DOCUME~1\Cezary\DANEAP~1\ppstream 2007-03-13 16:53 265988 --a------ C:\WINDOWS\system32\drivers\ndis.sys 2007-03-12 14:37 -------- d-------- C:\Program Files\ffdshow 2007-03-10 22:12 -------- d-------- C:\DOCUME~1\Cezary\DANEAP~1\skype 2007-03-07 01:05 -------- d-------- C:\Program Files\bitcomet 2007-03-06 16:36 -------- d-------- C:\Program Files\emule 2007-02-16 20:31 2560 --a------ C:\WINDOWS\system32\bitcometres.dll 2007-02-12 18:30 -------- d-------- C:\Program Files\skaneronline 2007-02-12 01:15 192000 --------- C:\WINDOWS\system32\ramasst.exe 2007-02-12 01:13 192000 --a------ C:\WINDOWS\system32\igfxtray.exe 2007-02-12 01:13 187904 --a–c— C:\WINDOWS\system32\igfxdiag.exe 2007-02-11 21:47 151040 --a------ C:\WINDOWS\system32\hkcmd.exe 2007-02-11 16:55 146944 --a–c— C:\WINDOWS\system32\cselect.exe 2007-02-11 16:53 175616 --a------ C:\WINDOWS\tchkdvdrwonly.exe 2007-02-11 16:53 175616 --a------ C:\WINDOWS\tchkcdrw.exe 2007-02-11 16:50 211736 --a------ C:\WINDOWS\system32\wuauclt1.exe 2007-02-11 16:50 192000 --a------ C:\WINDOWS\system32\nerocheck.exe 2007-02-11 16:46 175616 --a------ C:\WINDOWS\system32\arcaonlineuninstall.exe 2007-02-11 16:46 167424 --a------ 
C:\WINDOWS\chgrxpwt.exe 2007-02-03 14:51 57344 --a------ C:\WINDOWS\system32\mmtask.dll 2007-02-03 14:51 49664 --a------ C:\WINDOWS\system32\mci32.dll 2007-01-24 16:00 -------- d-------- C:\Program Files\skype 2007-01-24 16:00 -------- d-------- C:\Program Files\Common Files\skype 2007-01-22 12:00 719088 --a------ C:\WINDOWS\system32\skaneronline.dll 2007-01-19 09:40 89088 --a------ C:\WINDOWS\system32\skaneronlineuninstall.exe 2007-01-17 14:45 -------- d-------- C:\Program Files\getright 2007-01-04 14:36 848 --ahs---- C:\WINDOWS\system32\kgygaavl.sys (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “ctfmon.exe”=“C:\WINDOWS\System32\ctfmon.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” “PadTouch”="“C:\Program Files\TOSHIBA\PadTouch\PadExe.exe” “SpeedTouch USB Diagnostics”="“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon" “TkBellExe”="“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot" “Zone Labs Client”="“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”" “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\taskbaricon.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “Installed”=“1” “NoChange”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“ewido anti-spyware 4.0” 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoCDBurning”=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{d3fd488b-d538-11d8-9860-806d6172696f}] shell\play\command “C:\Program Files\InterVideo\WinDVD4\WinDVD.exe” %1 Contents of the ‘Scheduled Tasks’ folder C:\WINDOWS\tasks\Symantec NetDetect.job ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-03-16 21:51:32
adam9870
(adam9870)
16 March 2007 21:44
#11
Download The Avenger. Unpack it => run it => select the Input script manually option => click the magnifying glass => in the window that opens, paste:
=> click the Done button => now click the green light => a message should appear; click OK (the computer restarts now).
After the restart a window may appear for literally a few seconds, along with a log in Notepad. Go to the folder where you have Avenger and delete the backup.zip file, e.g. c:\avenger\backup.zip.
When done, paste a new log from ComboFix, from Gmer (Services + Show all) and the contents of the file c:\avenger.txt
after all that there was no backup.zip in the Avenger folder; overall it's much better now, programs and browsers work, only the Neostrada connection drops by itself after ten-odd seconds or a few minutes
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mwshvmpt

*******************

Script file located at: ??\C:\WINDOWS\mgdgcojr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver MSDisk unloaded successfully.

Registry key \Registry\Machine\System\CurrentControlSet\Services\NPF not found!
Unload of driver NPF failed!
  Could not process line:
  NPF
  Status: 0xc0000034

Folder C:\Program Files\tvants deleted successfully.
Folder C:\qoobox deleted successfully.
Folder C:!KillBox deleted successfully.

File C:\WINDOWS\system32\devequmc.dat deleted successfully.
File C:\WINDOWS\system32\routvtab.dat deleted successfully.
File C:\WINDOWS\system32\wiadefyi.dat deleted successfully.
File C:\WINDOWS\system32\usrcvina.dat deleted successfully.
File C:\WINDOWS\system32\fmifkdp.dat deleted successfully.
File C:\WINDOWS\system32\icmpjvfq.dat deleted successfully.
File C:\WINDOWS\system32\txflodn.dat deleted successfully.
File C:\WINDOWS\system32\MSHTMLU.dat deleted successfully.
File C:\WINDOWS\system32\adsldqq.dat deleted successfully.
File C:\WINDOWS\system32\FM20TG.dat deleted successfully.
File C:\WINDOWS\system32\irdvxc.exe deleted successfully.

File C:\WINDOWS\System32\DRIVERS\npf.sys not found!
Deletion of file C:\WINDOWS\System32\DRIVERS\npf.sys failed!
  Could not process line:
  C:\WINDOWS\System32\DRIVERS\npf.sys
  Status: 0xc0000034

Completed script processing.

*******************

Finished!  Terminate.
“Cezary” - 07-03-16 23:06:40 Dodatek Service Pack. 1 ComboFix 07-03-15.2 - Running from: “C:\Documents and Settings\Cezary\Pulpit\naprawa” (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\svchost.exe C:\WINDOWS\system32\msnetax.dll ((((((((((((((((((((((((((((((( Files Created from 2007-02-16 to 2007-03-16 )))))))))))))))))))))))))))))))))) 2007-03-16 23:02 2007-03-16 23:01 58 --a------ C:\WINDOWS\system32\msihnj.dat 2007-03-16 23:01 155 --a------ C:\WINDOWS\system32\routvtab.dat 2007-03-16 23:01 0 --a------ C:\WINDOWS\system32\MSHTMLAZ.dat 2007-03-16 23:01 0 --a------ C:\WINDOWS\system32\jgsd40za.dat 2007-03-16 23:01 0 --a------ C:\WINDOWS\system32\cnbjmov.dat 2007-03-16 21:58 132 --a------ C:\WINDOWS\system32\batmeter.dat 2007-03-16 21:58 0 --a------ C:\WINDOWS\system32\vsutii.dat 2007-03-16 21:58 0 --a------ C:\WINDOWS\system32\ff_vfvh.dat 2007-03-16 21:58 0 --a------ C:\WINDOWS\system32\dsdmcaiv.dat 2007-03-15 11:53 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat 2007-03-15 11:52 2007-03-15 11:52 2007-03-13 16:53 2007-03-12 14:37 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-03-12 14:20 2007-03-12 14:19 2007-03-12 14:19 2007-03-12 14:03 2007-03-07 12:26 2007-03-07 12:26 2007-03-02 19:31 2007-02-27 17:57 1,168 --a------ C:\WINDOWS\mozver.dat 2007-02-21 21:55 0 --a------ C:\WINDOWS\nsreg.dat (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-03-16 22:52 -------- d-------- C:\Program Files\dc++ 2007-03-16 22:50 -------- d-------- C:\Program Files\neostrada tp 2007-03-15 02:31 -------- d-------- C:\DOCUME~1\Cezary\DANEAP~1\ppstream 2007-03-13 16:53 265988 --a------ C:\WINDOWS\system32\drivers\ndis.sys 2007-03-12 14:37 -------- d-------- C:\Program Files\ffdshow 2007-03-10 22:12 -------- d-------- C:\DOCUME~1\Cezary\DANEAP~1\skype 2007-03-07 01:05 -------- d-------- C:\Program Files\bitcomet 2007-03-06 16:36 -------- 
d-------- C:\Program Files\emule 2007-02-16 20:31 2560 --a------ C:\WINDOWS\system32\bitcometres.dll 2007-02-12 18:30 -------- d-------- C:\Program Files\skaneronline 2007-02-12 01:15 192000 --------- C:\WINDOWS\system32\ramasst.exe 2007-02-12 01:13 192000 --a------ C:\WINDOWS\system32\igfxtray.exe 2007-02-12 01:13 187904 --a–c— C:\WINDOWS\system32\igfxdiag.exe 2007-02-11 21:47 151040 --a------ C:\WINDOWS\system32\hkcmd.exe 2007-02-11 16:55 146944 --a–c— C:\WINDOWS\system32\cselect.exe 2007-02-11 16:53 175616 --a------ C:\WINDOWS\tchkdvdrwonly.exe 2007-02-11 16:53 175616 --a------ C:\WINDOWS\tchkcdrw.exe 2007-02-11 16:50 211736 --a------ C:\WINDOWS\system32\wuauclt1.exe 2007-02-11 16:50 192000 --a------ C:\WINDOWS\system32\nerocheck.exe 2007-02-11 16:46 175616 --a------ C:\WINDOWS\system32\arcaonlineuninstall.exe 2007-02-11 16:46 167424 --a------ C:\WINDOWS\chgrxpwt.exe 2007-02-03 14:51 57344 --a------ C:\WINDOWS\system32\mmtask.dll 2007-02-03 14:51 49664 --a------ C:\WINDOWS\system32\mci32.dll 2007-01-24 16:00 -------- d-------- C:\Program Files\skype 2007-01-24 16:00 -------- d-------- C:\Program Files\Common Files\skype 2007-01-22 12:00 719088 --a------ C:\WINDOWS\system32\skaneronline.dll 2007-01-19 09:40 89088 --a------ C:\WINDOWS\system32\skaneronlineuninstall.exe 2007-01-17 14:45 -------- d-------- C:\Program Files\getright 2007-01-04 14:36 848 --ahs---- C:\WINDOWS\system32\kgygaavl.sys (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “ctfmon.exe”=“C:\WINDOWS\System32\ctfmon.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” “PadTouch”="“C:\Program Files\TOSHIBA\PadTouch\PadExe.exe” “SpeedTouch USB Diagnostics”="“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon" “TkBellExe”="“C:\Program 
Files\Common Files\Real\Update_OB\realsched.exe” -osboot" “Zone Labs Client”="“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”" “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\taskbaricon.exe” “UserFaultCheck”=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\ 6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “Installed”=“1” “NoChange”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“ewido anti-spyware 4.0” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoCDBurning”=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{d3fd488b-d538-11d8-9860-806d6172696f}] shell\play\command “C:\Program Files\InterVideo\WinDVD4\WinDVD.exe” %1 Contents of the ‘Scheduled Tasks’ folder C:\WINDOWS\tasks\Symantec NetDetect.job ******************************************************************** catchme 0.2 W2K/XP/Vista - userland 
rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-03-16 23:16:33 C:\ComboFix2.txt … 07-03-16 21:51
adam9870
(adam9870)
16 March 2007 22:35
#13
In Gmer:
In the Processes tab click Gmer awaryjny. The computer will restart and only the Gmer window will remain.
In the Services tab, right-click the PowerManager service and delete it.
In the Processes tab click Files and delete:
Restart the computer with the button on the case.
Scan online and with the Jeefo removal tool, as I advised earlier.
Check the properties of this driver, C:\windows\system32\drivers\ProcPt.sys, and scan it at http://virusscan.jotti.org/ and http://www.virustotal.com/
When done, report back and post a new Combo log and two Gmer logs.
I finally managed to do the online scan, but the file I was supposed to send for analysis isn't in that folder. Everything seems to be OK now except Neostrada, which disconnects by itself after 30 minutes and cannot be started again without a restart. Logs:
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-17 18:04:09
Windows 5.1.2600 Dodatek Service Pack. 1

---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwCallbackReturn + 2044 804FBCD4 12 Bytes [B0, 7E, 03, EE, C0, E6, 03, ...]
? C:\WINDOWS\system32\drivers\NDIS.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
? srescan.sys Nie można odnaleźć określonego pliku.
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 720342D8
.text ntoskrnl.exe!ZwYieldExecution + 2390 804FBCD4 12 Bytes [B0, 7E, 03, EE, C0, E6, 03, ...]

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE ECAB23DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE ECAB23DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ ECAB23DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION ECAB23DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION ECAB23DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION ECAB23DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL ECAB23DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL ECAB23DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL ECAB23DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN ECAB57CB
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL ECAB23DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP ECAB23DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP ECAB23DF
Device \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible ECAB5733

---- Modules - GMER 1.0.12 ----

Module (noname) (*** hidden *** ) BAB7C000
Module (noname) (*** hidden *** ) F6330000

---- EOF - GMER 1.0.12 ----
“Cezary” - 07-03-17 18:05:41 Dodatek Service Pack. 1 ComboFix 07-03-15.2 - Running from: “C:\Documents and Settings\Cezary\Pulpit\naprawa” (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\svchost.exe C:\WINDOWS\system32\msnetax.dll ((((((((((((((((((((((((((((((( Files Created from 2007-02-17 to 2007-03-17 )))))))))))))))))))))))))))))))))) 2007-03-17 13:07 2007-03-17 00:16 6,209,536 --a------ C:\DOCUME~1\Cezary\ntuser.dat 2007-03-16 23:58 198 --a------ C:\WINDOWS\system32\htuiiue.dat 2007-03-16 23:58 0 --a------ C:\WINDOWS\system32\wuauenz1.dat 2007-03-16 23:58 0 --a------ C:\WINDOWS\system32\VSFilHer.dat 2007-03-16 23:58 0 --a------ C:\WINDOWS\system32\initbkia.dat 2007-03-16 23:54 928 --a------ C:\WINDOWS\system32\rpcnsk.dat 2007-03-16 23:54 294 --a------ C:\WINDOWS\system32\routvtab.dat 2007-03-16 23:54 0 --a------ C:\WINDOWS\system32\wmasf.dat 2007-03-16 23:54 0 --a------ C:\WINDOWS\system32\lpkqhs.dat 2007-03-16 23:54 0 --a------ C:\WINDOWS\system32\d3dx9_D8.dat 2007-03-16 23:02 2007-03-16 21:58 0 --a------ C:\WINDOWS\system32\ff_vfvh.dat 2007-03-15 11:53 4,212 —h----- C:\WINDOWS\system32\zllictbl.dat 2007-03-15 11:52 2007-03-15 11:52 2007-03-13 16:53 2007-03-12 14:37 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-03-12 14:20 2007-03-12 14:19 2007-03-12 14:19 2007-03-12 14:03 2007-03-07 12:26 2007-03-07 12:26 2007-03-02 19:31 2007-02-27 17:57 1,168 --a------ C:\WINDOWS\mozver.dat 2007-02-21 21:55 0 --a------ C:\WINDOWS\nsreg.dat (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-03-17 17:03 -------- d-------- C:\Program Files\neostrada tp 2007-03-17 13:13 -------- d-------- C:\Program Files\dc++ 2007-03-17 01:03 79606 --a------ C:\WINDOWS\system32\perfc015.dat 2007-03-17 01:03 458260 --a------ C:\WINDOWS\system32\perfh015.dat 2007-03-15 02:31 -------- d-------- C:\DOCUME~1\Cezary\DANEAP~1\ppstream 2007-03-13 
16:53 265988 --a------ C:\WINDOWS\system32\drivers\ndis.sys 2007-03-12 14:37 -------- d-------- C:\Program Files\ffdshow 2007-03-10 22:12 -------- d-------- C:\DOCUME~1\Cezary\DANEAP~1\skype 2007-03-07 01:05 -------- d-------- C:\Program Files\bitcomet 2007-03-06 16:36 -------- d-------- C:\Program Files\emule 2007-02-16 20:31 2560 --a------ C:\WINDOWS\system32\bitcometres.dll 2007-02-12 18:30 -------- d-------- C:\Program Files\skaneronline 2007-02-12 01:15 192000 --------- C:\WINDOWS\system32\ramasst.exe 2007-02-12 01:13 192000 --a------ C:\WINDOWS\system32\igfxtray.exe 2007-02-12 01:13 187904 --a–c— C:\WINDOWS\system32\igfxdiag.exe 2007-02-11 21:47 151040 --a------ C:\WINDOWS\system32\hkcmd.exe 2007-02-11 16:55 146944 --a–c— C:\WINDOWS\system32\cselect.exe 2007-02-11 16:53 175616 --a------ C:\WINDOWS\tchkdvdrwonly.exe 2007-02-11 16:53 175616 --a------ C:\WINDOWS\tchkcdrw.exe 2007-02-11 16:50 211736 --a------ C:\WINDOWS\system32\wuauclt1.exe 2007-02-11 16:50 192000 --a------ C:\WINDOWS\system32\nerocheck.exe 2007-02-11 16:46 175616 --a------ C:\WINDOWS\system32\arcaonlineuninstall.exe 2007-02-11 16:46 167424 --a------ C:\WINDOWS\chgrxpwt.exe 2007-02-03 14:51 49664 --a------ C:\WINDOWS\system32\mci32.dll 2007-01-24 16:00 -------- d-------- C:\Program Files\skype 2007-01-24 16:00 -------- d-------- C:\Program Files\Common Files\skype 2007-01-22 12:00 719088 --a------ C:\WINDOWS\system32\skaneronline.dll 2007-01-19 09:40 89088 --a------ C:\WINDOWS\system32\skaneronlineuninstall.exe 2007-01-17 14:45 -------- d-------- C:\Program Files\getright 2007-01-04 14:36 848 --ahs---- C:\WINDOWS\system32\kgygaavl.sys (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “ctfmon.exe”=“C:\WINDOWS\System32\ctfmon.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] 
“TouchED”=“C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” “PadTouch”="“C:\Program Files\TOSHIBA\PadTouch\PadExe.exe” “SpeedTouch USB Diagnostics”="“C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon" “TkBellExe”="“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot" “Zone Labs Client”="“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”" “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” “WOOTASKBARICON”=“C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “Installed”=“1” “NoChange”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“ewido anti-spyware 4.0” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] “NoCDBurning”=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{d3fd488b-d538-11d8-9860-806d6172696f}] shell\play\command “C:\Program Files\InterVideo\WinDVD4\WinDVD.exe” %1 *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_POWERMANAGER Contents of the ‘Scheduled Tasks’ 
folder C:\WINDOWS\tasks\Symantec NetDetect.job ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-03-17 18:15:31 C:\ComboFix2.txt … 07-03-16 23:16 C:\ComboFix3.txt … 07-03-16 21:51
adam9870
(adam9870)
17 March 2007 19:42
#15
In GMER, on the Processes tab choose "Gmer awaryjny" (GMER safe mode) >>> after the reboot, on the Services tab right-click and delete the PowerManager service >>> reboot >>> scan with the online scanners and remove EVERYTHING that is found (even if it turns out to be your own programs).
Try deleting those files through GMER (you already know the procedure: Gmer awaryjny, Processes tab, Files option, reboot).
Clean out the TEMP folders with ATF Cleaner.
I removed what I could, but the antiviruses want to throw out all the exe files, even the ones belonging to the antiviruses, Neostrada, the printer drivers and the programs preinstalled by Toshiba.
After the last post everything was fine, until after about 100 minutes the Neostrada connection dropped by itself again... I noticed then in TaskInfo that the process C:\windows\system32\svchost.exe -k netsvc was using over 80% of the CPU... and c:\windows\svchost.exe is back, what actually is it??? Oh, and at the same moment Neostrada dropped, lsass.exe asked ZoneAlarm to let it through...
adam9870
(adam9870)
18 March 2007 09:35
#17
Remove everything the security programs find, even programs you installed yourself. You will reinstall them afterwards. You had, or still have (as shown by the PowerManager service and the c:\windows\svchost.exe process), the Jeefo virus. Like every virus, it is characterised by infecting executable *.exe files.
Open Notepad and paste:
File >>> Save As >>> change the file type from TXT to All Files >>> save it as FIX.BAT and run it in Safe Mode.
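One defender-side check that the thread's observation suggests, as an added example that is not part of the original thread or of any tool mentioned in it: a system binary name such as svchost.exe running from C:\WINDOWS instead of C:\WINDOWS\System32 is exactly the kind of location anomaly the HijackThis "Running processes:" list makes visible. The code assumes the XP-era layout from the logs (%SystemRoot% = C:\WINDOWS) and uses a constructed sample list, not the actual log from the post.

```python
import re
import ntpath

# Directories (lower-case) in which Windows XP installs each core binary.
# Assumption for this example: %SystemRoot% is C:\WINDOWS, as in the logs.
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

def parse_running_processes(log: str) -> list[str]:
    r"""Return the image paths HijackThis lists after 'Running processes:'.

    Works on one-path-per-line logs and on the flattened single-line form a
    forum paste produces: the section ends at the first HijackThis entry
    (R0/R1/F2/O4/... - ...) and paths are split at each drive-letter prefix,
    so paths containing spaces stay intact.
    """
    m = re.search(r"Running processes:(.*?)(?=\s[A-Z]\d{1,2} - |\Z)", log, re.S)
    if not m:
        return []
    parts = re.split(r"\s+(?=[A-Za-z]:\\)", m.group(1))
    return [p.strip() for p in parts if p.strip()]

def suspicious_system_binaries(paths: list[str]) -> list[str]:
    r"""Flag paths whose file name is a core system binary but whose
    directory is not where Windows installs it (e.g. C:\WINDOWS\svchost.exe)."""
    hits = []
    for p in paths:
        name = ntpath.basename(p).lower()
        parent = ntpath.dirname(p).lower()
        allowed = EXPECTED_DIRS.get(name)
        if allowed is not None and parent not in allowed:
            hits.append(p)
    return hits

# Constructed sample in the flattened form seen in the thread (not the real
# log from the post); the only anomaly in it is C:\WINDOWS\svchost.exe.
SAMPLE_LOG = (
    "Running processes: C:\\WINDOWS\\System32\\smss.exe "
    "C:\\WINDOWS\\system32\\lsass.exe C:\\WINDOWS\\svchost.exe "
    "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe "
    "C:\\WINDOWS\\Explorer.EXE "
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer,(Default) = http://www.google.com"
)
```

Calling `suspicious_system_binaries(parse_running_processes(SAMPLE_LOG))` returns only the misplaced svchost.exe path; a name-only check would have passed it, since the file name matches a legitimate binary.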
I see, but that means all the installers are infected too. Is there any way to clean them? Because I am not keen on downloading 30-odd different programs again...
adam9870
(adam9870)
18 March 2007 12:11
#19
Use the Jeefo removal tool, as I advised, and scan the system with the online scanners. At worst you will have to remove a few programs...