HERE IS THE LOG TO CHECK

IP: *.stenhamra.adminor.net 20.05.05, 18:30
Logfile of HijackThis v1.99.1
Scan saved at 6:29:44 PM, on 5/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Camilla\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AGBMonitor] C:\Program Files\Antiy Labs\AGB4\Monitor.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\New Folder\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.aflashcounter.com
O15 - Trusted Zone: *.razespyware.com
O16 - DPF: ING Bank Online - ssl.bsk.com.pl/bskonl/component/INGOnl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115472777619
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - skaner.mks.com.pl/SkanerOnline.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

    • Guest: Kolobos Re: HERE IS THE LOG TO CHECK IP: *.warszawa.sdi.tpnet.pl 20.05.05, 18:52
      Why did you post this in a separate thread? Was something wrong with the other one?
      Not to mention the earlier ones.

      This CWS works like this:

      CoolWebSearch/InetDoor: a homepage- and search hijacker and backdoor controlled
      and distributed by crdrcr.com, currently targeted at the related domains
      findtop.net, redtr.com and find-it-easy.org. Stored as a DLL in the System
      folder with a name of the form msNNNNNN.dll, where NNNNNN is a hexadecimal
      number which varies; so far, ms0b920b.dll and ms9b1d3f.dll have been seen.
      InetDoor ‘infects’ legitimate executable files by adding its DLL to their
      built-in ‘import tables’ of dependencies, ensuring that the DLL will be loaded
      whenever they are run. InetDoor targets programs that are set to run on Windows
      startup, so that it will be run on startup too. Removal is tricky; deleting
      just the DLL will leave the ‘infected’ programs unable to run.

      I don't know how to fix it; even if you delete those dll files, the exe files it
      infected will stop running.
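The description above says InetDoor adds its DLL to the import tables of programs that run at startup, and the removal advice later in the thread depends on knowing which startup executables carry that import before the dummy-DLL swap. As an added example (not code from this thread or from any of the pages it links to), here is a small Python check that walks a PE file's import directory and flags any imported DLL whose name fits the msNNNNNN.dll pattern quoted above. Because it has to run offline, it also constructs a minimal PE32 image inline as a fixture; that fixture, and the helper and function names, are this example's own, while the name pattern and the sample name ms0b920b.dll come from the description in the post.

```python
import re
import struct

# Naming pattern from the description above: msNNNNNN.dll, NNNNNN six hex digits.
INETDOOR_NAME = re.compile(r"^ms[0-9a-f]{6}\.dll$", re.IGNORECASE)


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def _cstring(data, offset):
    """Read a NUL-terminated ASCII string starting at offset."""
    return data[offset:data.index(b"\x00", offset)].decode("ascii", "replace")


def imported_dlls(data):
    """Return the DLL names in a PE32/PE32+ file's import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                           # after the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)                # data-directory offset: PE32 / PE32+
    if dd_base is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, opt + dd_base - 4)[0]      # NumberOfRvaAndSizes
    if n_dirs < 2:
        return []
    import_rva = struct.unpack_from("<I", data, opt + dd_base + 8)[0]  # directory entry 1: imports
    if import_rva == 0:
        return []
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    names = []
    desc = _rva_to_offset(import_rva, sections)
    while True:
        name_rva = struct.unpack_from("<I", data, desc + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:
            break                                               # all-zero terminator entry
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
        desc += 20
    return names


def suspicious_imports(data):
    """Imported DLL names that fit the InetDoor pattern; empty for a clean file."""
    return [name for name in imported_dlls(data) if INETDOOR_NAME.match(name)]


def build_sample_pe(dll_names):
    """Constructed minimal PE32 image (headers plus one .idata section) that imports
    the given DLLs. It is a fixture for this example, not a runnable program."""
    sect_rva, sect_off = 0x1000, 0x200
    ndesc = len(dll_names) + 1                                  # descriptors plus terminator
    descs, strings = b"", b""
    str_rva = sect_rva + 20 * ndesc                             # name strings follow the table
    for name in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, str_rva + len(strings), 0)
        strings += name.encode("ascii") + b"\x00"
    descs += b"\x00" * 20
    body = descs + strings
    body += b"\x00" * (-len(body) % 0x200)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 90 + struct.pack("<I", 16)
    opt += struct.pack("<IIII", 0, 0, sect_rva, len(descs)) + b"\x00" * (8 * 14)
    section = b".idata\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(body), sect_rva, len(body), sect_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + section
    return headers + b"\x00" * (sect_off - len(headers)) + body


if __name__ == "__main__":
    # Constructed samples: one clean, one carrying the DLL name the post reports seeing.
    for label, dlls in (("clean", ["KERNEL32.dll", "USER32.dll"]),
                        ("infected", ["KERNEL32.dll", "ms0b920b.dll"])):
        image = build_sample_pe(dlls)
        print(label, imported_dlls(image), suspicious_imports(image))
```

On a real machine you would read each executable named in the log's O4 entries and pass its bytes to suspicious_imports; the parser only touches the headers and the import name strings, so it inspects a file without loading or running it, which is the point when the file is suspected of carrying an extra import.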
      • Guest: Kolobos Re: HERE IS THE LOG TO CHECK IP: *.warszawa.sdi.tpnet.pl 20.05.05, 18:54
        Well, I'm blind and didn't see that the solution is given at the bottom:

        InetDoor variant
        Unless you have an anti-virus program that specifically knows how to remove the
        import table entries from startup programs affected by InetDoor, removal is
        difficult. You can delete the file, but then any of the affected programs will
        refuse to run.

        A short term workaround is to replace the InetDoor DLL with a dummy version
        that does nothing. You can then uninstall and reinstall each program with a
        component set to run on startup.

        To do this, download InetDummy.dll and restart the computer in Safe Mode. To
        get the menu for Safe Mode, press F8 just as Windows starts to boot — on the NT
        boot loader menu if you have one, else just hammer it as the computer starts
        up.

        Open the System32 folder (inside the Windows folder; called just ‘System’ on
        Windows 95/98/Me) and find the InetDoor file. It will be called msNNNNNN.dll,
        where NNNNNN is a six-digit hexadecimal number. There will also be .cfg
        and .da0 files with the same name.

        Rename msNNNNNN.dll to msNNNNN.bak, then drop the InetDummy.dll file into this
        folder and rename it msNNNNNN.dll (the same name as the original DLL). Reboot
        the computer and if all goes well you can delete msNNNNNN.bak, .cfg and .da0.

        But that is only a file swap; an antivirus that knows how to repair this would
        be needed, which is what that text says anyway.

        • Guest: Kolobos Re: HERE IS THE LOG TO CHECK IP: *.warszawa.sdi.tpnet.pl 20.05.05, 18:57
          Here you have the same thing described in Polish:
          www.searchengines.pl/phpbb203/index.php?showtopic=14185&st=50&#entry138537
          • Guest: JK Re: HERE IS THE LOG TO CHECK IP: *.stenhamra.adminor.net 20.05.05, 22:19
            Thanks for the "remedy" - I'm just trying to cure this computer. I'm a layman,
            so please tell me how I'm supposed to do this:
            And create a registry file to clean up the leftovers. Open Notepad and paste
            this into it:
            • Guest: Kolobos Re: HERE IS THE LOG TO CHECK IP: *.warszawa.sdi.tpnet.pl 21.05.05, 00:43
              Do I have to write you the same thing that has already been written, on two
              pages at that? You have it all written there:
              Manual removal consists of tricking the programs:

              1. Download the empty decoy file msxxxxxx.zip and unpack it to get the file
              msxxxxxx.dll:
              msxxxxxx.zip ( 523 bytes )
              You have the file here:
              www.searchengines.pl/phpbb203/index.php?act=Attach&type=post&id=771
              2. Boot into Safe Mode

              3. Go to the system folder C:\WINDOWS\system (Windows 98/Me) or
              C:\WINDOWS\system32 (Windows 2000/XP/2003) and rename the trojan's file from
              ms??????.dll to ms??????.bad. Then put the fake, non-working msxxxxxx.dll you
              downloaded from me in its place; it must have EXACTLY THE SAME NAME AS THE
              TROJAN'S FILE = in place of the "x"s you enter that 6-character combination.

              4. Reboot the computer and, if the programs start without errors, you can delete
              the ms??????.bad file and the accompanying *.cfg and *.da0 files with the same name.

              Is it really that hard? :(