Please check my log - PROBLEM

IP: *.neoplus.adsl.tpnet.pl 30.11.05, 09:03
There's a problem with SpyAxe and some persistent spyware.
Please help, I've more or less run out of ideas.

Logfile of HijackThis v1.99.1
Scan saved at 01:06:28, on 2005-11-30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Philips\LightFrame 3\LightFrameV3.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Marcin\Pulpit\Progs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.onet.pl/
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: LightFrame 3.lnk = ?
O4 - Global Startup: Spy Sweeper Fix.lnk = C:\Program Files\Webroot\Spy Sweeper\SpySweeperFix.bat
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    • Guest: k Re: Please check my log - PROBLEM IP: *.warszawa.sdi.tpnet.pl 30.11.05, 11:50
      Nothing visible in the log.
      • Guest: Gigi Re: Please check my log - PROBLEM IP: *.neoplus.adsl.tpnet.pl 30.11.05, 12:03
        exactly!

        and in the taskbar a virus alert loads (a spyware warning and a prompt to install anti- software). after launching IE, spyaxe installs itself.

        I'm running out of steam.
        • Guest: k Re: Please check my log - PROBLEM IP: *.warszawa.sdi.tpnet.pl 30.11.05, 13:01
          Download this and make a log with it:
          www.silentrunners.org/Silent%20Runners.vbs
          In Safe Mode.
          What does the alert window say? (you can take a screenshot).
          • Guest: Gigi Re: Please check my log - PROBLEM IP: *.neoplus.adsl.tpnet.pl 30.11.05, 13:15
            here's the scan:
            "Silent Runners.vbs", revision 41, www.silentrunners.org/
            Operating System: Windows XP
            Output limited to non-default values, except where indicated by "{++}"


            Startup items buried in registry:
            ---------------------------------

            HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
            "CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
            "nvctrl.exe" = (empty string)

            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
            "MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
            "SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]
            "DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]

            HKLM\Software\Microsoft\Active Setup\Installed Components\
            {306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
            \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

            HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
            "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
            -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
            "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
            -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
            "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
            -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
            "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
            -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
            "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
            -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
            "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
            -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
            INFECTION WARNING! "{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}" = "st3"
            -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q6421156.dll" [file not found]

            HKLM\System\CurrentControlSet\Control\Session Manager\
            INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

            HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
            WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
            -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

            HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
            WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
            -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

            HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
            SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
            -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
            WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
            -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


            Active Desktop and Wallpaper:
            -----------------------------

            Active Desktop is disabled at this entry:
            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

            HKCU\Control Panel\Desktop\
            "Wallpaper" = "C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


            Enabled Screen Saver:
            ---------------------

            HKCU\Control Panel\Desktop\
            "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


            Startup items in "Marcin" & "All Users" startup folders:
            --------------------------------------------------------

            C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
            "hp officejet 4100 series" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe" ["Hewlett-Packard Co."]


            Enabled Scheduled Tasks:
            ------------------------

            "FRU Task #Hewlett-Packard#hp officejet 4100 series#1107527891" -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp officejet 4100 series#1107527891"" [empty string]


            Winsock2 Service Provider DLLs:
            -------------------------------

            Namespace Service Providers

            HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
            000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
            000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
            000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

            Transport Service Providers

            HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
            0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
            %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 18
            %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


            All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
            ---------------------------------------------------------------------------

            InstallDriver Table Manager, IDriverT, ""C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
            Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
            Usługa administracyjna Menedżera dysków logicznych, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
            Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]


            Print Monitors:
            ---------------

            HKLM\System\CurrentControlSet\Control\Print\Monitors\
            hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]


            ----------
            + This report excludes default entries except where indicated.
            + To see *everywhere* the script checks and *everything* it finds,
            launch it from a command prompt or a shortcut with the -all parameter.
            + To search all directories of local fixed drives for DESKTOP.INI
            DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
            use the -supp parameter or answer "No" at the first message box.
            --------
            • Guest: k Re: Please check my log - PROBLEM IP: *.warszawa.sdi.tpnet.pl 30.11.05, 14:05
              You've got Zlob ;-)

              Run regedit, go to:
              HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
              and delete there:
              "nvctrl.exe"
              then in:
              HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
              delete:
              "{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}" = "st3"

              Delete these files from disk:
              mscornet.exe
              mssearch.exe
              nvctrl.exe
              ld????.tmp
              ncompat.tlb
              msvol.tlb
              hp????.tmp
              They should all be in the system32 directory (??? stands for random characters).

              Also check the explorer.exe file with this scanner:
              virusscan.jotti.org/ and write back whether it found anything.
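A small triage script for Silent Runners output like the report posted above, added here as an example (it is not a tool from silentrunners.org or from anyone in this thread). It pulls out the three things k pointed at: a value under the normally empty Policies\Explorer\Run key, a SharedTaskScheduler CLSID whose DLL is missing from disk, and a BootExecute value that no longer equals the stock autocheck line. The sample report is constructed from the log above with line-wrapping removed, and the stock BootExecute value is an assumption.

```python
import re

# Constructed excerpt modelled on the Silent Runners report in this thread
# (line-wrapping removed so every registry value sits on one line).
SAMPLE = r"""
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"nvctrl.exe" = (empty string)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}" = "st3"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q6421156.dll" [file not found]
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]
"""

# Autostart keys that are empty on a clean Windows XP install (compared in
# lower case, without the trailing backslash); anything under them deserves a look.
RARE_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hklm\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler",
)
DEFAULT_BOOTEXECUTE = '"autocheck autochk *"'   # assumed stock Session Manager value
VALUE_RE = re.compile(r'(?:INFECTION WARNING! )?"([^"]+)" = (.*)')


def triage(report):
    """Return (reason, name) pairs for autostart entries that warrant review."""
    findings = []
    key = None                      # registry key the following value lines belong to
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith(("HKLM\\", "HKCU\\")):
            key = line.replace(" {++}", "").rstrip("\\").lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.groups()
            if name == "BootExecute" and not value.startswith(DEFAULT_BOOTEXECUTE):
                findings.append(("BootExecute modified", name))
            elif key in RARE_KEYS:
                findings.append(("entry in normally empty autostart key", name))
        elif key in RARE_KEYS and line.startswith("->") and "[file not found]" in line:
            # CLSID launch point whose DLL is gone (the q6421156.dll case above)
            findings.append(("launch point with missing file", line.split('"')[1]))
    return findings
```

Entries under the regular Run keys (ctfmon.exe, Spy Sweeper) are left alone, so the output is exactly the short list a helper would ask about next.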



              • Guest: Gigi Re: Please check my log - PROBLEM IP: *.neoplus.adsl.tpnet.pl 30.11.05, 18:16
                Well, there's a problem, because the scan found nothing.
                I did exactly as instructed and crap! no improvement. The window is still
                there. After launching IE it installs spyaxe.
                • Guest: k Re: Please check my log - PROBLEM IP: *.warszawa.sdi.tpnet.pl 30.11.05, 21:41
                  What scan? Did you delete the files?
                  • Guest: Gigi Re: Please check my log - PROBLEM IP: *.neoplus.adsl.tpnet.pl 01.12.05, 00:47
                    I deleted the files, virusscan.jotti.org/ found nothing in explorer.exe

                    The problem remains unchanged
                    • Guest: k Re: Please check my log - PROBLEM IP: *.warszawa.sdi.tpnet.pl 01.12.05, 07:21
                      Here's a removal guide:
                      www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=45&p=235091&#entry235091
                      • Guest: Gigi Re: Please check my log - PROBLEM IP: *.neoplus.adsl.tpnet.pl 01.12.05, 11:02
                        It worked,

                        Thanks.
          • Guest: Gigi Re: Please check my log - PROBLEM IP: *.neoplus.adsl.tpnet.pl 30.11.05, 13:19
            Window text:

            "Your computer is infected!
            Windows has detected spyware infection.

            It is recommended to use special antispyware tools to prevent
            data loss.
            Windows will now down load and instal the most
            up-to-date antispyware for you.

            Click here to protect your computer from spyware"


            And it installs spyaxe by itself
          • Guest: Gigi Re: Please check my log - PROBLEM IP: *.neoplus.adsl.tpnet.pl 30.11.05, 13:24
            The scan finds

            "Antivirus gold"