Please check my log

IP: *.stk.net.pl 12.02.06, 21:42
Logfile of HijackThis v1.99.1
Scan saved at 21:41:25, on 2006-02-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MMenu\MagicMenu.exe
C:\Program Files\DEMON\daemon.exe
D:\eDonkey2000\eDonkey2000.exe
D:\Avast4\ashDisp.exe
C:\Zegarynka\Zegarynka.exe
D:\Konnekt\konnekt.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
D:\Avast4\aswUpdSv.exe
D:\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Pax-\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [RobosMagicMenu3] C:\Program Files\MMenu\MagicMenu.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\DEMON\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [eDonkey2000] D:\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [avast!] D:\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Zegarynka] C:\Zegarynka\Zegarynka.exe
O4 - HKCU\..\Run: [Konnekt] "D:\Konnekt\konnekt.exe" /autostart
O8 - Extra context menu item: Download with GetRight - D:\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\GetRight\GRbrowse.htm
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - www.mks.com.pl/skaner/SkanerOnline.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

    • Guest: k Re: Please check my log IP: *.warszawa.sdi.tpnet.pl 12.02.06, 22:04
      Why are you cluttering up the forum? You already pasted a log once and I told you what to do!
      • Guest: Pax Re: Please check my log IP: *.stk.net.pl 12.02.06, 22:08
        I did paste it, I followed the instructions and everything was fine, but unfortunately after an hour
        the virus came back, so I pasted the log again because I don't know what to do with it next.
        • Guest: k Re: Please check my log IP: *.warszawa.sdi.tpnet.pl 12.02.06, 22:15
          Evidently you didn't do everything, or you got infected again ;-)
          Besides, you don't start new threads, you keep posting in the one you have!

          Paste a log from:
          www.silentrunners.org/Silent%20Runners.vbs
          • Guest: Pax Re: Please check my log IP: *.stk.net.pl 12.02.06, 22:21
            sorry for the trouble, this is the log from Silent Runners

            "Silent Runners.vbs", revision 43, www.silentrunners.org/
            Operating System: Windows XP SP2
            Output limited to non-default values, except where indicated by "{++}"


            Startup items buried in registry:
            ---------------------------------

            HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
            "Zegarynka" = "C:\Zegarynka\Zegarynka.exe" [null data]
            "Konnekt" = ""D:\Konnekt\konnekt.exe" /autostart" ["Stamina"]

            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
            "MULTIMEDIA KEYBOARD" = "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
            "RobosMagicMenu3" = "C:\Program Files\MMenu\MagicMenu.exe" ["Robo's Soft"]
            "DAEMON Tools-1033" = ""C:\Program Files\DEMON\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
            "eDonkey2000" = "D:\eDonkey2000\eDonkey2000.exe -t" [null data]
            "avast!" = "D:\Avast4\ashDisp.exe" [null data]

            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
            {31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = "*g" (unwritable string)
            -> {CLSID}\InProcServer32\(Default) = "D:\GetRight\xx2gr.dll" ["Headlight Software, Inc."]

            HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
            "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
            -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
            • Guest: k Re: Please check my log IP: *.warszawa.sdi.tpnet.pl 12.02.06, 22:21
              Paste the whole log, not just a piece of it ;-)
              • Guest: Pax Re: Please check my log IP: *.stk.net.pl 12.02.06, 22:23
                "Silent Runners.vbs", revision 43, www.silentrunners.org/
                Operating System: Windows XP SP2
                Output limited to non-default values, except where indicated by "{++}"


                Startup items buried in registry:
                ---------------------------------

                HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                "Zegarynka" = "C:\Zegarynka\Zegarynka.exe" [null data]
                "Konnekt" = ""D:\Konnekt\konnekt.exe" /autostart" ["Stamina"]

                HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                "MULTIMEDIA KEYBOARD" = "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
                "RobosMagicMenu3" = "C:\Program Files\MMenu\MagicMenu.exe" ["Robo's Soft"]
                "DAEMON Tools-1033" = ""C:\Program Files\DEMON\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
                "eDonkey2000" = "D:\eDonkey2000\eDonkey2000.exe -t" [null data]
                "avast!" = "D:\Avast4\ashDisp.exe" [null data]

                HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
                {31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = "*g" (unwritable string)
                -> {CLSID}\InProcServer32\(Default) = "D:\GetRight\xx2gr.dll" ["Headlight Software, Inc."]

                HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
                "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
                -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
                "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
                -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
                "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
                -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
                "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
                -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
                "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
                "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
                "{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
                -> {CLSID}\InProcServer32\(Default) = "D:\dBpowerAMP\dBShell.dll" [empty string]
                "{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
                -> {CLSID}\InProcServer32\(Default) = "D:\dBpowerAMP\dMCShell.dll" [empty string]
                "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
                -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
                "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
                -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
                "{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}" = "ContextMenuExt Extension"
                -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\ContextMenuExt.dll" [null data]
                "{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
                -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
                "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
                -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
                "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
                -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
                "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
                "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
                "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
                "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
                -> {CLSID}\InProcServer32\(Default) = "D:\Avast4\ashShell.dll" ["ALWIL Software"]

                HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
                INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

                HKLM\System\CurrentControlSet\Control\Session Manager\
                INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.exe" [file not found], [MS], [file not found], [file not found]

                HKLM\Software\Classes\PROTOCOLS\Filter\
                INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

                HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
                avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
                -> {CLSID}\InProcServer32\(Default) = "D:\Avast4\ashShell.dll" ["ALWIL Software"]
                CopyMoveTo\(Default) = "{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}"
                -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\ContextMenuExt.dll" [null data]
                ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
                WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

                HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
                CopyMoveTo\(Default) = "{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}"
                -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\ContextMenuExt.dll" [null data]
                ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
                WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

                HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
                avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
                -> {CLSID}\InProcServer32\(Default) = "D:\Avast4\ashShell.dll" ["ALWIL Software"]
                CopyMoveTo\(Default) = "{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}"
                -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\ContextMenuExt.dll" [null data]
                UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
                WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


                Active Desktop and Wallpaper:
                -----------------------------

                Active Desktop is disabled at this entry:
                HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

                HKCU\Control Panel\Desktop\
                "Wallpaper" = "C:\Documents and Settings\Pax-\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


                Winsock2 Service Provider DLLs:
                -------------------------------

                Namespace Service Providers

                HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
                000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
                000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
                000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

                Transport Service Providers

                HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
                0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
                %SystemRoot%\system32\mswsock.dll [MS],
                • Guest: k Re: Please check my log IP: *.warszawa.sdi.tpnet.pl 12.02.06, 22:48
                  Append the missing part in the next post, since it didn't fit in one.
                  • Guest: Pax Re: Please check my log IP: *.stk.net.pl 12.02.06, 23:05
                    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
                    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
                    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
                    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


                    Toolbars, Explorer Bars, Extensions:
                    ------------------------------------

                    Explorer Bars

                    Dormant Explorer Bars in "View, Explorer Bar" menu

                    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Badanie"
                    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
                    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

                    Extensions (Tools menu items, main toolbar menu buttons)

                    HKLM\Software\Microsoft\Internet Explorer\Extensions\
                    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
                    "ButtonText" = "Badanie"

                    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
                    "ButtonText" = "Messenger"
                    "MenuText" = "Windows Messenger"
                    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


                    Running Services (Display Name, Service Name, Path {Service DLL}):
                    ------------------------------------------------------------------

                    avast! Antivirus, avast! Antivirus, ""D:\Avast4\ashServ.exe"" [null data]
                    avast! iAVS4 Control Service, aswUpdSv, ""D:\Avast4\aswUpdSv.exe"" [null data]
                    avast! Mail Scanner, avast! Mail Scanner, ""D:\Avast4\ashMaiSv.exe" /service"
                    ["ALWIL Software"]
                    ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
                    ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
                    Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
                    Netropa NHK Server, nhksrv, "C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe" [null data]
                    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


                    Keyboard Driver Filters:
                    ------------------------

                    HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
                    "UpperFilters" = INFECTION WARNING! "msikbd2k" ["Netropa Corporation"]


                    Print Monitors:
                    ---------------

                    HKLM\System\CurrentControlSet\Control\Print\Monitors\
                    hpzlnt05\Driver = "hpzlnt05.dll" ["HP"]
                    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


                    ----------
                    + This report excludes default entries except where indicated.
                    + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
                    + The search for DESKTOP.INI DLL launch points on all local fixed drives took 46 seconds.
                    + The search for all Registry CLSIDs containing dormant Explorer Bars took 38 seconds.
                    --------
                    • Guest: k Re: Please check my log IP: *.warszawa.sdi.tpnet.pl 12.02.06, 23:27
                      Nothing shows up in the log; all that's left to terminate is this:
                      C:\WINDOWS\wupdmgr.exe
                      C:\WINDOWS\osaupd.exe

                      Try running this:
                      linhadefensiva.uol.com.br/files/beta/osaupd.reg
                      And restart the computer after adding it.
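The cross-check k applies in the final reply (which running processes have no launch point anywhere in the log) as an added Python example; this is not code from the thread or from HijackThis, and `SAMPLE_LOG` is a constructed, abridged copy of the first post's log with its wrapped lines rejoined. The two files it isolates are the ones k points at.

```python
import re

# Constructed sample: abridged from the HijackThis v1.99.1 log in the first post, wrapped lines rejoined.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Avast4\ashDisp.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
D:\Avast4\ashServ.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Pax-\Pulpit\HijackThis.exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [avast!] D:\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")  # HijackThis item prefixes: R0-R3, F0-F3, N1-N4, O1-O24

def parse_hjt(text: str) -> dict:
    """Split a HijackThis log into its running-process list and its Rxx/Fxx/Nxx/Oxx items."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # the first blank line ends the process list
        elif ENTRY_RE.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}

def started_by_windows(path: str) -> bool:
    """Heuristic: system32 binaries and Explorer are launched by Windows itself, not by an autorun."""
    low = path.lower()
    return "\\windows\\system32\\" in low or low.endswith("\\windows\\explorer.exe")

def in_windows_root(path: str) -> bool:
    """True for an executable sitting directly in the Windows directory rather than a subfolder."""
    return path.lower().rsplit("\\", 1)[0].endswith("\\windows")

def triage(text: str) -> dict:
    """'unreferenced': running processes whose file name appears in no O4/O23/... item;
    'windows_root': the subset living directly in the Windows directory, where the two suspect
    files in this thread sat. Both are leads: user-started apps and vendor child processes land
    in the first list too, and the analyst rules those out by hand."""
    report = parse_hjt(text)
    haystack = "\n".join(report["entries"]).lower()
    unreferenced = [p for p in report["processes"]
                    if not started_by_windows(p) and p.rsplit("\\", 1)[-1].lower() not in haystack]
    return {"unreferenced": unreferenced, "windows_root": [p for p in unreferenced if in_windows_root(p)]}
```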