prosze o pomoc

[Gość: michal]

Czesc, co 5 minut mam taki komunikat z avasta:

85.255.117.124/users/rainy/web/images/three.jpg
Nazwa pasozyta: Win32:Adan-078[Adw]
Typ pasozyta: Reklamiarz

Log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\mssvcc.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kidzer\Desktop\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) =
targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
szukaj.wp.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.onet.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada
TP
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no
file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BRedObj Class - {665ACD90-4541-4836-9FE4-062386BB8F05} - c:\Program
Files\Flt\Flt.dll
O2 - BHO: (no name) - {75728C92-8218-4FE8-9966-2302D52C4DEF} -
C:\WINDOWS\System32\dskrfuoui.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} -
C:\WINDOWS\System32\docntrop.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe
c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software
Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\Run: [bunjj.exe] C:\WINDOWS\System32\bunjj.exe
O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [KillAndClean] "C:\Program
Files\KillAndClean\KillAndClean.exe"
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: ING Bank Online -
ssl.bsk.com.pl/bskonl/component/INGOnl.cab
O16 - DPF: komentator - sport.onet.pl/komentator.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{103A4410-1C68-45DA-92F4-
12536047D225}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E6ADDCA-8D90-4CCD-BB4E-
310B95D4CDFE}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{82E1A60F-DD9B-4491-9CAE-
A8A9A9F2360D}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{C367AF9E-80C8-4CEF-A49F-
8220D4330DA1}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CCS\Services\Tcpip\..\{C774E865-3CB8-41C6-B81D-
A5CA9ECFB88C}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.132
85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{103A4410-1C68-45DA-92F4-
12536047D225}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.132
85.255.112.84
O17 - HKLM\System\CS2\Services\Tcpip\..\{103A4410-1C68-45DA-92F4-
12536047D225}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.132
85.255.112.84
O18 - Filter: text/html - {1C432CBA-1E32-43E7-9BC1-D7EB6B25BCDC

[Gość: Kolobos]

Wywal aplikacje od neostrady (opis masz w przyklejonym poscie).

Uzyj:
downloads.subratam.org/Fixwareout.exe
Log z usuwania wklej na forum.

W menadzerze zadan zakoncz:
C:\WINDOWS\System32\mssvcc.exe
Plik usun z dysku.

W hjt usun:
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) =
targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada
TP
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no
file)
O2 - BHO: BRedObj Class - {665ACD90-4541-4836-9FE4-062386BB8F05} - c:\Program
Files\Flt\Flt.dll <- katalog Flt usun z dysku.
O2 - BHO: (no name) - {75728C92-8218-4FE8-9966-2302D52C4DEF} -
C:\WINDOWS\System32\dskrfuoui.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} -
C:\WINDOWS\System32\docntrop.dll (file missing)
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\Run: [bunjj.exe] C:\WINDOWS\System32\bunjj.exe <- plik usun z
dysku.
O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe" <- katalog
WareOut usun z dysku.
O4 - HKCU\..\Run: [KillAndClean] "C:\Program
Files\KillAndClean\KillAndClean.exe" <- katalog KillAndClean usun z dysku.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{103A4410-1C68-45DA-92F4-
12536047D225}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E6ADDCA-8D90-4CCD-BB4E-
310B95D4CDFE}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{82E1A60F-DD9B-4491-9CAE-
A8A9A9F2360D}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{C774E865-3CB8-41C6-B81D-
A5CA9ECFB88C}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.132
85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{103A4410-1C68-45DA-92F4-
12536047D225}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.132
85.255.112.84
O17 - HKLM\System\CS2\Services\Tcpip\..\{103A4410-1C68-45DA-92F4-
12536047D225}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.132
85.255.112.84

Doklej brakujaca czesc log'a od:
O18 - Filter: text/html - {1C432CBA-1E32-43E7-9BC1-D7EB6B25BCDC

Przeskanuj system przy pomocy ewido (link znajdziesz w przyklejonym poscie lub
na google).

[Gość: michal]

Witam!
Brakujaca czesc loga:

O18 - Filter: text/html - {1C432CBA-1E32-43E7-9BC1-D7EB6B25BCDC} -
C:\WINDOWS\System32\dskrfuoui.dll
O18 - Filter: text/plain - {1C432CBA-1E32-43E7-9BC1-D7EB6B25BCDC} -
C:\WINDOWS\System32\dskrfuoui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32
\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development -
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development
LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

[Gość: Kolobos]

Do kasacji jeszcze:
O18 - Filter: text/html - {1C432CBA-1E32-43E7-9BC1-D7EB6B25BCDC} -
C:\WINDOWS\System32\dskrfuoui.dll <- plik usun z dysku.
O18 - Filter: text/plain - {1C432CBA-1E32-43E7-9BC1-D7EB6B25BCDC} -
C:\WINDOWS\System32\dskrfuoui.dll

Sam instalowales ten program:
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development -
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development
LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE

Jezeli nie to go odinstaluj, uslugi usun (opis usuwania uslug masz w
przyklejonym poscie), pliki usun.

[Gość: michal]

Log z Fixwareout.exe


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\pgtshlld
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nidnsdr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\cvvsic
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\vdnml
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\uittr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\rtcdaol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\fcjcg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\cjcgn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\gasny
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\asnyt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\lcvjb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\cvjbw
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\viwzn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\iwznp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
214C95D6BF5D-48EB-6864-94E5-502A1277{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
22CEDAD0ACC6-9958-F3F4-5EE5-6042FEE5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
22054BF7C236-688A-6314-ED5A-79AC8FFE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
27DFE26A0E36-68DA-6F44-BE53-03A093AB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
504065C5A710-4E29-9824-C335-82B9B005{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
C64A6931ED88-263A-CCB4-3930-612D8F53{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
784FC5AE3D81-4498-5EA4-4D01-AA3A6DBC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
F9ED4D57108A-D3B8-1C14-95EE-929E61CD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
AB3003D56C78-F128-CB64-E5B0-4CDAF4FD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
D3E61F2523E3-4F2B-0FF4-5E3E-F728A540{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
74FF5F27F603-035A-F154-2EF6-0D0BEBB4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
A25BC4912896-27C8-AEB4-9CED-E3647D36{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
90F06D1C46A9-0179-B2D4-F938-FBF409C1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
CC12D6287B3D-CAF8-6974-0071-C2B84D9C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
C65317ED7214-B21B-3774-444E-CA7BBA74{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
4DFC4CC899BD-61B9-55C4-17B1-62C7E38B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
597459415374-C88B-CD44-7B74-DAF7EE7F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
5EF0DCAF947C-AFAA-FD54-38AB-D9E07644{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
4E26D3939EAA-EB48-7174-FAFD-564864CB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
F03ECC17DA3E-F328-17D4-AF6C-1AA99EE7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
E3D1AE0A08EB-7ABB-09A4-4D50-30440B9C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
D95362912DA7-B9A9-6964-0E56-0B41B137{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
04A9328DF4A9-C088-3334-0B6E-4687C89B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
950DFDCDAC67-3F8A-AC64-52F0-A20B4EFE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
C045295A6973-19FA-1EC4-E88C-C920D07E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
10B716401A35-86B9-37F4-05C7-9FCC06EC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}
F89C72C79C25-2E0B-E444-A980-40BB0FA3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\gbumd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\69.50.1
61.13/users/paul/web/lodctrpd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\69.50.1
61.13/users/paul/web/diantzpt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\69.50.1
61.13/users/paul/web/dosxpd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\69.50.1
61.13/users/paul/web/audissrp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\69.50.1
61.13/users/paul/web/fixmapirs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\69.50.1
61.13/users/paul/web/autodmfp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\69.50.1
61.13/users/paul/web/chkntfsfat.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\69.50.1
66.92/private/x/302.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\pgtshlld
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nidnsdr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\cvvsic
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\X
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\recaps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ytpme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\rtcdaol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tnepxps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\46aycpxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmubg.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS
LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSUZL.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSUZL.EXE 51 283 2006-06-30
C:\WINDOWS\SYSTEM32\DMUBG.EXE 62 022 2002-08-29
Other suspects
Directory of C:\WINDOWS\system32
{3AF0BB04-089A-444E-B0E2-52C97C27C98F}.exe
{CE60CCF9-7C50-4F73-9B68-53A104617B01}.exe
{E70D029C-C88E-4CE1-AF91-3796A592540C}.exe
{EFE4B02A-0F25-46CA-A8F3-76CADCDFD059}.exe
{B98C7864-E6B0-4333-880C-9A4FD8239A40}.exe
{731B14B0-65E0-4696-9A9B-7AD21926359D}.exe
{C9B04403-05D4-4A90-BBA7-BE80A0EA1D3E}.exe
{7EE99AA1-C6FA-4D71-823F-E3AD71CCE30F}.exe
{44670E9D-BA83-45DF-AAFA-C749FACD0FE5}.exe
{F7EE7FAD-47B7-44DC-B88C-473514954795}.exe
{B83E7C26-1B71-4C55-9B16-DB998CC4CFD4}.exe
{47ABB7AC-E444-4773-B12B-4127DE71356C}.exe
{1C904FBF-839F-4D2B-9710-9A64C1D60F09}.exe
{63D7463E-D

[Gość: Kolobos]

Log sie nie zmiescil jak zapewne widzisz wiec mogles juz sam dokleic reszte.

Plik usun z dysku:
C:\WINDOWS\System32\CSUZL.EXE
C:\WINDOWS\SYSTEM32\DMUBG.EXE
Do kasacji tez:
z C:\WINDOWS\system32
{3AF0BB04-089A-444E-B0E2-52C97C27C98F}.exe
{CE60CCF9-7C50-4F73-9B68-53A104617B01}.exe
{E70D029C-C88E-4CE1-AF91-3796A592540C}.exe
{EFE4B02A-0F25-46CA-A8F3-76CADCDFD059}.exe
{B98C7864-E6B0-4333-880C-9A4FD8239A40}.exe
{731B14B0-65E0-4696-9A9B-7AD21926359D}.exe
{C9B04403-05D4-4A90-BBA7-BE80A0EA1D3E}.exe
{7EE99AA1-C6FA-4D71-823F-E3AD71CCE30F}.exe
{44670E9D-BA83-45DF-AAFA-C749FACD0FE5}.exe
{F7EE7FAD-47B7-44DC-B88C-473514954795}.exe
{B83E7C26-1B71-4C55-9B16-DB998CC4CFD4}.exe
{47ABB7AC-E444-4773-B12B-4127DE71356C}.exe
{1C904FBF-839F-4D2B-9710-9A64C1D60F09}.exe

Od tego doklej:
{63D7463E-D

[Gość: michal]

{63D7463E-DEC9-4BEA-8C72-6982194CB52A}.exe
{4BBEB0D0-6FE2-451F-A530-306F72F5FF47}.exe
{DC16E929-EE59-41C1-8B3D-A80175D4DE9F}.exe
{CBD6A3AA-10D4-4AE5-8944-18D3EA5CF487}.exe
{35F8D216-0393-4BCC-A362-88DE1396A46C}.exe
{500B9B28-533C-4289-92E4-017A5C560405}.exe
{BA390A30-35EB-44F6-AD86-63E0A62EFD72}.exe
{EFF8CA97-A5DE-4136-A886-632C7FB45022}.exe
{5EEF2406-5EE5-4F3F-8599-6CCA0DADEC22}.exe

[Gość: Kolobos]

Te tez do kasacji, czy to napewno caly log z fixwareout?

[Gość: michal]

Tak, to caly log.

[Gość: Kolobos]

Jak juz wszystko zrobisz to wklej nowy log z hijackthis.

[Gość: michal]

Zrobilem wszystko oprocz usuwania apl.neostrady

Logfile of HijackThis v1.99.1
Scan saved at 20:53:05, on 2006-07-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Documents and Settings\Kidzer\Desktop\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kidzer\Desktop\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.onet.pl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe
c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software
Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [szmsy.exe] C:\WINDOWS\System32\szmsy.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: ING Bank Online - ssl.bsk.com.pl/bskonl/component/INGOnl.cab
O16 - DPF: komentator - sport.onet.pl/komentator.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C367AF9E-80C8-4CEF-A49F-8220D4330DA1}:
NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32
\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. -
C:\Documents and Settings\Kidzer\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

[Gość: Kolobos]

Jeszcze to do kasacji w hjt:
O4 - HKLM\..\Run: [szmsy.exe] C:\WINDOWS\System32\szmsy.exe

[Gość: michal]

Zrobione.

Logfile of HijackThis v1.99.1
Scan saved at 21:14:14, on 2006-07-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Documents and Settings\Kidzer\Desktop\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kidzer\Desktop\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.onet.pl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe
c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software
Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: ING Bank Online - ssl.bsk.com.pl/bskonl/component/INGOnl.cab
O16 - DPF: komentator - sport.onet.pl/komentator.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C367AF9E-80C8-4CEF-A49F-8220D4330DA1}:
NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32
\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. -
C:\Documents and Settings\Kidzer\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

[Gość: michal]

Wielkie dzieki!!!
Mam jeszcze podejrzanie duzo dziwnych procesow, ktore wlasnie sprawdzam na
processlibrary.com/.

Pzdr.

[neder]

o które 'podejrzane procesy' Ci chodzi?

[Gość: michal]

Sprawdzilem i wszystkie musza zostac:)

Pzdr.