
Help - please check my log!

IP: *.neoplus.adsl.tpnet.pl 02.12.06, 18:46
Mother of God! I have a problem with a trojan called Trojan.Proxy Dlena.an :((

Even though I keep deleting it, it keeps coming back. Right now I'm scanning the system for the nth time
with MKS. Please check my HJ log.

Logfile of HijackThis v1.99.0
Scan saved at 18:39:47, on 2006-12-02
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\mks_vir_2007\bin\mkstray.exe
D:\Program Files\mks_vir_2007\bin\mksregmon.exe
D:\Program Files\mks_vir_2007\bin\mks_mail.exe
D:\Program Files\mks_vir_2007\bin\MksFwall.exe
D:\Program Files\mks_vir_2007\bin\MksPC.exe
D:\Program Files\mks_vir_2007\bin\mksupdate.exe
D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\Program Files\mks_vir_2007\bin\mks_scan.exe
D:\Program Files\mks_vir_2007\bin\mks2007.exe
I:\PROGRAMY\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
(no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
(no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program
Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MKS_VIR_2006] E:\Program Files\MKS_VIR_2006\mks2006.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mkstray] D:\Program Files\mks_vir_2007\bin\mkstray.exe
O4 - HKLM\..\Run: [MKSRegmon] D:\Program Files\mks_vir_2007\bin\mksregmon.exe
O4 - HKLM\..\Run: [mks_mail] D:\Program Files\mks_vir_2007\bin\mks_mail.exe
O4 - HKCU\..\Run: [MailScanner] E:\Program Files\MKS_VIR_2006\Mks_mail.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) -
file://D:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -
download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) -
file://D:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) -
file://D:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment
1.4.1_07) -
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) -
file://D:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O23 - Service: LexBce Server - Lexmark International, Inc. -
D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MksFwall - Unknown - D:\Program Files\mks_vir_2007\bin\MksFwall.exe
O23 - Service: MksPC - Unknown - D:\Program Files\mks_vir_2007\bin\MksPC.exe
O23 - Service: MksUpdate - MKS sp. z O. O. - D:\Program
Files\mks_vir_2007\bin\mksupdate.exe
O23 - Service: mks_vir file monitor - Unknown - D:\Program
Files\mks_vir_2007\bin\mksvirmonsvc.exe
O23 - Service: MkS_Scan - Unknown - D:\Program Files\mks_vir_2007\bin\mks_scan.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC -
D:\WINDOWS\system32\ZONELABS\vsmon.exe

-------
Thanks in advance for the help!!!
    • Guest: Kolobos Re: Help - please check my log! IP: *.escom.net.pl 02.12.06, 19:07
      > I have a problem with a trojan called Trojan.Proxy Dlena.an :((

      It would be better to give the name of the infected file instead of the trojan's name.

      > Even though I keep deleting it, it keeps coming back.

      Scan the system with ewido.

      In HJT remove only:
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
      (no file)
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
      (no file)
      • Guest: Zagubiona Re: Help - please check my log! IP: *.neoplus.adsl.tpnet.pl 02.12.06, 19:13
        Ooh, thanks!

        As for the file name, it is different every time. The file nests in the
        Windows directory. Here is the path: Windows/sys32/35166292Id.exe

        Oh, what a nightmare!!! :(
        • Guest: Kolobos Re: Help - please check my log! IP: *.escom.net.pl 02.12.06, 19:37
          Paste a SilentRunners log on the forum, and also use:
          siri.urz.free.fr/Fix/SmitfraudFix_En.php, doing what is described on the page under "Clean". After it runs, a log will be generated; paste it on the forum.
          • Guest: Zagubiona silent runners IP: *.neoplus.adsl.tpnet.pl 02.12.06, 20:11

            Here is the "silent runners" log; I'll use the other one in a moment:

            HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
            "MailScanner" = "E:\Program Files\MKS_VIR_2006\Mks_mail.exe" [file not found]

            HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
            "SunJavaUpdateSched" = "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun
            Microsystems, Inc."]
            "MKS_VIR_2006" = "E:\Program Files\MKS_VIR_2006\mks2006.exe" [file not found]
            "KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k"
            "Zone Labs Client" = ""D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe""
            ["Zone Labs, LLC"]
            "mkstray" = "D:\Program Files\mks_vir_2007\bin\mkstray.exe" ["MKS Sp z o.o."]
            "MKSRegmon" = "D:\Program Files\mks_vir_2007\bin\mksregmon.exe" [null data]
            "mks_mail" = "D:\Program Files\mks_vir_2007\bin\mks_mail.exe" ["MKS sp. z o. o."]
            "!AVG Anti-Spyware" = ""D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
            /minimized" ["Anti-Malware Development a.s."]

            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
            {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
            -> {HKLM...CLSID} = "SSVHelper Class"
            \InProcServer32\(Default) = "D:\Program
            Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

            HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
            "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
            wyświetlania"
            -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
            \InProcServer32\(Default) = "deskpan.dll" [file not found]
            "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
            -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
            \InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll"
            ["Hilgraeve, Inc."]
    • Guest: Zagubiona silent runners IP: *.neoplus.adsl.tpnet.pl 02.12.06, 20:31
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
      "MailScanner" = "E:\Program Files\MKS_VIR_2006\Mks_mail.exe" [file not found]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
      "SunJavaUpdateSched" = "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun
      Microsystems, Inc."]
      "MKS_VIR_2006" = "E:\Program Files\MKS_VIR_2006\mks2006.exe" [file not found]
      "KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k"
      "Zone Labs Client" = ""D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe""
      ["Zone Labs, LLC"]
      "mkstray" = "D:\Program Files\mks_vir_2007\bin\mkstray.exe" ["MKS Sp z o.o."]
      "MKSRegmon" = "D:\Program Files\mks_vir_2007\bin\mksregmon.exe" [null data]
      "mks_mail" = "D:\Program Files\mks_vir_2007\bin\mks_mail.exe" ["MKS sp. z o. o."]
      "!AVG Anti-Spyware" = ""D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
      /minimized" ["Anti-Malware Development a.s."]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
      {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
      -> {HKLM...CLSID} = "SSVHelper Class"
      \InProcServer32\(Default) = "D:\Program
      Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
      "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
      wyświetlania"
      -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
      \InProcServer32\(Default) = "deskpan.dll" [file not found]
      "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
      -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
      \InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll"
      ["Hilgraeve, Inc."]
      "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
      -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
      \InProcServer32\(Default) =
      "D:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
      "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
      -> {HKLM...CLSID} = "WinRAR"
      \InProcServer32\(Default) = "D:\Program
      Files\WinRAR\rarext.dll" [null data]
      "{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
      -> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
      \InProcServer32\(Default) =
      "D:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL" [MS]

      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
      <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
      -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
      \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG
      Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
      <<!>> rpcc\DLLName = "D:\WINDOWS\system32\rpcc.dll" [null data]

      HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
      {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
      -> {HKLM...CLSID} = "PDF Shell Extension"
      \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat
      7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

      HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
      AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
      -> {HKLM...CLSID} = "CContextScan Object"
      \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG
      Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
      MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"
      -> {HKLM...CLSID} = "MkS_Vir Shell Extension"
      \InProcServer32\(Default) = "D:\Program
      Files\mks_vir_2007\bin\mksshell.dll" [null data]
      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {HKLM...CLSID} = "WinRAR"
      \InProcServer32\(Default) = "D:\Program
      Files\WinRAR\rarext.dll" [null data]
      XPTools\(Default) = "{23F2DE6C-2C3F-4F95-B16A-56714C6FAAF4}"
      -> {HKLM...CLSID} = "Context Menu Shell Extension"
      \InProcServer32\(Default) = "D:\WINDOWS\system32\context.dll"
      ["SuperLogix"]

      HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
      AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
      -> {HKLM...CLSID} = "CContextScan Object"
      \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG
      Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {HKLM...CLSID} = "WinRAR"
      \InProcServer32\(Default) = "D:\Program
      Files\WinRAR\rarext.dll" [null data]

      HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
      MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"
      -> {HKLM...CLSID} = "MkS_Vir Shell Extension"
      \InProcServer32\(Default) = "D:\Program
      Files\mks_vir_2007\bin\mksshell.dll" [null data]
      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {HKLM...CLSID} = "WinRAR"
      \InProcServer32\(Default) = "D:\Program
      Files\WinRAR\rarext.dll" [null data]
      XPTools\(Default) = "{23F2DE6C-2C3F-4F95-B16A-56714C6FAAF4}"
      -> {HKLM...CLSID} = "Context Menu Shell Extension"
      \InProcServer32\(Default) = "D:\WINDOWS\system32\context.dll"
      ["SuperLogix"]


      Default executables:
      --------------------

      HKLM\Software\Classes\.scr\(Default) = (value not set)


      Group Policies {GPedit.msc branch and setting}:
      -----------------------------------------------

      Note: detected settings may not have any effect.

      HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

      "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
      {User Configuration|Administrative Templates|System|
      Prevent access to registry editing tools}

      HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

      "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
      {Computer Configuration|Windows Settings|Security Settings|Local
      Policies|Security Options|
      Shutdown: Allow system to be shut down without having to log on}

      "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
      {Computer Configuration|Windows Settings|Security Settings|Local
      Policies|Security Options|
      Devices: Allow undock without having to log on}


      Active Desktop and Wallpaper:
      -----------------------------

      Active Desktop may be disabled at this entry:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

      Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
      HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
      "Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"

      Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
      HKCU\Control Panel\Desktop\
      "Wallpaper" = "D:\Documents and Settings\Kingisko\Dane
      aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"


      Winsock2 Service Provider DLLs:
      -------------------------------

      Namespace Service Providers

      HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\
      {++}
      000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
      000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
      000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

      Transport Service Providers

      HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
      {++}
      0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
      D:\Program Files\mks_vir_2007\bin\\mkslsp.dll [null data], 01 - 03, 20
      %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 19
      %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


      Toolbars, Explorer Bars, Extensions:
      ------------------------------------

      Extensions (Tools menu items, main toolbar menu buttons)

      HKLM\Software\Microsoft\Inte
    • Guest: Zagubiona smitfraudFix IP: *.neoplus.adsl.tpnet.pl 02.12.06, 20:32
      SmitFraudFix v2.126

      Scan done at 20:15:05,93, 2006-12-02
      Run from D:\Documents and Settings\Kingisko\Pulpit\SmitfraudFix\SmitfraudFix
      OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
      Fix run in normal mode

      »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
      !!!Attention, following keys are not inevitably infected!!!

      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll

      »»»»»»»»»»»»»»»»»»»»»»»» Killing process


      »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

      GenericRenosFix by S!Ri


      »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


      »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


      »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

      Registry Cleaning done.

      »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
      !!!Attention, following keys are not inevitably infected!!!

      SrchSTS.exe by S!Ri
      Search SharedTaskScheduler's .dll


      »»»»»»»»»»»»»»»»»»»»»»»» End

      • Guest: Kolobos Re: smitfraudFix IP: *.escom.net.pl 02.12.06, 21:19
        As you can probably see, the forum has a size limit, so append the missing part of the SilentRunners log instead of pasting the whole thing again, which won't fit in one post.

        <<!>> rpcc\DLLName = "D:\WINDOWS\system32\rpcc.dll" [null data]
        Delete the file from disk. After deleting it, check whether the entry for rpcc.dll is visible in the HJT log; if it is, remove it.
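The two pieces of triage applied in this thread (dropping HJT entries whose target reads "(no file)", and acting on the Silent Runners line the script itself marks with `<<!>>`), written out as an added Python example; this is not code from the thread or from either tool, and the sample log lines are constructed to match the shape of the logs pasted here.

```python
"""Triage of HijackThis (HJT) and Silent Runners output (added example).
HJT: "(no file)" hooks/BHOs and empty IE settings are orphaned launch points.
Silent Runners: <<!>> marks a suspicious launch point; "[file not found]" marks
a Run key for a file that is gone. "[null data]" (no version info) is
deliberately not a finding: in the thread vendor files and rpcc.dll both carry it."""
import re

# Constructed sample lines shaped like the thread's logs (forum line-wrapping kept).
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
(no file)
O4 - HKLM\..\Run: [MKS_VIR_2006] E:\Program Files\MKS_VIR_2006\mks2006.exe
O4 - HKLM\..\Run: [mkstray] D:\Program Files\mks_vir_2007\bin\mkstray.exe
"""
SR_SAMPLE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MKS_VIR_2006" = "E:\Program Files\MKS_VIR_2006\mks2006.exe" [file not found]
"mkstray" = "D:\Program Files\mks_vir_2007\bin\mkstray.exe" ["MKS Sp z o.o."]
"MKSRegmon" = "D:\Program Files\mks_vir_2007\bin\mksregmon.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> rpcc\DLLName = "D:\WINDOWS\system32\rpcc.dll" [null data]
"""

HJT_LINE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<rest>.*)$")  # "<section> - <rest>"
SR_VALUE = re.compile(  # [<<!>>] name = value [annotation]
    r"^(?P<flag><<!>>\s+)?(?P<name>\S.*?)\s*=\s*(?P<value>.*?)\s*"
    r"(?:\[(?P<annot>[^\]]*)\])?$")

def parse_hjt(text):
    """Return (section, rest) tuples; a non-entry line is glued onto the
    previous entry, which undoes the forum's soft line-wrapping."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_LINE.match(line)
        if m:
            entries.append([m.group("sec"), m.group("rest")])
        elif entries:
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]

def parse_silent_runners(text):
    """Return (launch_point, name, value, annotation, flagged) tuples."""
    out, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HK"):  # registry key header such as "...\Run\ {++}"
            key = line.replace("{++}", "").strip().rstrip("\\")
            continue
        m = SR_VALUE.match(line)
        if m and key:
            out.append((key, m.group("name").strip('"'), m.group("value").strip('"'),
                        m.group("annot"), bool(m.group("flag"))))
    return out

def triage_hjt(entries):
    """HJT entries the thread's reasoning lets you remove outright."""
    findings = []
    for sec, rest in entries:
        if rest.endswith("(no file)"):
            findings.append((sec, rest, "target file missing: orphaned hook/BHO"))
        elif sec == "R0" and rest.endswith("="):
            findings.append((sec, rest, "empty IE setting, safe to clear"))
    return findings

def triage_silent_runners(values):
    """Silent Runners lines worth acting on; [null data] alone is ignored."""
    findings = []
    for key, name, value, annot, flagged in values:
        if flagged:
            findings.append((key, name, value, "<<!>> suspicious launch point"))
        elif annot == "file not found":
            findings.append((key, name, value, "launch point for a missing file"))
    return findings

if __name__ == "__main__":
    print(triage_hjt(parse_hjt(HJT_SAMPLE)))
    print(triage_silent_runners(parse_silent_runners(SR_SAMPLE)))
```

On the constructed sample the HJT rule reproduces exactly the entries Kolobos picked (the empty Local Page and the "(no file)" URLSearchHook), and the Silent Runners rule surfaces the rpcc.dll Winlogon\Notify line while leaving the vendor's [null data] files alone.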
        • Guest: Zagubiona Re: smitfraudFix IP: *.neoplus.adsl.tpnet.pl 02.12.06, 21:35
          Unfortunately the file can't be deleted :( I turned off everything I could, and it
          still shows the message that the file cannot be deleted because it is in use by
          another person or program.
          :((((

          I'll paste the end of the Silent Runners log in a moment <I'm writing from another computer right now>

          BTW - many thanks for the help!!

          Oh, and rpcc.dll isn't visible in HijackThis...
          • Guest: Kolobos Re: smitfraudFix IP: *.escom.net.pl 02.12.06, 21:39
            If you don't read the pinned posts (the one about Gadu-Gadu and/or the main one that describes how to use killbox), then indeed the file can't be deleted. Use killbox with the "delete on reboot" option enabled and the file will be gone.

            > Oh, and rpcc.dll isn't visible in HijackThis...

            You haven't deleted it, so it isn't visible.
    • Guest: Zagubiona missing part of silent runners IP: *.neoplus.adsl.tpnet.pl 02.12.06, 22:30
      Toolbars, Explorer Bars, Extensions:
      ------------------------------------

      Extensions (Tools menu items, main toolbar menu buttons)

      HKLM\Software\Microsoft\Internet Explorer\Extensions\
      {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
      "MenuText" = "Sun Java Console"
      "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
      -> {HKCU...CLSID} = "Java Plug-in"
      \InProcServer32\(Default) = "D:\Program
      Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
      -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
      \InProcServer32\(Default) = "D:\Program
      Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

      {FB5F1910-F110-11D2-BB9E-00C04F795683}\
      "ButtonText" = "Messenger"
      "MenuText" = "Windows Messenger"
      "Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


      Running Services (Display Name, Service Name, Path {Service DLL}):
      ------------------------------------------------------------------

      AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "D:\Program Files\Grisoft\AVG
      Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
      LexBce Server, LexBceS, "D:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark
      International, Inc."]
      MkS_Scan, MkS_Scan, "D:\Program Files\mks_vir_2007\bin\mks_scan.exe" [empty string]
      mks_vir file monitor, MksVirMonSvc, "D:\Program
      Files\mks_vir_2007\bin\mksvirmonsvc.exe" [null data]
      MksFwall, MksFwall, ""D:\Program Files\mks_vir_2007\bin\MksFwall.exe"" [null data]
      MksPC, MksPC, ""D:\Program Files\mks_vir_2007\bin\MksPC.exe"" [null data]
      MksUpdate, MksUpdate, ""D:\Program Files\mks_vir_2007\bin\mksupdate.exe"" ["MKS
      sp. z O. O."]
      TrueVector Internet Monitor, vsmon, "D:\WINDOWS\system32\ZONELABS\vsmon.exe
      -service" ["Zone Labs, LLC"]


      Print Monitors:
      ---------------

      HKLM\System\CurrentControlSet\Control\Print\Monitors\
      Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


      ----------
      <<!>>: Suspicious data at a malware launch point.

      + This report excludes default entries except where indicated.
      + To see *everywhere* the script checks and *everything* it finds,
      launch it from a command prompt or a shortcut with the -all parameter.
      + The search for DESKTOP.INI DLL launch points on all local fixed drives
      took 507 seconds.
      --------
      • Guest: Kolobos Re: missing part of silent runners IP: *.escom.net.pl 02.12.06, 22:58
        The ending is fine.
    • Guest: Zagubiona New HijackThis log ;) IP: *.neoplus.adsl.tpnet.pl 02.12.06, 23:36
      Hello, hopefully for the last time. I deleted that rpcc.dll with killbox. It wasn't
      visible in HijackThis <???>

      Here is the log:


      Logfile of HijackThis v1.99.0
      Scan saved at 23:33:45, on 2006-12-02
      Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      D:\WINDOWS\System32\smss.exe
      D:\WINDOWS\system32\winlogon.exe
      D:\WINDOWS\system32\services.exe
      D:\WINDOWS\system32\lsass.exe
      D:\WINDOWS\system32\svchost.exe
      D:\WINDOWS\System32\svchost.exe
      D:\WINDOWS\system32\LEXBCES.EXE
      D:\WINDOWS\Explorer.EXE
      D:\WINDOWS\system32\LEXPPS.EXE
      D:\WINDOWS\system32\spoolsv.exe
      D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
      D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
      D:\Program Files\mks_vir_2007\bin\mkstray.exe
      D:\Program Files\mks_vir_2007\bin\mksregmon.exe
      D:\Program Files\mks_vir_2007\bin\mks_mail.exe
      D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      D:\Program Files\mks_vir_2007\bin\MksFwall.exe
      D:\Program Files\mks_vir_2007\bin\MksPC.exe
      D:\Program Files\mks_vir_2007\bin\mksupdate.exe
      D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe
      D:\WINDOWS\system32\svchost.exe
      D:\WINDOWS\system32\ZONELABS\vsmon.exe
      D:\Program Files\mks_vir_2007\bin\mks_scan.exe
      I:\PROGRAMY\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program
      Files\Java\jre1.5.0_06\bin\ssv.dll
      O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program
      Files\Java\jre1.5.0_06\bin\jusched.exe
      O4 - HKLM\..\Run: [MKS_VIR_2006] E:\Program Files\MKS_VIR_2006\mks2006.exe
      O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
      O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone
      Labs\ZoneAlarm\zlclient.exe"
      O4 - HKLM\..\Run: [mkstray] D:\Program Files\mks_vir_2007\bin\mkstray.exe
      O4 - HKLM\..\Run: [MKSRegmon] D:\Program Files\mks_vir_2007\bin\mksregmon.exe
      O4 - HKLM\..\Run: [mks_mail] D:\Program Files\mks_vir_2007\bin\mks_mail.exe
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware
      7.5\avgas.exe" /minimized
      O4 - HKCU\..\Run: [MailScanner] E:\Program Files\MKS_VIR_2006\Mks_mail.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
      D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console -
      {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program
      Files\Java\jre1.5.0_06\bin\ssv.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
      D:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger -
      {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
      O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
      O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
      O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
      O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\\mkslsp.dll
      O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) -
      file://D:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
      O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -
      download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
      O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) -
      file://D:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
      O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) -
      file://D:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
      O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment
      1.4.1_07) -
      O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
      www.mks.com.pl/skaner/SkanerOnline.cab
      O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) -
      file://D:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. -
      D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: LexBce Server - Lexmark International, Inc. -
      D:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: MksFwall - Unknown - D:\Program Files\mks_vir_2007\bin\MksFwall.exe
      O23 - Service: MksPC - Unknown - D:\Program Files\mks_vir_2007\bin\MksPC.exe
      O23 - Service: MksUpdate - MKS sp. z O. O. - D:\Program
      Files\mks_vir_2007\bin\mksupdate.exe
      O23 - Service: mks_vir file monitor - Unknown - D:\Program
      Files\mks_vir_2007\bin\mksvirmonsvc.exe
      O23 - Service: MkS_Scan - Unknown - D:\Program Files\mks_vir_2007\bin\mks_scan.exe
      O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC -
      D:\WINDOWS\system32\ZONELABS\vsmon.exe

      • Guest: Kolobos Re: New HijackThis log ;) IP: *.escom.net.pl 02.12.06, 23:40
        It isn't visible because you're pasting a log from an old version of HijackThis! Paste a log from the newest version.
    • Guest: Zagubiona I can't believe it :) IP: *.neoplus.adsl.tpnet.pl 03.12.06, 18:08
      Everything is fixed... and the computer even started running faster.

      THANK YOU very much for the HELP, Kolobos!!!!

      Best regards!!!
