Virus

IP: *.ssnet.pl 20.12.06, 18:07
I have a problem. Avast showed me that I had several viruses and I removed them there. My wallpaper
changed by itself to solid black, and in the bottom right corner it says in
English that my computer is in danger and that I need to use
special programs to remove this infection. The wallpaper cannot be changed.
When I press Ctrl+Alt+Del, a window pops up that says: "Task Manager
has been disabled by your administrator". My log:
Logfile of HijackThis v1.99.1
Scan saved at 18:02:14, on 2006-12-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\start\net\progsy\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32
\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32
\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software
Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program
Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-
Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft
ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1
\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1
\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-
00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -
C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz łącze Ulubione dla urządzenia
przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3
\INetRepl.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -
C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-
0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. -
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner -
C:\WINDOWS\system32:svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32
\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    • Guest: Kolobos Re: Virus IP: *.crowley.pl 20.12.06, 20:04
      Remove this service:
      O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner -
      C:\WINDOWS\system32:svchost.exe
      The removal instructions are in the pinned post, but don't touch the file!

      Then use:
      siri.urz.free.fr/Fix/SmitfraudFix_En.php and do what it says under "Clean"; after it runs a log will be created, paste it to the forum.
      • Guest: Ebi Re: Virus IP: *.ssnet.pl 20.12.06, 22:31
        The removal instructions in the pinned post, do you mean the thread "Problem z Generic
        Host Process... Rozwiazanie!"?
        • Guest: Kolobos Re: Virus IP: *.crowley.pl 20.12.06, 22:35
          No, the one above; you also have the same thing in the forum header.
          • Guest: Ebi Re: Virus IP: *.ssnet.pl 21.12.06, 14:41
            It can't be removed. I deleted it and immediately ran the scan again, and it
            shows up there again.
            So should I use this SmitfraudFix program now, or do I need to do
            something else first?
            • kolobos Re: Virus 21.12.06, 14:45
              Use Smit (and paste its log). Also paste the Silent Runners log (in a new post; both won't fit in one because of the size limit).
              • Guest: Ebi Re: Virus IP: *.ssnet.pl 22.12.06, 00:10
                SmitFraudFix v2.131

                Scan done at 0:07:07,89, 2006-12-22
                Run from C:\Documents and Settings\Dawid\Pulpit\SmitfraudFix
                OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
                The filesystem type is NTFS
                Fix run in normal mode

                »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
                !!!Attention, following keys are not inevitably infected!!!

                SrchSTS.exe by S!Ri
                Search SharedTaskScheduler's .dll

                »»»»»»»»»»»»»»»»»»»»»»»» Killing process


                »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

                GenericRenosFix by S!Ri


                »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


                »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


                »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
                !!!Attention, following keys are not inevitably infected!!!

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
                "System"=""


                »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

                Registry Cleaning done.

                »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
                !!!Attention, following keys are not inevitably infected!!!

                SrchSTS.exe by S!Ri
                Search SharedTaskScheduler's .dll


                »»»»»»»»»»»»»»»»»»»»»»»» End
              • Guest: Ebi Re: Virus IP: *.ssnet.pl 22.12.06, 00:18
                  "Silent Runners.vbs", revision 49, www.silentrunners.org/
                  Operating System: Windows XP SP2
                  Output limited to non-default values, except where indicated by "{++}"


                  Startup items buried in registry:
                  ---------------------------------

                  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                  "{B4048084-07DA-1045-0407-051230200030}" = ""C:\Program Files\Common
                  Files\{B4048084-07DA-1045-0407-051230200030}\Update.exe" te-110-12-0000219"
                  [file not found]

                  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
                  "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
                  "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
                  "Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
                  "H/PC Connection Agent" = ""C:\Program Files\Microsoft
                  ActiveSync\wcescomm.exe"" [MS]

                  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
                  "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
                  "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
                  "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
                  "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
                  [MS]
                  "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
                  "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
                  "iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer,
                  Inc."]
                  "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime"
                  ["Apple Computer, Inc."]
                  "HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
                  ["Hewlett-Packard Co."]
                  "CloneCDTray" = ""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s"
                  ["SlySoft, Inc."]
                  "!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5
                  \avgas.exe" /minimized" ["Anti-Malware Development a.s."]

                  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
                  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
                  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                  \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat
                  7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
                  {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\(Default) = (no title provided)
                  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32
                  \ndhrtnhh.dll" [null data]
                  {3FD6B99C-A275-46ea-8FD1-3D63986E51E4}\(Default) = (no title provided)
                  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32
                  \nrkpmyve.dll" [null data]
                  {46A4E9D9-B30E-452A-8157-DBBEC8573B03}\(Default) = (no title provided)
                  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-
                  in.dll" [file not found]
                  {7D14A28E-A2F1-45C1-9C0F-52F8A59F389F}\(Default) = (no title provided)
                  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\ssqrs.dll"
                  [null data]
                  {A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)
                  -> {HKLM...CLSID} = "IeCatch2 Class"
                  \InProcServer32\(Default) = "C:\PROGRA~1
                  \FlashGet\jccatch.dll" ["Amaze Soft"]

                  HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
                  "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
                  wyświetlania"
                  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                  \InProcServer32\(Default) = "deskpan.dll" [file not found]
                  "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
                  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                  \InProcServer32\(Default) = "C:\WINDOWS\System32
                  \hticons.dll" ["Hilgraeve, Inc."]
                  "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
                  -> {HKLM...CLSID} = "DesktopContext Class"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll"
                  ["NVIDIA Corporation"]
                  "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
                  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll"
                  ["NVIDIA Corporation"]
                  "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
                  -> {HKLM...CLSID} = "Desktop Explorer"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32
                  \nvshell.dll" ["NVIDIA Corporation"]
                  "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
                  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32
                  \nvshell.dll" ["NVIDIA Corporation"]
                  "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
                  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32
                  \nvshell.dll" ["NVIDIA Corporation"]
                  "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
                  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Program
                  Files\WinRAR\rarext.dll" [null data]
                  "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
                  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1
                  \WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
                  "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
                  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1
                  \WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
                  "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
                  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1
                  \WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
                  "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
                  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1
                  \WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
                  "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
                  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Program Files\Microsoft
                  Office\Office10\msohev.dll" [MS]
                  "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
                  -> {HKLM...CLSID} = "avast"
                  \InProcServer32\(Default) = "C:\Program Files\Alwil
                  Software\Avast4\ashShell.dll" ["ALWIL Software"]
                  "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
                  -> {HKLM...CLSID} = "iTunes"
                  \InProcServer32\(Default) = "C:\Program
                  Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
                  "{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
                  -> {HKLM...CLSID} = "Urządzenie przenośne"
                  \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3
                  \Wcesview.dll" [MS]
                  "{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
                  -> {HKLM...CLSID} = "AlcoholShellEx"
                  \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1
                  \AXShlEx.dll" ["Alcohol Soft Development Team"]

                  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
                  <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
                  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
                  \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG
                  Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

                  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
                  <<!>> rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [file not found]
                  <<!>> ssqrs\DLLName = "C:\WINDOWS\system32\ssqrs.dll" [null data]

                  HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
                  {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
                  -> {HKLM...CLSID} = "PDF Shell Extension"
                  \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat
                  7.0\ActiveX\PDFShel
              • Guest: Ebi Re: Virus IP: *.ssnet.pl 22.12.06, 00:21
                  HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
                  {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
                  -> {HKLM...CLSID} = "PDF Shell Extension"
                  \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat
                  7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

                  HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
                  avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
                  -> {HKLM...CLSID} = "avast"
                  \InProcServer32\(Default) = "C:\Program Files\Alwil
                  Software\Avast4\ashShell.dll" ["ALWIL Software"]
                  AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
                  -> {HKLM...CLSID} = "CContextScan Object"
                  \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG
                  Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
                  WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Program
                  Files\WinRAR\rarext.dll" [null data]
                  WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
                  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1
                  \WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

                  HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
                  AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
                  -> {HKLM...CLSID} = "CContextScan Object"
                  \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG
                  Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
                  WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Program
                  Files\WinRAR\rarext.dll" [null data]
                  WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
                  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1
                  \WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

                  HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
                  avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
                  -> {HKLM...CLSID} = "avast"
                  \InProcServer32\(Default) = "C:\Program Files\Alwil
                  Software\Avast4\ashShell.dll" ["ALWIL Software"]
                  WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Program
                  Files\WinRAR\rarext.dll" [null data]
                  WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
                  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1
                  \WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


                  Group Policies {GPedit.msc branch and setting}:
                  -----------------------------------------------

                  Note: detected settings may not have any effect.

                  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

                  "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
                  {User Configuration|Administrative Templates|System|
                  Prevent access to registry editing tools}

                  HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

                  "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
                  {Computer Configuration|Windows Settings|Security Settings|Local
                  Policies|Security Options|
                  Shutdown: Allow system to be shut down without having to log on}

                  "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
                  {Computer Configuration|Windows Settings|Security Settings|Local
                  Policies|Security Options|
                  Devices: Allow undock without having to log on}


                  Active Desktop and Wallpaper:
                  -----------------------------

                  Active Desktop may be disabled at this entry:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

                  Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
                  HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
                  "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane
                  aplikacji\Microsoft\Wallpaper1.bmp"

                  Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
                  HKCU\Control Panel\Desktop\
                  "Wallpaper" = "C:\Documents and Settings\Dawid\Ustawienia lokalne\Dane
                  aplikacji\Microsoft\Wallpaper1.bmp"


                  Enabled Screen Saver:
                  ---------------------

                  HKCU\Control Panel\Desktop\
                  "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
              • Guest: Ebi Re: Virus IP: *.ssnet.pl 22.12.06, 00:22
                  Startup items in "Dawid" & "All Users" startup folders:
                  -------------------------------------------------------

                  C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
                  "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0
                  \Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
                  "HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital
                  Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
                  "HP Image Zone - szybkie uruchamianie" -> shortcut to: "C:\Program
                  Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]
                  "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10
                  \OSA.EXE -b -l" [MS]


                  Winsock2 Service Provider DLLs:
                  -------------------------------

                  Namespace Service Providers

                  HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5
                  \Catalog_Entries\ {++}
                  000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
                  000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
                  000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

                  Transport Service Providers

                  HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9
                  \Catalog_Entries\ {++}
                  0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
                  %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 16
                  %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


                  Toolbars, Explorer Bars, Extensions:
                  ------------------------------------

                  Toolbars

                  HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
                  "{74DD705D-6834-439C-A735-A6DBE2677452}"
                  -> {HKLM...CLSID} = "&VSAdd-in"
                  \InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-
                  in.dll" [file not found]

                  Extensions (Tools menu items, main toolbar menu buttons)

                  HKLM\Software\Microsoft\Internet Explorer\Extensions\
                  {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
                  "ButtonText" = "Create Mobile Favorite"
                  "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
                  -> {HKLM...CLSID} = "Create Mobile Favorite"
                  \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3
                  \INetRepl.dll" [MS]

                  {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
                  "MenuText" = "Utwórz łącze Ulubione dla urządzenia przenośnego..."
                  "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
                  -> {HKLM...CLSID} = "Create Mobile Favorite"
                  \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3
                  \INetRepl.dll" [MS]

                  {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
                  "ButtonText" = "FlashGet"
                  "MenuText" = "&FlashGet"
                  "Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]

                  {FB5F1910-F110-11D2-BB9E-00C04F795683}\
                  "ButtonText" = "Messenger"
                  "MenuText" = "Windows Messenger"
                  "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


                  Running Services (Display Name, Service Name, Path {Service DLL}):
                  ------------------------------------------------------------------

                  avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4
                  \ashServ.exe"" [null data]
                  avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4
                  \aswUpdSv.exe"" [null data]
                  avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil
                  Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
                  avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4
                  \ashWebSv.exe" /service" ["ALWIL Software"]
                  AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG
                  Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
                  iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple
                  Computer, Inc."]
                  NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe"
                  ["NVIDIA Corporation"]
                  Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]


                  Print Monitors:
                  ---------------

                  HKLM\System\CurrentControlSet\Control\Print\Monitors\
                  HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
                  hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]


                  ----------
                  <<!>>: Suspicious data at a malware launch point.

                  + This report excludes default entries except where indicated.
                  + To see *everywhere* the script checks and *everything* it finds,
                  launch it from a command prompt or a shortcut with the -all parameter.
                  + The search for DESKTOP.INI DLL launch points on all local fixed drives
                  took 12 seconds.
                  --------
                  • Guest: Kolobos Re: Virus IP: *.crowley.pl 22.12.06, 01:24
                    Run regedit, go to:
                    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                    and delete there:
                    "{B4048084-07DA-1045-0407-051230200030}" = ""C:\Program Files\Common
                    Files\{B4048084-07DA-1045-0407-051230200030}\Update.exe" te-110-12-0000219"
                    [file not found]

                    Next go to:
                    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
                    and delete there:
                    {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\(Default) = (no title provided)
                    -> {HKLM...CLSID} = (no title provided)
                    \InProcServer32\(Default) = "C:\WINDOWS\system32
                    \ndhrtnhh.dll" [null data] <- delete the file from disk.

                    {3FD6B99C-A275-46ea-8FD1-3D63986E51E4}\(Default) = (no title provided)
                    -> {HKLM...CLSID} = (no title provided)
                    \InProcServer32\(Default) = "C:\WINDOWS\system32
                    \nrkpmyve.dll" [null data] <- delete the file from disk.

                    {46A4E9D9-B30E-452A-8157-DBBEC8573B03}\(Default) = (no title provided)
                    -> {HKLM...CLSID} = (no title provided)
                    \InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-
                    in.dll" [file not found]

                    {7D14A28E-A2F1-45C1-9C0F-52F8A59F389F}\(Default) = (no title provided)
                    -> {HKLM...CLSID} = (no title provided)
                    \InProcServer32\(Default) = "C:\WINDOWS\system32\ssqrs.dll" <- delete the file from disk.

                    Then go to:
                    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
                    and delete there:
                    <<!>> rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [file not found]
                    <<!>> ssqrs\DLLName = "C:\WINDOWS\system32\ssqrs.dll" [null data]
                    Or, after deleting the file mentioned above, remove both entries in HijackThis.

                    In HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
                    delete:
                    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000

                    If the wallpaper is still broken, also delete in:
                    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
                    this entry:
                    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane
                    aplikacji\Microsoft\Wallpaper1.bmp"
                    and in HKCU\Control Panel\Desktop\ this entry:
                    "Wallpaper" = "C:\Documents and Settings\Dawid\Ustawienia lokalne\Dane
                    aplikacji\Microsoft\Wallpaper1.bmp"

                    In HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ delete:
                    "{74DD705D-6834-439C-A735-A6DBE2677452}"
                    -> {HKLM...CLSID} = "&VSAdd-in"
                    \InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-
                    in.dll" [file not found]

                    Also e-mail me the log from gmer's rootkit tab.
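The entries Kolobos singles out share a few recognisable shapes: the O23 service path `C:\WINDOWS\system32:svchost.exe` has a second colon after the directory name, so the binary lives in an NTFS alternate data stream attached to the system32 folder (Explorer and `dir` do not list it, which is why the pinned post's procedure, not a plain delete, is the right tool); the BHO and Winlogon Notify DLLs are short random lowercase names in system32 that Silent Runners reports with `[null data]` (no version resource); and several launch points point at files that no longer exist after the first Avast clean-up. The following script is an added example, not code from the thread or from the tools named in it: it re-joins a handful of lines excerpted from the logs above (the forum wrapped them) into a constructed sample and applies those four rules as a triage pass, then lists which flagged files are safe to remove by hand, skipping the ADS and the already-missing files exactly as the reply does. The function names `triage` and `paths_on_disk`, the sample text and the thresholds (4 to 8 letters) are my own assumptions; a hit is a prompt for review, not a verdict.

```python
"""Triage helper for HijackThis / Silent Runners style logs (added example).

Flags the launch-point patterns that turned out to be malicious in the thread
above: a service image path that is an NTFS alternate data stream
(system32:svchost.exe), randomly named DLLs without version info registered as
BHOs or Winlogon Notify packages, Policies\\Explorer\\Run entries, and launch
points whose file no longer exists. It is a triage aid; every hit still needs a
human look (e.g. a missing deskpan.dll shell extension is a harmless XP default).
"""
import re
from dataclasses import dataclass

# Constructed sample: entries excerpted from the logs posted in this thread and
# re-joined onto single lines (the forum wrapped them).
SAMPLE_LOG = r'''
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner - C:\WINDOWS\system32:svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{B4048084-07DA-1045-0407-051230200030}" = ""C:\Program Files\Common Files\{B4048084-07DA-1045-0407-051230200030}\Update.exe" te-110-12-0000219" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
\InProcServer32\(Default) = "C:\WINDOWS\system32\ndhrtnhh.dll" [null data]
\InProcServer32\(Default) = "C:\WINDOWS\system32\nrkpmyve.dll" [null data]
\InProcServer32\(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [file not found]
\InProcServer32\(Default) = "C:\WINDOWS\system32\ssqrs.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [file not found]
<<!>> ssqrs\DLLName = "C:\WINDOWS\system32\ssqrs.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
'''

ADS_REASON = 'service image path is an NTFS alternate data stream'
POLICY_REASON = 'Policies\\Explorer\\Run launch point (almost never set legitimately)'
RANDOM_REASON = 'randomly named system32 DLL without version info at a launch point'
MISSING_REASON = 'launch point whose file is missing (leftover of a partial clean-up)'


@dataclass
class Finding:
    key: str    # registry key the line was listed under ('O23' for HijackThis service lines)
    line: str
    reason: str


# Silent Runners section header: a registry key ending in '\', optionally followed by ' {++}'.
KEY_LINE = re.compile(r'^(HK(?:LM|CU)\\.*?\\)(?:\s*\{\+\+\})?\s*$')
# A second ':' inside a drive path (C:\WINDOWS\system32:svchost.exe) marks an alternate data stream.
ADS_PATH = re.compile(r'(?i)\b[a-z]:\\[^:"\s]+:[^\\:"\s]+')
# 4-8 lowercase letters + .dll in system32, reported by Silent Runners with no version information.
RANDOM_DLL = re.compile(r'\\[Ss]ystem32\\([a-z]{4,8})\.dll"\s*\[null data\]')
QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"')
MISSING = '[file not found]'
# Keys under which a missing or unsigned-looking DLL/EXE is worth a second look.
LAUNCH_KEYS = ('\\Run\\', '\\Browser Helper Objects\\', '\\Winlogon\\Notify\\', '\\Toolbar\\WebBrowser\\')


def triage(log_text):
    """Return one Finding per suspicious line, in log order."""
    findings = []
    key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = KEY_LINE.match(line)
        if header:
            key = header.group(1)   # remember which key the following value lines belong to
            continue
        under_launch_key = any(k in key for k in LAUNCH_KEYS)
        if line.startswith('O23') and ADS_PATH.search(line):
            findings.append(Finding('O23', line, ADS_REASON))
        elif 'Policies\\Explorer\\Run\\' in key:
            findings.append(Finding(key, line, POLICY_REASON))
        elif under_launch_key and RANDOM_DLL.search(line):
            findings.append(Finding(key, line, RANDOM_REASON))
        elif under_launch_key and MISSING in line:
            findings.append(Finding(key, line, MISSING_REASON))
    return findings


def paths_on_disk(findings):
    """Flagged files that exist as ordinary files and can be removed by hand.

    Skips entries whose file is already gone (only the registry value remains)
    and the ADS service path, which needs a stream-aware tool rather than a plain delete.
    """
    paths = set()
    for f in findings:
        if f.reason == ADS_REASON or MISSING in f.line:
            continue
        m = QUOTED_PATH.search(f.line)
        if m:
            paths.add(m.group(1))
    return paths


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'[{f.reason}]\n    {f.line}')
    print('\nFiles to remove from disk:')
    for p in sorted(paths_on_disk(found)):
        print('    ' + p)
```

Run it as-is and the sample yields eight findings: the ADS service, the Policies\Explorer\Run value, the three random-named BHO DLLs plus the missing VSAdd-in one, and the two Winlogon Notify packages; the files list comes out as ndhrtnhh.dll, nrkpmyve.dll and ssqrs.dll, the same three the reply says to delete from disk. Feed it a real log by joining the wrapped lines first, since the rules look at one line at a time.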
                    • Guest: Ebi Re: Virus IP: *.ssnet.pl 22.12.06, 18:48
                      I've deleted everything just as you wrote. I think everything is
                      OK now. My HijackThis log now looks like the previous one, but the
                      service that couldn't be removed is gone. Let me know if I should paste any other log
                      for checking.
                      Many thanks for the help. I'm very grateful. Regards.
                      • Guest: Kolobos Re: Virus IP: *.crowley.pl 22.12.06, 19:48
                        If the files listed are gone, and the entries in Silent Runners and gmer are gone as well, you don't need to do anything more.