
Scans with NOD32, a-squared, Ad-Aware SE, Ewido and ATS do not help.
This attack occurs after I launch a web browser, no matter which one I use.
Here is what Kerio displayed:
Szczegóły techniczne o próbie ataku:
Aplikacja iniekcyjna:
Opis aplikacji: \??\C:\WINDOWS\system32\winlogon.exe
Wersja pliku: winlogon
Nazwa produktu:
Wersja produktu:
Utworzono:
Ostatnia zmiana: N/A
Ostatni dostęp: N/A
Aplikacja docelowa:
Opis aplikacji: C:\Program Files\Mozilla Firefox\firefox.exe
Wersja pliku: Firefox
Nazwa produktu: 1.8.1.4: 2007051502
Wersja produktu: Firefox
Utworzono: 2.0.0.4
Ostatnia zmiana: 2007/6/7, 16:04:57
Ostatni dostęp: 2007/5/15, 20:44:15
Adres iniekcji: 0x7FEB0065
I will also include scans from HijackThis v1.99.1
Logfile of HijackThis v1.99.1
Scan saved at 14:28:55, on 2007-06-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\a-squared free\a2service.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\supervisor.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Microsoft Office\Office\1045\msoffice.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\Mateusz\Pulpit\FILTRY\Mateusz.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WooCnxMon] c:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1045 -lock
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12137B10-9DF8-4061-8A1B-E6D1C730FE80}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{12137B10-9DF8-4061-8A1B-E6D1C730FE80}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: winxtx32 - C:\WINDOWS\SYSTEM32\winxtx32.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: eMule MorphXT as a service (eMule) - http://emulemorph.sourceforge.net - C:\Program Files\eMule MorphXP\eMule.exe
O23 - Service: HASP Loader - Unknown owner - C:\WINDOWS\system32\Hsrvldr.exe (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Scan from ComboScan v20070306.20
ComboScan v20070306.20 run by Mateusz on 2007-06-17 at 14:30:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Mateusz.exe) ---------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 14:30:27, on 2007-06-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\a-squared free\a2service.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\supervisor.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Microsoft Office\Office\1045\msoffice.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\Mateusz\Pulpit\FILTRY\comboscan.exe
C:\DOCUME~1\Mateusz\Pulpit\FILTRY\Mateusz.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WooCnxMon] c:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1045 -lock
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12137B10-9DF8-4061-8A1B-E6D1C730FE80}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{12137B10-9DF8-4061-8A1B-E6D1C730FE80}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: winxtx32 - C:\WINDOWS\SYSTEM32\winxtx32.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: eMule MorphXT as a service (eMule) - http://emulemorph.sourceforge.net - C:\Program Files\eMule MorphXP\eMule.exe
O23 - Service: HASP Loader - Unknown owner - C:\WINDOWS\system32\Hsrvldr.exe (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
-- Files created between 2007-05-17 and 2007-06-17 -----------------------------
2007-06-10 20:51:35 1156 --a------ C:\WINDOWS\mozver.dat
2007-06-09 19:15:18 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-06-07 18:11:08 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-07 18:04:57 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-05-23 11:38:17 321583 --a------ C:\WINDOWS\supervisor.exe<SUPERV~1.EXE>
2007-05-21 00:10:07 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-05-21 00:01:20 19456 --a------ C:\WINDOWS\system32\winxtx32.dll
2007-05-20 23:41:27 0 d-------- C:\Program Files\Common Files\Autodata Limited Shared<AUTODA~1>
2007-05-20 23:41:26 0 d-------- C:\ADCDA2
2007-05-20 23:41:17 0 d-------- C:\ADCDTEMP
-- Find3M Report ---------------------------------------------------------------
2007-06-17 12:25:04 436322 --a------ C:\WINDOWS\system32\perfh015.dat
2007-06-17 12:25:04 67298 --a------ C:\WINDOWS\system32\perfc015.dat
2007-06-17 12:15:32 0 d-------- C:\Program Files\a-squared Free<A-SQUA~1>
2007-06-17 10:29:06 0 d-------- C:\Program Files\ATS2
2007-06-09 18:01:13 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-06-07 18:05:14 0 d-------- C:\Documents and Settings\Mateusz\Dane aplikacji\Mozilla
2007-06-07 16:55:05 0 d-------- C:\Program Files\eMule MorphXP<EMULEM~1>
2007-06-02 19:50:40 0 d---s---- C:\Documents and Settings\Mateusz\Dane aplikacji\Microsoft<MICROS~1>
2007-06-01 19:15:27 0 d-------- C:\Program Files\Sunbelt Software<SUNBEL~1>
2007-05-23 12:33:15 0 d-------- C:\Program Files\Hard Truck<HARDTR~1>
2007-05-22 10:26:19 0 d-------- C:\Documents and Settings\Mateusz\Dane aplikacji\Lavasoft
2007-05-22 10:26:03 0 d-------- C:\Program Files\Lavasoft
2007-05-16 17:18:58 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-15 22:44:48 72192 --a------ C:\WINDOWS\system32\hlvdd.dll
2007-05-15 21:14:53 0 d-------- C:\Program Files\PC_Navigator6<PC_NAV~1>
2007-05-15 21:14:53 0 d-------- C:\Documents and Settings\Mateusz\Dane aplikacji\Navigator<NAVIGA~1>
2007-05-13 21:12:08 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-09 08:28:49 0 d-------- C:\Program Files\Cartall
2007-05-06 13:46:31 0 d-------- C:\Program Files\eMule
2007-05-04 22:36:12 88 -r-hs---- C:\WINDOWS\system32\0F032371FB.sys<0F0323~1.SYS>
2007-05-04 22:35:49 0 d-------- C:\Documents and Settings\Mateusz\Dane aplikacji\Corel
2007-05-04 22:35:48 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-05-04 22:35:40 0 d-------- C:\Program Files\Common Files\Corel
2007-05-04 22:35:14 0 d-------- C:\Program Files\Corel
2007-05-01 23:16:20 0 d-------- C:\Program Files\Winamp
2007-05-01 23:16:17 0 d-------- C:\Program Files\DFX
2007-05-01 16:12:32 0 d-------- C:\Documents and Settings\Mateusz\Dane aplikacji\Gadu-Gadu<GADU-G~1>
2007-05-01 16:07:25 0 d-------- C:\Program Files\Gadu-Gadu<GADU-G~1>
2007-04-26 21:34:25 0 d-------- C:\Program Files\CDex_151
2007-04-26 21:18:38 0 d-------- C:\Program Files\Common Files\Agnitum Shared<AGNITU~1>
2007-04-26 16:01:52 672256 --a------ C:\WINDOWS\is-C57FN.exe
2007-04-25 16:23:30 144896 --a------ C:\WINDOWS\system32\schannel.dll
2007-04-24 16:18:39 0 d-------- C:\Program Files\DAP
2007-04-23 21:09:39 0 d-------- C:\Program Files\CodeStuff<CODEST~1>
2007-04-21 23:25:32 0 d-------- C:\Program Files\HDD Regenerator<HDDREG~1>
2007-04-18 18:14:32 2854400 --a------ C:\WINDOWS\system32\msi.dll
2007-04-18 12:21:11 0 d-------- C:\Program Files\MSXML 4.0<MSXML4~1.0>
2007-04-16 22:47:36 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-04-16 22:45:54 1710936 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-04-16 22:45:48 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-04-16 22:45:42 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-04-16 22:45:36 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-04-16 22:45:28 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-04-16 22:45:20 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-04-16 22:45:20 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-03-17 20:54:17 1028 --a------ C:\WINDOWS\unins001.dat
2007-03-17 15:45:36 293376 --a------ C:\WINDOWS\system32\winsrv.dll
-- Registry Dump ---------------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"Gadu-Gadu"="\"C:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"
"supervisor.exe"="C:\\WINDOWS\\supervisor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"nwiz"="nwiz.exe /install"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"WooCnxMon"="c:\\PROGRA~1\\NEOSTR~1\\CnxMon.exe"
"WOOWATCH"="C:\\PROGRA~1\\NEOSTR~1\\Watch.exe"
"WOOTASKBARICON"="C:\\PROGRA~1\\NEOSTR~1\\TaskbarIcon.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1045 -lock"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winxtx32
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
-- End of ComboScan: finished at 2007-06-17 at 14:31:43 ------------------------