
Could someone explain step by step how to remove this virus, or translate the method?
HijackThis log
Code:
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
d:\program files\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\uTorrent\uTorrent.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\WebProxy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\foobar2000\foobar2000.exe
E:\SECURITY\wstawianie logow\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MS32DLL] D:\WINDOWS\MS32DLL.dll.vbs
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Tweak-XP Pro] "D:\Program Files\Tweak-XP Pro 4\autostart.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "D:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avldr - D:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Panda Software Controller - Panda Software International - D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - d:\program files\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
Silent Runners log
Code:
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Tweak-XP Pro" = ""D:\Program Files\Tweak-XP Pro 4\autostart.exe"" ["Totalidea Software, Germany, New Zealand"]
"MSMSGS" = ""D:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"uTorrent" = ""D:\Program Files\uTorrent\uTorrent.exe"" [null data]
"DAEMON Tools" = ""D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MS32DLL" = "D:\WINDOWS\MS32DLL.dll.vbs" [file not found]
"ATIPTA" = "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"APVXDWIN" = ""D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s" ["Panda Software International"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\ShellTit.dll" ["Panda Software International"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> avldr\DLLName = "avldr.dll" ["Panda Software International"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\ShellTit.dll" ["Panda Software International"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\ShellTit.dll" ["Panda Software International"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\lolek81\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "D:\WINDOWS\system32\logon.scr" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavlsp.dll ["Panda Software International"], 01 - 03, 15
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*n" (unwritable string)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Panda anti-virus service, PAVSRV, ""D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe"" ["Panda Software International"]
Panda Function Service, PAVFNSVR, ""D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe"" ["Panda Software International"]
Panda Host Service, PSHost, ""d:\program files\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE"" ["Panda Software International"]
Panda IManager Service, PSIMSVC, ""D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe"" ["Panda Software International"]
Panda Process Protection Service, PavPrSrv, ""D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe"" ["Panda Software International"]
Panda Software Controller, Panda Software Controller, ""D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe"" ["Panda Software International"]
---------- (launch time: 2007-08-05 16:34:59)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 100 seconds, including 6 seconds for message boxes)
ComboFix log
Code:
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
D:\DOCUME~1\lolek81\Pulpit\internet.lnk
((((((((((((((((((((((((( Files Created from 2007-07-05 to 2007-08-05 )))))))))))))))))))))))))))))))
2007-08-05 17:50 51,200 --a------ D:\WINDOWS\nircmd.exe
2007-08-05 17:29 <DIR> d-------- D:\WINDOWS\pss
2007-08-05 17:09 <DIR> d--h----- D:\WINDOWS\system32\GroupPolicy
2007-08-05 00:48 57,344 --a------ D:\WINDOWS\system32\WNASPINT.DLL
2007-08-05 00:38 <DIR> d-------- D:\eJay
2007-08-04 18:05 180,224 --a------ D:\WINDOWS\system32\xwsindex.exe
2007-08-04 18:05 <DIR> d-------- D:\DOCUME~1\lolek81\DANEAP~1\Xara
2007-08-04 18:00 <DIR> d-------- D:\WINDOWS\system32\Xara
2007-08-04 17:59 876,544 --a------ D:\WINDOWS\system32\XaraDocG.dll
2007-08-04 17:59 86,016 --a------ D:\WINDOWS\system32\BinCoder.dll
2007-08-04 17:59 253,952 --a------ D:\WINDOWS\system32\TemplOp.dll
2007-08-04 17:59 23,552 --a------ D:\WINDOWS\system32\XFontMan.dll
2007-08-04 17:59 131,072 --a------ D:\WINDOWS\system32\BmpImporter.dll
2007-08-04 17:59 126,976 --a------ D:\WINDOWS\system32\TemplMan.dll
2007-08-04 17:59 118,784 --a------ D:\WINDOWS\system32\XMUpload.dll
2007-08-04 17:59 110,592 --a------ D:\WINDOWS\system32\tsccvid.dll
2007-08-04 17:59 <DIR> d-------- D:\Program Files\Xara
2007-08-04 16:01 <DIR> d-------- D:\Program Files\The All-Seeing Eye
2007-08-04 02:13 <DIR> d-------- D:\Program Files\HT NETWORKS
2007-08-04 02:00 <DIR> d---s---- D:\DOCUME~1\lolek81\UserData
2007-08-03 23:41 2,297,552 --a------ D:\WINDOWS\system32\d3dx9_26.dll
2007-08-03 22:10 <DIR> d-------- D:\Program Files\Counter-Strike
2007-08-03 17:04 <DIR> d-------- D:\DOCUME~1\lolek81\DANEAP~1\BearShare
2007-08-03 17:03 <DIR> d-------- D:\Program Files\BearShare Applications
2007-08-03 15:01 <DIR> d-------- D:\Program Files\NAPI-PROJEKT
2007-08-02 21:56 <DIR> d-------- D:\Program Files\DAEMON Tools
2007-08-02 21:42 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\DANEAP~1\Yahoo! Companion
2007-08-02 16:54 <DIR> d-------- D:\Program Files\uTorrent
2007-08-02 16:54 <DIR> d-------- D:\DOCUME~1\lolek81\DANEAP~1\uTorrent
2007-08-02 02:57 <DIR> d-------- D:\Program Files\SubEdit-Player
2007-08-01 23:58 <DIR> d-------- D:\WINDOWS\Neuromemory
2007-08-01 23:58 <DIR> d-------- D:\Program Files\Neuromemory
2007-08-01 23:54 <DIR> d-------- D:\DOCUME~1\lolek81\DANEAP~1\Gadu-Gadu
2007-08-01 23:41 <DIR> d-------- D:\DOCUME~1\lolek81\DANEAP~1\Skype
2007-08-01 23:40 <DIR> d-------- D:\Program Files\Skype
2007-08-01 23:40 <DIR> d-------- D:\Program Files\Common Files\Skype
2007-08-01 23:40 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\DANEAP~1\Skype
2007-08-01 23:38 737,280 --a------ D:\WINDOWS\iun6002.exe
2007-08-01 23:38 <DIR> d-------- D:\Program Files\Tweak-XP Pro 4
2007-08-01 23:37 <DIR> d-------- D:\Program Files\MemStat XP
2007-08-01 23:36 <DIR> d-------- D:\Program Files\Yahoo!
2007-08-01 23:36 <DIR> d-------- D:\Program Files\CCleaner
2007-08-01 23:32 <DIR> d-------- D:\Program Files\foobar2000
2007-08-01 23:32 <DIR> d-------- D:\DOCUME~1\lolek81\DANEAP~1\foobar2000
2007-08-01 23:29 0 --a------ D:\WINDOWS\nsreg.dat
2007-08-01 23:29 <DIR> d-------- D:\DOCUME~1\lolek81\DANEAP~1\Talkback
2007-08-01 22:50 <DIR> d--hs---- D:\RECYCLER
2007-08-01 22:15 71,680 --a------ D:\WINDOWS\system32\drivers\pavdrv51.sys
2007-08-01 22:15 58,800 --a------ D:\WINDOWS\system32\drivers\APPFLT.SYS
2007-08-01 22:15 499,712 --a------ D:\WINDOWS\system32\MSVCP71.DLL
2007-08-01 22:15 49,968 --a------ D:\WINDOWS\system32\drivers\dsaflt.sys
2007-08-01 22:15 36,016 --a------ D:\WINDOWS\system32\drivers\smsflt.sys
2007-08-01 22:15 348,160 --a------ D:\WINDOWS\system32\MSVCR71.DLL
2007-08-01 22:15 29,360 --a------ D:\WINDOWS\system32\drivers\wnmflt.sys
2007-08-01 22:15 285,812 --a------ D:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-08-01 22:15 281 --a------ D:\WINDOWS\system32\PavCPL.dat
2007-08-01 22:15 190,640 --a------ D:\WINDOWS\system32\drivers\idsflt.sys
2007-08-01 22:15 15,792 --a------ D:\WINDOWS\system32\drivers\fnetmon.sys
2007-08-01 22:15 141,872 --a------ D:\WINDOWS\system32\drivers\netimflt.sys
2007-08-01 22:15 121,392 --a------ D:\WINDOWS\system32\drivers\NETFLTDI.SYS
2007-08-01 22:15 <DIR> d-------- D:\WINDOWS\system32\PAV
2007-08-01 22:14 63,024 --a------ D:\WINDOWS\system32\pavipc.dll
2007-08-01 22:14 50,736 --a------ D:\WINDOWS\system32\avldr.dll
2007-08-01 22:14 292,400 --a------ D:\WINDOWS\system32\PavSHook.dll
2007-08-01 22:14 17,792 --a------ D:\WINDOWS\system32\drivers\cpoint.sys
2007-08-01 22:14 161,328 --a------ D:\WINDOWS\system32\TpUtil.dll
2007-08-01 22:14 101,888 --a------ D:\WINDOWS\system32\SYSTOOLS.DLL
2007-08-01 22:14 <DIR> d-------- D:\Program Files\Panda Software
2007-08-01 22:13 31,104 --a------ D:\WINDOWS\system32\drivers\ShlDrv51.sys
2007-08-01 22:13 170,800 --a------ D:\WINDOWS\system32\drivers\PavProc.sys
2007-08-01 22:13 <DIR> d-------- D:\Program Files\Common Files\Panda Software
2007-08-01 22:06 <DIR> d-------- D:\Program Files\Gadu-Gadu
2007-08-01 22:06 <DIR> d-------- D:\DOCUME~1\lolek81\Gadu-Gadu
2007-08-01 21:07 82,944 --a------ D:\WINDOWS\system32\drivers\wdmaud.sys
2007-08-01 21:07 7,552 --a------ D:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-08-01 21:07 60,800 --a------ D:\WINDOWS\system32\drivers\sysaudio.sys
2007-08-01 21:07 6,400 --a------ D:\WINDOWS\system32\drivers\splitter.sys
2007-08-01 21:07 54,272 --a------ D:\WINDOWS\system32\drivers\swmidi.sys
2007-08-01 21:07 52,864 --a------ D:\WINDOWS\system32\drivers\DMusic.sys
2007-08-01 21:07 5,376 --a------ D:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-08-01 21:07 4,992 --a------ D:\WINDOWS\system32\drivers\MSPQM.sys
2007-08-01 21:07 3,072 --a------ D:\WINDOWS\system32\drivers\audstub.sys
2007-08-01 21:07 2,944 --a------ D:\WINDOWS\system32\drivers\drmkaud.sys
2007-08-01 21:07 171,776 --a------ D:\WINDOWS\system32\drivers\kmixer.sys
2007-08-01 21:07 142,464 --a------ D:\WINDOWS\system32\drivers\aec.sys
2007-08-01 21:06 96,256 --a------ D:\WINDOWS\system32\drivers\ac97intc.sys
2007-08-01 21:06 9,344 --a------ D:\WINDOWS\system32\drivers\compbatt.sys
2007-08-01 21:06 873,984 --a------ D:\WINDOWS\system32\drivers\ati2mtag.sys
2007-08-01 21:06 870,784 --a------ D:\WINDOWS\system32\ati3d1ag.dll
2007-08-01 21:06 77,312 --a------ D:\WINDOWS\system32\usbui.dll
2007-08-01 21:06 66,591 --a------ D:\WINDOWS\system32\drivers\el90xbc5.sys
2007-08-01 21:06 60,288 --a------ D:\WINDOWS\system32\drivers\drmk.sys
2007-08-01 21:06 58,624 --a------ D:\WINDOWS\system32\drivers\redbook.sys
2007-08-01 21:06 434,496 --a------ D:\WINDOWS\system32\ativvaxx.dll
2007-08-01 21:06 42,368 --a------ D:\WINDOWS\system32\drivers\AGP440.SYS
2007-08-01 21:06 4,096 --a------ D:\WINDOWS\system32\ksuser.dll
2007-08-01 21:06 249,856 --a------ D:\WINDOWS\system32\ati2cqag.dll
2007-08-01 21:06 221,184 --a------ D:\WINDOWS\system32\ati2dvag.dll
2007-08-01 21:06 2,305,984 --a------ D:\WINDOWS\system32\ati3duag.dll
2007-08-01 21:06 145,792 --a------ D:\WINDOWS\system32\drivers\portcls.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-05 17:43 285812 --a------ D:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2007-08-05 17:43 1204 --a------ D:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2007-08-05 17:43 1204 --a------ D:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-08-03 00:46 74648 --a------ D:\WINDOWS\system32\perfc015.dat
2007-08-03 00:46 448586 --a------ D:\WINDOWS\system32\perfh015.dat
--------- D:\Program Files\Usługi online
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10]
"APVXDWIN"="D:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.exe" [2007-03-30 15:52]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44]
"Gadu-Gadu"="D:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
"Tweak-XP Pro"="D:\Program Files\Tweak-XP Pro 4\autostart.exe" [2004-09-28 04:00]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2007-08-01 22:21]
"uTorrent"="D:\Program Files\uTorrent\uTorrent.exe" [2007-08-02 16:54]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 00:29]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 D:\WINDOWS\system32\avldr.dll
R1 APPFLT;App Filter Plugin;\??\D:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\D:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\D:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\D:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\D:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;\??\D:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
R1 SMSFLT;SMS Filter Plugin;\??\D:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\D:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;D:\WINDOWS\system32\Drivers\cpoint.sys
R2 PAVDRV;pavdrv;D:\WINDOWS\system32\DRIVERS\pavdrv51.sys
R2 PavProc;Panda Process Protection Driver;\??\D:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;D:\WINDOWS\system32\DRIVERS\netimflt.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10abb9c1-4060-11dc-b4cf-806d6172696f}]
AutoRun\command- J:\autorun.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-05 17:52:06
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-05 17:52:56
D:\ComboFix-quarantined-files.txt ... 2007-08-05 17:52
--- E O F ---
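As an added example (not part of the original post, and not output of HijackThis, Silent Runners or ComboFix), the script below reads HijackThis-style log lines and flags the entries a reviewer would look at first: O4 autostart values that launch a script file, use a double extension, or sit directly in the Windows directory; an R1 line that overrides the Internet Explorer window title; and O20 Winlogon Notify DLLs, which load into winlogon.exe and whose publisher should be verified before anything is "fixed". The heuristics are the editor's own, the sample lines are copied from the HijackThis log above, and the script only reports; it changes nothing on the machine.

```python
"""Triage helper for HijackThis-style log lines (added example, not tool output)."""
import re

# Lines copied verbatim from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [MS32DLL] D:\WINDOWS\MS32DLL.dll.vbs
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O20 - Winlogon Notify: avldr - D:\WINDOWS\SYSTEM32\avldr.dll
"""

# Extensions that end a token (followed by whitespace, a quote, or end of line).
EXT_RE = re.compile(r'\.(exe|dll|vbs|vbe|js|jse|wsf|wsh|hta|bat|cmd|scr|pif|com)(?=\s|$|")',
                    re.IGNORECASE)
# Extensions handled by a script host rather than loaded as a PE image.
SCRIPT_EXTS = {'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'hta', 'bat', 'cmd'}

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')


def image_path(cmd):
    """Return the launched file's path from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # HijackThis prints unquoted paths verbatim, spaces included, so cut at the
    # last recognised extension that ends a token instead of at the first space.
    last = None
    for m in EXT_RE.finditer(cmd):
        last = m
    return cmd[:last.end()] if last else cmd.split(' ', 1)[0]


def assess_run_entry(cmd):
    """Return (path, reasons) for one O4 autostart value; empty reasons = nothing odd."""
    path = image_path(cmd)
    filename = path.rsplit('\\', 1)[-1]
    exts = filename.lower().split('.')[1:]
    reasons = []
    if exts and exts[-1] in SCRIPT_EXTS:
        reasons.append(f'script file (.{exts[-1]}) started at logon')
    if len(exts) > 1:
        reasons.append('double extension .' + '.'.join(exts))
    parent = path.rsplit('\\', 1)[0].lower() if '\\' in path else ''
    if parent.endswith('\\windows'):
        reasons.append('file placed directly in the Windows directory')
    return path, reasons


def triage(log_text):
    """Parse HijackThis lines and return a list of findings worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O4_RE.match(line)
        if m:
            path, reasons = assess_run_entry(m['cmd'])
            if reasons:
                findings.append({'line': line,
                                 'item': f"{m['hive']} Run [{m['name']}] -> {path}",
                                 'reasons': reasons})
            continue
        m = R_RE.match(line)
        if m and m['value'].strip() == 'Window Title' and m['data'].strip():
            findings.append({'line': line,
                             'item': f"IE window title = {m['data'].strip()!r}",
                             'reasons': ['Internet Explorer title bar text has been overridden']})
            continue
        m = O20_RE.match(line)
        if m:
            findings.append({'line': line,
                             'item': f"Winlogon Notify {m['name']} -> {m['path']}",
                             'reasons': ['loads into winlogon.exe; verify the publisher before fixing']})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f['item'])
        for r in f['reasons']:
            print('   -', r)
```

Run against the log above, the script flags the MS32DLL value (script extension, double extension, file in the Windows root), the "Hacked by Godzilla" window title, and the avldr Winlogon Notify entry; ATIPTA and Gadu-Gadu pass. Note that the Silent Runners output in the same post attributes avldr.dll to Panda Software International, which is exactly the kind of publisher check the O20 finding asks for before touching it.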