log z hijackthis pod kątem wyskakujących reklam

[Melonix]

Mój główny problem to wyskakujące okienka z różnymi reklamami ale coś czuję, że mogę też mieć sporo innego syfu. To "coś" na kompie jest tak sprytne, że chwilę po uruchomieniu samemu zamyka hijackthis i podobne programy ale za którymś razem zanim mi zamnkęło zdążyłem przeskanować kompa i oto wyniki:

Kod: Zaznacz wszystko

Logfile of HijackThis v1.99.1
Scan saved at 19:28:02, on 2007-08-11
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\usr\apache2\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\bgsvcgen.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\siriex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\usr\apache2\Apache2\bin\Apache.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\FNTS~1\rundll.exe
C:\Documents and Settings\Administrator\Moje dokumenty\s?curity\winlogon.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\STK014\STK014M.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\OE-QuoteFix\oequotefix.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Pulpit\Anti Spyware - różne progsy\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allegro.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.icm.edu.pl :8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F3 - REG:win.ini: run=hpfsched
O2 - BHO: CometCursor Class - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - C:\WINDOWS\System32\COMET.DLL
O2 - BHO: (no name) - {361817A9-DC60-80E5-1C12-F98DCC5085EB} - C:\WINDOWS\System32\dlmwz.dll (file missing)
O2 - BHO: (no name) - {4AFCABBB-3D5D-39DC-2174-3BB67E3DF1CB} - C:\WINDOWS\System32\xton.dll
O2 - BHO: Lch - {5A3700EE-5330-4DE3-A9B6-D9B56E9791F6} - C:\WINDOWS\System32\lch.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll
O2 - BHO: (no name) - {962E1A4D-D8D2-8B50-8806-8AADACBB72B6} - C:\WINDOWS\System32\grm.dll (file missing)
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100407} - C:\WINDOWS\System32\d4xofa.dll
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100408} - C:\WINDOWS\System32\d3dxim.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [shell32] C:\WINDOWS\System32\wuauclt10.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\smmss.exe
O4 - HKLM\..\Run: [Windows update] C:\WINDOWS\System32\wudupdate.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ScanRegistry] E:\INSTALKI CD3\Lektury na CD\Dane\Z\10\W
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\siriex.exe
O4 - HKLM\..\Run: [iPlusManager] C:\Program Files\iPlus\iPlusChecker.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Crrw] "C:\WINDOWS\FNTS~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Spba] "C:\Documents and Settings\Administrator\Moje dokumenty\s?curity\winlogon.exe"
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
O4 - Global Startup: STK014 PNP Monitor.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.gateone.ath.cx
O15 - Trusted Zone: *.loudcash.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.zangocash.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.gateone.ath.cx (HKLM)
O15 - Trusted Zone: *.loudcash.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.zangocash.com (HKLM)
O20 - Winlogon Notify: afcabbdeeedeba - C:\WINDOWS\System32\afcabbdeeedeba.dll
O20 - Winlogon Notify: ddceafddacbda - C:\WINDOWS\System32\ddceafddacbda.dll
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O20 - Winlogon Notify: wudb - C:\WINDOWS\System32\wudb.dll
O23 - Service: Apache2 - Unknown owner - C:\usr\apache2\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\System32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RadClock - Unknown owner - C:\Program Files\RadLinker\RadClock.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe




[Dzi@dek]

Masz syfu co nie miara.
Uruchom kompa w trybie awaryjnym po wyłączeniu przywracania systemu.
Użyj narzędzia http://siri.urz.free.fr/Fix/SmitfraudFix.zip w/g tego opisu:
http://www.forum.programosy.pl/trudne-przypadki-i-metody-usuwania-vp319542.html?highlight=#319542

Usuwasz wpisy w hijackthis ( V - zaznaczasz ) później pliki pogrubione ręcznie usuwasz z dysku.

C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\siriex.exe
C:\Documents and Settings\Administrator\Moje dokumenty\s?curity\winlogon.exe
F3 - REG:win.ini: run=hpfsched
O2 - BHO: CometCursor Class - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - C:\WINDOWS\System32\COMET.DLL
O2 - BHO: (no name) - {361817A9-DC60-80E5-1C12-F98DCC5085EB} - C:\WINDOWS\System32\dlmwz.dll (file missing)
O2 - BHO: (no name) - {4AFCABBB-3D5D-39DC-2174-3BB67E3DF1CB} - C:\WINDOWS\System32\xton.dll
O2 - BHO: Lch - {5A3700EE-5330-4DE3-A9B6-D9B56E9791F6} - C:\WINDOWS\System32\lch.dll
O2 - BHO: (no name) - {962E1A4D-D8D2-8B50-8806-8AADACBB72B6} - C:\WINDOWS\System32\grm.dll (file missing)
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100407} - C:\WINDOWS\System32\d4xofa.dll
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100408} - C:\WINDOWS\System32\d3dxim.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [shell32] C:\WINDOWS\System32\wuauclt10.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\smmss.exe
O4 - HKLM\..\Run: [Windows update] C:\WINDOWS\System32\wudupdate.exe
O4 - HKLM\..\Run: [ScanRegistry] E:\INSTALKI CD3\Lektury na CD\Dane\Z\10\W
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\siriex.exe
O4 - HKCU\..\Run: [Crrw] "C:\WINDOWS\FNTS~1\rundll.exe" -vt yazb
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O15 - Trusted Zone: *.gateone.ath.cx
O15 - Trusted Zone: *.loudcash.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.zangocash.com
O15 - Trusted Zone: *.gateone.ath.cx (HKLM)
O15 - Trusted Zone: *.loudcash.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.zangocash.com (HKLM)
O20 - Winlogon Notify: afcabbdeeedeba - C:\WINDOWS\System32\afcabbdeeedeba.dll
O20 - Winlogon Notify: ddceafddacbda - C:\WINDOWS\System32\ddceafddacbda.dll
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O20 - Winlogon Notify: wudb - C:\WINDOWS\System32\wudb.dll

[Melonix]

Wyłączyłem przywracanie systemu i zgodnie z instrukcjami (w trybie awaryjnym oczywiście) użyłem SmitFraudFix. Niestety jakieś cenzura (za przeproszeniem) nawet po tym zabiegu wyłącza mi hijackthis parę sekund po uruchomieniu i nie jestem w stanie usunąć wpisów

Raport z SmitFraudFix:

Kod: Zaznacz wszystko


SmitFraudFix v2.210

Scan done at 22:32:40,57, 2007-08-11
Run from C:\Documents and Settings\Administrator\Pulpit\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D1159422-16E3-462F-A93D-FB718E100407}"="za"

[HKEY_CLASSES_ROOT\CLSID\{D1159422-16E3-462F-A93D-FB718E100407}\InProcServer32]
@="C:\WINDOWS\System32\d4xofa.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D1159422-16E3-462F-A93D-FB718E100407}\InProcServer32]
@="C:\WINDOWS\System32\d4xofa.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D1159422-16E3-462F-A93D-FB718E100408}"="za"

[HKEY_CLASSES_ROOT\CLSID\{D1159422-16E3-462F-A93D-FB718E100408}\InProcServer32]
@="C:\WINDOWS\System32\d3dxim.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D1159422-16E3-462F-A93D-FB718E100408}\InProcServer32]
@="C:\WINDOWS\System32\d3dxim.dll"


Killing process


hosts

127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{17F80A80-5053-4BEE-8092-D9DFE76657FA}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{190841B9-4B13-49A7-844B-E4B77DE8BA47}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C721ACEC-A3B9-4554-81CF-D98AB5EB1D3C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{17F80A80-5053-4BEE-8092-D9DFE76657FA}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{190841B9-4B13-49A7-844B-E4B77DE8BA47}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C721ACEC-A3B9-4554-81CF-D98AB5EB1D3C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{17F80A80-5053-4BEE-8092-D9DFE76657FA}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{190841B9-4B13-49A7-844B-E4B77DE8BA47}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C721ACEC-A3B9-4554-81CF-D98AB5EB1D3C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D1159422-16E3-462F-A93D-FB718E100407}"="za"

[HKEY_CLASSES_ROOT\CLSID\{D1159422-16E3-462F-A93D-FB718E100407}\InProcServer32]
@="C:\WINDOWS\System32\d4xofa.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D1159422-16E3-462F-A93D-FB718E100407}\InProcServer32]
@="C:\WINDOWS\System32\d4xofa.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D1159422-16E3-462F-A93D-FB718E100408}"="za"

[HKEY_CLASSES_ROOT\CLSID\{D1159422-16E3-462F-A93D-FB718E100408}\InProcServer32]
@="C:\WINDOWS\System32\d3dxim.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D1159422-16E3-462F-A93D-FB718E100408}\InProcServer32]
@="C:\WINDOWS\System32\d3dxim.dll"

End




[Dzi@dek]

Spróbuj użyć
tego hijackthis

[Melonix]

Niestety również ta wersja programu jest wyłączana zaraz po uruchomieniu

[CatchMe]

Kongo...

1. Do zastosowania na początek WWDC i SeconfigXP.
2. Użyć w trybie awaryjnym z opcji 2 SmitFraudFix.
3. Użyć również w T.A - SDFix.
4. Użyć ComboFix.
5. Wkleić komplet logów: HijackThis + ComboFix + Silent Runners.