don't download cracks from suspicious sources
#3
Thanks for the help :wink:
I cleaned the registry with SmitFraudFix, but that isaddon entry with "file missing" was still in HijackThis, so I removed it. To be safe I also ran AVG Anti-Spyware 7.5 (the Ewido one); it found some DLLs and removed them.

Everything is fine now; I'm posting the logs just to be sure...

HijackThis first!
Quote: Logfile of HijackThis v1.99.1
Scan saved at 12:45:47, on 2006-11-08
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Icecast2 Win32\icecastService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Mozilla Firefox 2 Beta 2\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\NOTEPAD.EXE
c:\Hijack\HijackThis.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] D:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - C:\Program Files\Icecast2 Win32\icecastService.exe" "C:\Program Files\Icecast2 Win32 (file missing)
O23 - Service: NBService - Nero AG - D:\Ahead Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


Now Silent Runners 8)
Quote: "Silent Runners.vbs", revision 49,

Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AtiTrayTools" = ""C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"" ["Ray Adams"]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"WhatPulse" = "C:\Program Files\WhatPulse\WhatPulse.exe" ["WhatPulse.org"]
"AnyDVD" = "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" ["SlySoft, Inc."]
"C:\Program Files\NetMeter\NetMeter.exe" = "C:\Program Files\NetMeter\NetMeter.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"LogonStudio" = ""C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM" ["Stardock and Luca Saggese"]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"RemoteControl" = "D:\PowerDVD\PDVDServ.exe" ["Cyberlink Corp."]
"BootSkin Startup Jobs" = ""C:\PROGRA~1\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs" [empty string]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{36518101-49AC-42CB-8E4C-40C1F328A565}" = "Rad2 Extension"
-> {HKLM...CLSID} = "RadPropExt2 Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Rad.dll" [empty string]
"{5380C14E-C0A1-4D66-87DB-5995E6FF4623}" = "Rad Extension"
-> {HKLM...CLSID} = "RadPropExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Rad.dll" [empty string]
"{75B8D633-9021-442C-9EA4-FF4BE72CE20F}" = "NRad2 Extension"
-> {HKLM...CLSID} = "NRadExt2 Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NRad.dll" ["ChrisW"]
"{C6844A1E-2C59-415A-84B3-C6A458372779}" = "RadType Extension"
-> {HKLM...CLSID} = "RadTypeExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\RadType.dll" [empty string]
"{D00900BC-23F7-4FD6-BFA2-8232112C5C49}" = "NRad Extension"
-> {HKLM...CLSID} = "NRadExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NRad.dll" ["ChrisW"]
"{D2FD83AE-994A-4D4B-9097-2C9E11ED85F0}" = "RadClkr Extension"
-> {HKLM...CLSID} = "RadClkRExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\RadClkR.dll" [empty string]
"{7700EB62-DB7C-47AF-A092-04376CA1D24C}" = "RadMnu Extension"
-> {HKLM...CLSID} = "RadMnuExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\RadMnu.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\SHDOCVW.DLL" [MS]
"{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}" = "Notepad++ Shell Extension"
-> {HKLM...CLSID} = "Notepad++ Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Notepad++\nppshellext.dll" ["Notepad++ team"]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"
-> {HKLM...CLSID} = "JetFlExt"
\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{35B2861B-2B26-4691-9FF0-09083722C736}" = "RadExe Extension"
-> {HKLM...CLSID} = "RadExeExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\RadExe.dll" [empty string]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
NppShellExt\(Default) = "{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}"
-> {HKLM...CLSID} = "Notepad++ Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Notepad++\nppshellext.dll" ["Notepad++ team"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt"
\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
NppShellExt\(Default) = "{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}"
-> {HKLM...CLSID} = "Notepad++ Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Notepad++\nppshellext.dll" ["Notepad++ team"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt"
\InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSMBalloonTip" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"CDRAutoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"MemCheckBoxInRunDlg" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoAutoTrayNotify" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoResolveTrack" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoStartBanner" = (REG_BINARY) hex:01 00 00 00
{Remove "Click here to begin" from Start button}

"NoWelcomeScreen" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRecentDocsNetHood" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoSharedDocuments" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Remove Shared Documents from My Computer}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoStrCmpLogical" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoUpdateCheck" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"RunStartupScriptSync" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"SynchronousMachineGroupPolicy" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"SynchronousUserGroupPolicy" = (REG_DWORD) hex:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
Icecast Media Server, Icecast, ""C:\Program Files\Icecast2 Win32\icecastService.exe" "C:\Program Files\Icecast2 Win32"" [null data]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 124 seconds, including 8 seconds for message boxes)


And the SmitFraudFix one
Quote: SmitFraudFix v2.119

Scan done at 12:49:40,66, 2006-11-08
Run from c:\Hijack\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]- Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michal


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michal\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Michal\Ulubione


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
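The thread triages the O4 and O23 lines above by eye. As an added example (written for this page; not code from HijackThis, SmitFraudFix or the poster), here is the same triage in Python: it parses HijackThis v1.99 O4 (Run key) and O23 (service) lines and flags three things worth a second look: an entry launched from a user-writable location (profile, Temp, drive root), a service whose binary carries no company name ("Unknown owner"), and a "(file missing)" verdict. The rules, the USER_WRITABLE list and the extra O4 line pointing into the user's Temp folder are my assumptions and constructed input; the other sample lines are copied from the log above. One caveat the code encodes: HijackThis 1.99 reports "(file missing)" on an O23 line whenever it cannot resolve the ImagePath, which happens when the path carries arguments or stray quotes, as with the Icecast and rpcapd services here, so check on disk before deleting such a service.

```python
"""Triage HijackThis v1.99.x O4 (Run keys) and O23 (services) lines.

Added example for this thread; not code from HijackThis or from the
original post. The rules are assumptions about what deserves a second
look. They rank entries; they do not prove infection.
"""
import re

# O4 - HKLM\..\Run: [ValueName] "C:\path\prog.exe" /args
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]{2})\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# O23 - Service: Display name - Company or "Unknown owner" - ImagePath
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# First executable of a command line: a quoted path, or an unquoted path up to the first .exe
EXE_RE = re.compile(r'^\s*(?P<exe>"[^"]+"|.*?\.exe)', re.IGNORECASE)

# Locations a user (or a dropper running as that user) can write to; assumption for XP.
USER_WRITABLE = (
    'c:\\documents and settings\\',
    'c:\\docume~1\\',
    'c:\\windows\\temp\\',
)


def split_exe(cmd):
    """Return (executable path without quotes, remaining argument text)."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.strip(), ''
    exe = m.group('exe').strip().strip('"')
    return exe, cmd[m.end():].strip()


def _path_reasons(exe, tail):
    reasons = []
    low = exe.lower()
    if low.startswith(USER_WRITABLE) or low.count('\\') == 1:
        # Profile, Temp or the drive root: where droppers usually land.
        reasons.append('runs from a user-writable location')
    if tail.endswith('(file missing)'):
        args = tail[:-len('(file missing)')].strip()
        if args:
            # HijackThis 1.99 cannot resolve an ImagePath that carries arguments
            # or stray quotes and reports it as missing anyway.
            reasons.append('file missing (unparsed arguments: %r; verify on disk)' % args)
        else:
            reasons.append('file missing')
    return reasons


def triage(lines):
    """Return one dict per O4/O23 line that trips at least one rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            exe, tail = split_exe(m.group('path'))
            reasons = _path_reasons(exe, tail)
            if m.group('owner') == 'Unknown owner':
                reasons.append('binary carries no company/version info')
            name = m.group('display')
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            exe, tail = split_exe(m.group('cmd'))
            reasons = _path_reasons(exe, tail)
            name = m.group('name')
        if reasons:
            findings.append({'kind': line[:3], 'name': name, 'exe': exe, 'reasons': reasons})
    return findings


# Lines copied from the log above, plus one constructed O4 entry in the user's
# Temp folder (hypothetical) to show the user-writable rule firing.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Michal\Ustawienia lokalne\Temp\svhost.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - C:\Program Files\Icecast2 Win32\icecastService.exe" "C:\Program Files\Icecast2 Win32 (file missing)
O23 - Service: NBService - Nero AG - D:\Ahead Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
""".strip().splitlines()

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('%s %-50s %s' % (f['kind'], f['name'], '; '.join(f['reasons'])))
```

Run as a script it prints one line per flagged entry: the constructed Temp entry, ATI Smart, Icecast and rpcapd; the AVG and Nero lines pass. To use it on a real log, read the file and pass its lines to triage(). "Unknown owner" only means the binary has no company name in its version resource, so the next step for those hits is a signature or hash check of the file, not deletion.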


Messages in this thread
Re: don't download cracks from suspicious sources - by mi33 - 08.11.2006, 12:49
