Hajasz
(Hajasz)
23 Listopad 2007 18:02
#1
Witam !
To mój pierwszy post i mam nadzieję, że nie dam gafy. Wszystko co niezbędne przeczytałem i mam taki problem. NOD32 wykrywa mi jakiś syf Win32/Adware Virtumonde Program, który jest plikiem xxyxxus.dll i siedzi w windows/system32. Próby usunięcia nic nie dają ponieważ po uruchomieniu kompa problem powraca. Zrobiłem loga w najnowszym HiJack oto on
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:48:28, on 2007-11-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [iSUSPM] “C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe” -scheduler O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [startCCC] “C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonlreg/component/INGOnl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows … 9360280734 O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe – End of file - 5500 bytes
Bardzo proszę o pomoc w usunięciu tego syfu.
Pozdrawiam
W logach nic nie ma podejrzanego. Przeskanuj jeszcze komputer programem Spybot Search&Destroy.
Leon1
(Leon$)
23 Listopad 2007 19:03
#3
Log czysty pobierz Combofix przeskanuj nim system daj log na forum.
Hajasz
(Hajasz)
24 Listopad 2007 19:45
#4
Witam ponownie.
Spybot oczywiście wykrył ten syf i niby go usunął ale widzę, że nadal jest.
Znalazłem w rejestrze dwa wpisy odpowiedzialne za ten plik.
Oto one:
Co do propozycji combofix próbowałem ale chyba coś źle robię bo nie wyszedł mi log a program zaliczył zwis pomimo, że wszystko było wyłączone. Oprócz tego pozmieniał mi ustawienia, które trzymal xp-antyspy oraz wyłączył autoodtwarzanie cd, którego teraz nie mogę przyrócić.
LostWorld
(LostWorld)
24 Listopad 2007 20:08
#5
VundoFix powinien skasować ten plik :
Użyj w trybie awaryjnym VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone .
Hajasz:
Co do propozycji combofix próbowałem ale chyba coś źle robię bo nie wyszedł mi log a program zaliczył zwis pomimo, że wszystko było wyłączone. Oprócz tego pozmieniał mi ustawienia, które trzymal xp-antyspy oraz wyłączył autoodtwarzanie cd, którego teraz nie mogę przyrócić.
Opis Combofix - przyklejony dział.
Hajasz
(Hajasz)
24 Listopad 2007 20:19
#6
Witam !
Oto log z Silent Runner.
“Silent Runners.vbs”, revision 52, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “swg” = “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [“Google Inc.”] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “ISUSPM” = ““C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe” -scheduler” [“Macrovision Corporation”] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "] “StartCCC” = ““C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe”” [null data] “Adobe Reader Speed Launcher” = ““C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {2C80EAD3-74CD-4700-83A4-AA878CD1C03C}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\xxyxxus.dll” [null data] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}(Default) = “flashget urlcatch” -> {HKLM…CLSID} = “FGCatchUrl” \InProcServer32(Default) = “C:\Program Files\FlashGet\jccatch.dll” [“www.flashget.com ”] {3F59A278-4182-435E-B837-FE64558128DD}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\vturr.dll” [null data] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = “Spybot-S&D IE Protection” \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll” [“Sun Microsystems, Inc.”] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Notifier BHO” \InProcServer32(Default) = “C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll” [“Google Inc.”] {F156768E-81EF-470C-9057-481BA8380DBA}(Default) = (no title provided) -> {HKLM…CLSID} = “FlashGet GetFlash Class” \InProcServer32(Default) = “C:\Program Files\FlashGet\getflash.dll” [“www.flashget.com ”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{AD392E40-428C-459F-961E-9B147782D099}” = “UltraISO” -> {HKLM…CLSID} = “UIContextMenu Class” \InProcServer32(Default) = “C:\Program Files\UltraISO\isoshell.dll” [“EZB Systems, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office12\msohevi.dll” [MS] “{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler” -> {HKLM…CLSID} = “Microsoft Office Metadata Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler” -> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{00020000-0000-1011-8004-0000C06B5161}” = “WIBU-SYSTEMS Shell Extension” -> {HKLM…CLSID} = “WIBU-SYSTEMS Shell Extension” \InProcServer32(Default) = “C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll” [“WIBU-SYSTEMS AG”] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” = “TuneUp Shredder Shell Extension” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll” [“TuneUp Software GmbH”] “{44440D00-FF19-4AFC-B765-9A0970567D97}” = “TuneUp Theme Extension” -> {HKLM…CLSID} = “TuneUp Theme Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\uxtuneup.dll” [“TuneUp Software GmbH”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll” [empty string] “{CC1E0C36-712E-46CE-A390-1F66F5094335}” = “BurstCopy” -> {HKLM…CLSID} = “BurstCopy” \InProcServer32(Default) = “C:\Program Files\BurstCopy\bcsh.dll” [“BurstCopy Labs”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}” = “*g” (unwritable string) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\xxyxxus.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” -> {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> winrzf32\DLLName = “winrzf32.dll” [file not found] <> xxyxxus\DLLName = “xxyxxus.dll” [null data] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {00020000-0000-1011-8004-0000C06B5161}(Default) = (no title provided) -> {HKLM…CLSID} = “WIBU-SYSTEMS Shell Extension” \InProcServer32(Default) = “C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll” [“WIBU-SYSTEMS AG”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] TuneUp Shredder Shell Extension(Default) = “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll” [“TuneUp Software GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ TuneUp Shredder Shell Extension(Default) = “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll” [“TuneUp Software GmbH”] UltraISO(Default) = “{AD392E40-428C-459F-961E-9B147782D099}” -> {HKLM…CLSID} = “UIContextMenu Class” \InProcServer32(Default) = “C:\Program Files\UltraISO\isoshell.dll” [“EZB Systems, Inc.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ BurstCopy(Default) = “{CC1E0C36-712E-46CE-A390-1F66F5094335}” -> {HKLM…CLSID} = “BurstCopy” \InProcServer32(Default) = “C:\Program Files\BurstCopy\bcsh.dll” [“BurstCopy Labs”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] UltraISO(Default) = “{AD392E40-428C-459F-961E-9B147782D099}” -> {HKLM…CLSID} = “UIContextMenu Class” \InProcServer32(Default) = “C:\Program Files\UltraISO\isoshell.dll” [“EZB Systems, Inc.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRar\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Krzysztof Pietruszka\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp” Enabled Scheduled Tasks: ------------------------ “1-Click Maintenance” -> launches: “C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart” [“TuneUp Software GmbH”] “AppleSoftwareUpdate” -> launches: “C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task” [“Apple Computer, Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 19 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Poszukaj” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_03” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_03” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Research” {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “FlashGet” “Exec” = “C:\Program Files\FlashGet\FlashGet.exe” [“FlashGet.com ”] {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ “MenuText” = “Spybot - Search & Destroy Configuration” “CLSIDExtension” = “{53707962-6F74-2D53-2644-206D7942484F}” -> {HKLM…CLSID} = “Spybot-S&D IE Protection” \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ <> “TuneUp” = “file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] IviRegMgr, IviRegMgr, “C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe” [“InterVideo”] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] TuneUp Theme Extension, UxTuneUp, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\uxtuneup.dll” [“TuneUp Software GmbH”]} Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzlnt04\Driver = “hpzlnt04.dll” [“HP”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- (launch time: 2007-11-24 21:15:26) <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point.
Lost World czy te programy używa się razem czy pokoleii ?
LostWorld
(LostWorld)
24 Listopad 2007 20:30
#7
Po kolei.
W awaryjnym i wklej raport.I log z Combofix , ponieważ ma on w sobie automat usuwania , co znacznie ułatwia pracę.
Hajasz
(Hajasz)
24 Listopad 2007 21:15
#8
Lost World jeszcze jedno pytanie. Czy te programy to uruchamiane są prosto ze stron czy trzeba je sciągnąć ?
LostWorld
(LostWorld)
24 Listopad 2007 22:10
#9
Tak , trzeba pobrać prosto ze strony.Już dałem odnośnik w nazwie programu.
Hajasz
(Hajasz)
25 Listopad 2007 13:14
#10
Dzięki za pomoc. Usunąłem syf.
Chyba się za szybko ucieszyłem
Co prawda tamten syf został usunięty ale teraz chyba jeszcze coś siedzi ponieważ co jakiś czas znikają mi wszystkie ikony z pulpitu i pasek na dale by za chwilę się pojawić.
Jakieś sugestie co to może być ?
Gutek
(Gutek)
25 Listopad 2007 21:54
#13
Wklej do Notatnika:
>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )
– podobnie jak na tym obrazku –>
(jeśli pojawi się pytanie " 1 or 2 " - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)
Po restarcie usuń ręcznie folder C: * * Qoobox**.
Po tym nowy log z Combo, ale jeszcze przed logiem:
Wklej do Notatnika:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
Z menu Notatnika Plik Zapisz jako Ustaw rozszerzenie na “Wszystkie pliki” Zapisz jako FIX.REG uruchom ten plik (dwuklik) .
Pobierz program SDFix
Hajasz
(Hajasz)
25 Listopad 2007 23:28
#14
Gutek2222 jedno pytanie aby sie upewnić.
Powstaje nowy log po nałożeniu tego pliku na combofix.
Restart i usuwanie tego katalogu.
I teraz nowy log z combo (chodzi o ten co powstał po nakładce tego pliku czy mam utworzyc zupełnie nowy) ?
LostWorld
(LostWorld)
26 Listopad 2007 15:12
#15
Ten zupełnie nowy i raport z SDfix.
Hajasz
(Hajasz)
26 Listopad 2007 19:55
#16
Oto log z combo i raport z sdfix po w/w operacjach.
Log z combo:
ComboFix 07-11-19.3 - Krzysztof Pietruszka 2007-11-26 20:39:01.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.642 [GMT 1:00] Running from: D:\Programy\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 ))))))))))))))))))))))))))))))) . 2007-11-25 01:11 2007-11-23 23:35 2007-11-23 00:22 2007-11-21 20:19 2007-11-19 20:22 2007-11-18 18:57 2007-11-11 00:49 584,192 -----c— C:\WINDOWS\system32\dllcache\rpcrt4.dll 2007-11-10 01:03 2007-11-10 01:03 2007-10-31 22:14 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-26 18:03 --------- d-----w C:\Program Files\Your Uninstaller 2006 2007-11-26 19:30 --------- d-----w C:\Documents and Settings\Krzysztof Pietruszka\Dane aplikacji\uTorrent 2007-11-26 19:20 --------- d-----w C:\Program Files\FlashGet 2007-11-25 23:16 --------- d-----w C:\Program Files\NAPI-PROJEKT 2007-11-25 23:10 --------- d-----w C:\Program Files\Feurio 2007-11-25 14:43 --------- d—a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP 2007-11-25 00:19 --------- d-----w C:\Documents and Settings\Krzysztof Pietruszka\Dane aplikacji\CDRoller 2007-11-23 18:38 --------- d-----w C:\Program Files\Foobar2000 2007-11-22 23:09 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2007-11-22 21:20 --------- d-----w C:\Program Files\Windows Media Connect 2 2007-11-22 18:12 --------- d-----w C:\Program Files\SkanerOnline 2007-11-10 23:59 --------- d-----w C:\Program Files\Gadu-Gadu 2007-11-10 23:56 --------- d-----w C:\Program Files\TuneUp Utilities 2007 2007-10-23 20:16 --------- d-----w C:\Program Files\Jufsoft 2007-10-23 18:46 --------- d-----w C:\Program Files\Smart Projects 2007-10-22 18:43 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-10-22 18:43 --------- d-----w C:\Program Files\Ontrack 2007-10-21 16:43 --------- d-----w C:\Program Files\CDRoller 2007-10-19 19:49 --------- d-----w C:\Program Files\hp deskjet 930c series 2007-10-19 19:48 --------- d-----w C:\Program Files\Hewlett-Packard 2007-10-18 17:18 --------- d-----w C:\Program Files\Java 2007-10-12 22:24 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ATI 2007-10-12 22:22 --------- d-----w C:\Program Files\ATI Technologies 2007-10-10 21:43 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2007-10-10 21:43 286,720 ------w C:\WINDOWS\Setup1.exe 2007-10-09 17:43 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys 2007-10-09 17:43 298,104 ----a-w C:\WINDOWS\system32\imon.dll 2007-10-09 17:43 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys 2007-09-29 05:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp 2007-09-29 03:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll 2007-09-29 03:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll 2007-09-29 03:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll 2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys 2007-09-29 02:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll 2007-09-29 02:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe 2007-09-29 02:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll 2007-09-29 02:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll 2007-09-29 02:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll 2007-09-29 02:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe 2007-09-29 02:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL 2007-09-29 02:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll 2007-09-29 02:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll 2007-09-29 02:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll 2007-09-29 02:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll 2007-09-29 02:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll 2007-09-29 02:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll 2007-09-29 02:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll 2007-09-29 02:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll 2007-09-29 02:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll 2007-09-28 19:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe 2007-04-06 23:37 92,064 ----a-w C:\Documents and Settings\Krzysztof Pietruszka\mqdmmdm.sys 2007-04-06 23:37 9,232 ----a-w C:\Documents and Settings\Krzysztof Pietruszka\mqdmmdfl.sys 2007-04-06 23:37 79,328 ----a-w C:\Documents and Settings\Krzysztof Pietruszka\mqdmserd.sys 2007-04-06 23:37 66,656 ----a-w C:\Documents and Settings\Krzysztof Pietruszka\mqdmbus.sys 2007-04-06 23:37 6,208 ----a-w C:\Documents and Settings\Krzysztof Pietruszka\mqdmcmnt.sys 2007-04-06 23:37 5,936 ----a-w C:\Documents and Settings\Krzysztof Pietruszka\mqdmwhnt.sys 2007-04-06 23:37 4,048 ----a-w C:\Documents and Settings\Krzysztof Pietruszka\mqdmcr.sys 2007-04-06 23:37 25,600 ----a-w C:\Documents and Settings\Krzysztof Pietruszka\usbsermptxp.sys 2007-04-06 23:37 22,768 ----a-w C:\Documents and Settings\Krzysztof Pietruszka\usbsermpt.sys 2007-05-26 16:54 23 --sha-w C:\WINDOWS\system32\bffbbbcf_r.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:44] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-06-15 18:52] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 08:39] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SoundMan”=“SOUNDMAN.EXE” [2006-03-01 09:22 C:\WINDOWS\SOUNDMAN.EXE] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 00:11] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2006-09-01 14:57] “ISUSPM”=“C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe” [2006-03-20 16:34] “nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-10-09 18:43] “StartCCC”=“C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2006-11-10 11:35] “Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-10-10 19:51] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-03 23:44] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] “UIHost”=“LogonUI.EXE” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -scheduler [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” /background [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” -atboottime “ISUSPM”=“C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe” -scheduler “KernelFaultCheck”=%systemroot%\system32\dumprep 0 -k R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys R1 atitray;atitray;??\C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs UxTuneUp . Contents of the ‘Scheduled Tasks’ folder “2007-11-23 16:16:05 C:\WINDOWS\Tasks\1-Click Maintenance.job” - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe “2007-11-19 11:50:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-26 20:40:07 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … C:\WINDOWS\WindowsShell.Manifest 749 bytes C:\WINDOWS\WindowsUpdate.log 1359988 bytes C:\WINDOWS\winhelp.exe 257104 bytes C:\WINDOWS\winhlp32.exe 285696 bytes executable C:\WINDOWS\WININIT.INI 10 bytes C:\WINDOWS\winnt.bmp 48680 bytes C:\WINDOWS\winnt256.bmp 48680 bytes C:\WINDOWS\WinSxS C:\WINDOWS\wmprfPLK.prx 36946 bytes C:\WINDOWS\WMSysPr9.prx 316640 bytes C:\WINDOWS\WMSysPrx.prx 299552 bytes C:\WINDOWS_default.pif 707 bytes IPC error: 2 Nie można odnaleźć określonego pliku. scan completed successfully hidden files: 12 ************************************************************************** . Completion time: 2007-11-26 20:40:33 . — E O F —
Raport z sdfix
Czy teraz wszystko jest ok ?
Hajasz
(Hajasz)
26 Listopad 2007 23:17
#18
Ok widzę, że u mnie już jest git. Wielkie dzięki za fachową pomoc.
Pozdrawiam !