Witam mam problem z tym wirusem Adware.Virtumonde. nie moge go usunac wiecie co robic?? prosze o pomoc
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:39:38, on 2008-03-24
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {ED72BDB1-649D-4911-B38F-F9CA93A4A367} - C:\WINDOWS\System32\mlljg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [Device Detector] “C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe” -autorun
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM…\Run: [skyTel] SkyTel.EXE
O4 - HKLM…\Run: [WireLessMouse] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
O4 - HKLM…\Run: [WireLessKeyboard] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
O4 - HKLM…\Run: [bearShare] “C:\Program Files\BearShare\BearShare.exe” /pause
O4 - HKLM…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [iSUSPM] “C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe” -scheduler
O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM…\Run: [LanguageShortcut] “C:\Program Files\CyberLink\PowerDVD\Language\Language.exe”
O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE
O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray
O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)
O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)
O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: xxywxwt - xxywxwt.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
–
End of file - 6223 bytes
i teraz co mam robic dalej?
FIX:
Daj log z ComboFix i zainstaluj SP2!
ComboFix 08-03-23.2 - Administrator 2008-03-26 20:35:58.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.1590 [GMT 1:00]
Running from: E:\Programy\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Dane aplikacji\urlredir.cfg
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.
2008-03-24 17:39 . 2008-03-24 17:39
2008-03-20 07:16 . 2008-03-20 07:17
2008-03-13 08:10 . 2008-03-13 08:10 289,280 --a------ C:\WINDOWS\system32\mlljg.V00dll
2008-03-08 18:45 . 2008-03-08 18:45 289,280 --a------ C:\WINDOWS\system32\mlljg.Vdll
2008-03-08 17:13 . 2008-03-08 17:13
2008-03-04 19:33 . 2008-03-05 22:39 1,914 —hs---- C:\WINDOWS\system32\maqnfppl.ini
2008-03-03 19:34 . 2008-03-04 19:32 1,554 —hs---- C:\WINDOWS\system32\arhugdrb.ini
2008-03-02 21:04 . 2008-03-02 21:04
2008-03-02 21:04 . 2008-03-02 21:05
2008-03-02 21:02 . 2008-03-02 21:02
2008-03-02 21:02 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-02 20:56 . 2008-03-02 20:56
2008-03-02 20:55 . 2008-03-02 21:02 671 --a------ C:\WINDOWS\mozver.dat
2008-03-02 16:34 . 2008-03-08 17:12 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-03-02 16:34 . 2008-03-08 17:13 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-03-02 16:34 . 2008-03-08 17:13 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-02 16:20 . 2008-03-02 16:20 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-03-02 16:20 . 2008-03-02 16:20 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-03-02 16:20 . 2008-03-02 16:20 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-03-02 15:55 . 2008-03-03 19:31 1,074 —hs---- C:\WINDOWS\system32\fbiyxgfr.ini
2008-02-29 19:54 . 2008-03-02 15:49 594 —hs---- C:\WINDOWS\system32\ihxpcgvo.ini
2008-02-28 19:54 . 2008-02-29 19:30 414 —hs---- C:\WINDOWS\system32\icuyjwfm.ini
2008-02-28 18:37 . 2008-02-28 18:37
2008-02-27 20:04 . 2008-02-27 20:12
2008-02-27 18:46 . 2008-02-27 18:47 289,280 --------- C:\WINDOWS\system32\mlljg.dll
2008-02-27 18:42 . 2008-02-27 18:42 32,764 --a------ C:\WINDOWS\17PHolmes2000373.exe
2008-02-27 18:03 . 2008-02-27 18:03
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 09:31 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Tlen.pl
2008-03-08 16:13 22,328 ----a-w C:\Documents and Settings\Administrator\Dane aplikacji\PnkBstrK.sys
2008-03-08 10:25 --------- d-----w C:\Program Files\ESET
2008-03-02 15:34 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-02-27 19:12 --------- d–h--w C:\Program Files\InstallShield Installation Information
2008-02-27 19:03 --------- d-----w C:\Program Files\EA SPORTS
2008-02-11 12:21 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\CyberLink
2008-01-28 20:33 --------- d-----w C:\Program Files\Tlen.pl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{CD44B967-9310-4308-B3B0-FFCE946655A1}]
2008-02-27 18:47 289280 --------- C:\WINDOWS\System32\mlljg.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” [2002-09-20 17:05 13312]
“Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2006-09-14 16:49 1672904]
“Komunikator”=“C:\Program Files\Tlen.pl\tlen.exe” [2007-10-16 11:53 6234112]
“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2002-08-20 15:08 1511453]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NvCplDaemon”=“C:\WINDOWS\System32\NvCpl.dll” [2007-05-10 23:03 8429568]
“nwiz”=“nwiz.exe” [2007-05-10 23:03 1626112 C:\WINDOWS\system32\nwiz.exe]
“NvMediaCenter”=“C:\WINDOWS\System32\NvMcTray.dll” [2007-05-10 23:03 81920]
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 11:50 155648]
“Device Detector”=“C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe” [2003-09-17 17:39 212992]
“WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2004-12-20 19:41 33792]
“DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [2004-08-22 17:05 81920]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2007-11-26 00:11 180269]
“RTHDCPL”=“RTHDCPL.EXE” [2006-12-17 17:00 16062464 C:\WINDOWS\RTHDCPL.exe]
“SkyTel”=“SkyTel.EXE” [2006-05-15 17:00 2879488 C:\WINDOWS\SkyTel.exe]
“WireLessMouse”=“C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe” [2005-08-30 14:35 303104]
“WireLessKeyboard”=“C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe” [2005-08-30 10:51 319488]
“BearShare”=“C:\Program Files\BearShare\BearShare.exe” [2006-08-01 17:04 3313664]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-10-10 19:51 39792]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-10-19 20:16 286720]
“ISUSPM”=“C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe” []
“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2007-01-08 22:26 68640]
“LanguageShortcut”=“C:\Program Files\CyberLink\PowerDVD\Language\Language.exe” [2007-01-08 22:17 52256]
“nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2008-03-02 16:20 949376]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11 132496]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2002-09-20 17:05 13312]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywxwt]
xxywxwt.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\mlljg.dll
S3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\System32\drivers\asusgsb.sys [2007-05-31 14:29]
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\System32\Drivers\Video3D32.sys []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 20:38:52
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-
C:\WINDOWS\System32\mlljg.dll
-
C:\Program Files\Eset\pr_imon.dll
PROCESS: C:\WINDOWS\explorer.exe
- C:\Program Files\Tlen.pl\hook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2008-03-26 20:39:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 19:39:30
ComboFix2.txt 2008-03-24 16:37:39
miki605 , popraw posty zgodnie z tym tematem. Inaczej wyciągnę konsekwencję.
Nie pisz posta pod postem. Zapoznaj się proszę z regulaminem i zasadami pisania na forum.
Wklej do Notatnika:
File::
C:\WINDOWS\system32\mlljg.V00dll
C:\WINDOWS\system32\mlljg.Vdll
C:\WINDOWS\system32\maqnfppl.ini
C:\WINDOWS\system32\arhugdrb.ini
C:\WINDOWS\system32\fbiyxgfr.ini
C:\WINDOWS\system32\ihxpcgvo.ini
C:\WINDOWS\system32\icuyjwfm.ini
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\17PHolmes2000373.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD44B967-9310-4308-B3B0-FFCE946655A1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywxwt]
>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe ) Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe ) – podobnie jak na tym obrazku –>