Agent.Proxy.dd...niesmiertelny wir:(


(Adam Banach1) #1

Witam! od niedawna mam problem z tym wirem proxy co roż pojawia się w system32. jako" wndregmon32.dll "Gdy go usówam KILL BOXEM on po czasie wraca ponownie do system32.Co mam zrobic????


(Tomu250) #2

a zainstalowanie systemu??? wtedy w biosie dajesz ta sama partycje i usuwasz dotychczasowego windowsa.


(bodek32) #3

Czemu od razu format :o

Niech usunie plik w trybie awaryjnym i wyłączonym przywracaniem systemu


(Adam Banach1) #4

więc co mam robic???

Złączono Posta : 22.09.2006 (Pią) 19:38

bodek przywracanie mam wyłączone zawsze a w awaryjnym próbowałem już:(i dalej się pojawia


(Bbieniol) #5

Wrzuć zestaw logów - HijackThis + Silent Runners


(Adam Banach1) #6

on i tak się zjawi jak go wywale kill boxem,a w awaryjnym jest niewidoczny


(Bbieniol) #7

Zrób to, o co Cie proszę w poście wyżej :slight_smile:


(Adam Banach1) #8
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]


HKLM\Software\Microsoft\Active Setup\Installed Components\

>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"

                                        \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{ABC70703-32AF-11d4-90C4-D483A70F4825}" = "CMenuExtender"

  -> {HKLM...CLSID} = "CMenuExtender"

                   \InProcServer32\(Default) = "C:\WINDOWS\BricoPacks\Vista Inspirat\iColorFolder\CMExt.dll" ["Revenger inc."]

"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"

  -> {HKLM...CLSID} = "NetWare Objects"

                   \InProcServer32\(Default) = "nwprovau.dll" [MS]

"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"

  -> {HKLM...CLSID} = "NetWare UNC Folder Menu"

                   \InProcServer32\(Default) = "nwprovau.dll" [MS]

"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"

  -> {HKLM...CLSID} = "NetWare Hood Verbs"

                   \InProcServer32\(Default) = "nwprovau.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: "]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"0aMCPClient" = "{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

  -> {HKLM...CLSID} = "MCPShellInstantiator Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\stardock\MCPCore.dll" ["Stardock"]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "PDBoot.exe autocheck autochk *" [file not found], [file not found], [MS], [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

INFECTION WARNING! MCPClient\DLLName = "C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll" ["Stardock"]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

  -> {HKLM...CLSID} = "Ctest Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

CMenuExtender\(Default) = "{ABC70703-32AF-11d4-90C4-D483A70F4825}"

  -> {HKLM...CLSID} = "CMenuExtender"

                   \InProcServer32\(Default) = "C:\WINDOWS\BricoPacks\Vista Inspirat\iColorFolder\CMExt.dll" ["Revenger inc."]

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

  -> {HKLM...CLSID} = "Ctest Object"

                   \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"

  -> {HKLM...CLSID} = "NetWare UNC Folder Menu"

                   \InProcServer32\(Default) = "nwprovau.dll" [MS]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {HKLM...CLSID} = "FlashGet Bar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\fgiebar.dll" ["Amaze Soft"]


i hijack

sprawdz :)

Logfile of HijackThis v1.99.1

Scan saved at 11:19:33, on 2006-08-24

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\netdde.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Azureus\Azureus.exe

C:\WINDOWS\TEMP\winnlsukh3.exe

C:\WINDOWS\TEMP\winmmccŕ.exe

C:\WINDOWS\TEMP\winxqdsoq3.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\TEMP\winvqeran3.exe

C:\WINDOWS\TEMP\winsmnxŕ.exe

C:\WINDOWS\TEMP\winxlwlnw3.exe

C:\Program Files\Winamp\winamp.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\Administrator\Pulpit\hijackthis.com


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

Złączono Posta : 23.09.2006 (Sob) 15:26

a więc co teraz??


(Gutek) #9

W trybie awryjnym oczyść ręcznie temp: C:\WINDOWS\TEMP

Proszę otworzyć edytor rejestru Start >>> Uruchom >>> regedit i przejść do klucza HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Tam kliknąć podwójnie na wartość BootExecute i z okienka usunąć wszystko z wyjątkiem autocheck autochk *.


(Adam Banach1) #10

oczysciłem TEMP już wczesniej ,killboxem go zlikwidowałem (często to robie),bo on jest niesmietelny:(gutek teraz przestałem grac bo pingi mis skoczyły ,znowu się pojawił stary agent.proxy.dd w system32 jako wndregmon32.dll,siedzi jak zawsze:(,co moge jeszcze zrobic?


(Gutek) #11

Nic nie widać w logach, użyj http://esupport.trendmicro.com/support/ ... =en-125991 opis http://aumha.net/viewtopic.php?t=10610


(Adam Banach1) #12

maqm cały czas tego wira,ale dezaktywowałem procesy usunąlem i nie ma go,ale ja wiem,że niedługo się pojawi,mam sieciówke z sąsiadem to od niego idzie???,evido wukryje tego proxy agenta.

P.S:niewiem co z tym hijackiem,wlączam i jest tylko scan nie wiem jak wcisnąc tą opcje gdy pierwszy raz się hijcaka uruchamia.??


(Gutek) #13

Opis- http://forum.dobreprogramy.pl/viewtopic.php?t=36654


(Adam Banach1) #14
Logfile of HijackThis v1.99.1

Scan saved at 01:36:56, on 2006-09-24

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\netdde.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

C:\Program Files\Winamp\winamp.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Gadu-Gadu\gg.exe

E:\programy\antyviry\Do ręcznej walki z Trojanami\KillBox.exe

C:\Documents and Settings\Administrator\Pulpit\hijackthis.com


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Administrator\Pulpit\HijackThis.exe /startupscan

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

(Gutek) #15

Jest Ok, czytso :slight_smile:


(Adam Banach1) #16

ale on wróci za jakiś czas ja to wiem,onn zawsze wraca gdzies musi miec przejscie coś jest nie tak


(Gutek) #17

OT-y KOSZ

Adamkoo nie rób zamieszania wróci to napiszesz, zastosuj się do tego co napisałem i użyj Trend Micro System Cleaner


(Adam Banach1) #18

nie jest OK.on ciągle sie pojawia ten natręt niedaje mi spokoju!!co dalej??


(Bbieniol) #19

Zrobiłeś to, co napisał Gutek2222?

Dodatkowo możesz użyć Windows Worms Doors Cleanera zmień znaczki z disable na enable (jeżeli jakieś znaczki są żółte, to niech takie zostaną). Po użyciu tego narzędzia wymagany jest reset sysa.


(Gutek) #20

Adamkoo użyj Trend Micro System Cleaner

Opis: