Proszę o sprawdzenie loga!
Logfile of HijackThis v1.99.1 Scan saved at 07:44:16, on 2007-02-23 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\CTHELPER.EXE C:\WINDOWS\UpdReg.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Skype\Plugin Manager\SkypePM.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Gadu-Gadu\gg.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\cidaemon.exe D:\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [CTHelper] CTHELPER.EXE O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\Run: [Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe” O4 - HKLM…\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1045 O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx 1.18\Anti-Blaxx.exe O4 - HKLM…\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe” O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKLM…\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [stefan] C:\Program Files\INTERIAPL\Stefan\Stefan.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26274c50a23 … 601_de.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom.com/activex/zylomgamesplayer.cab O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp03.photoprintit.de/microsite/ … oader3.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15027/CTPID.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe (file missing) O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
adam9870
(adam9870)
23 Luty 2007 13:57
#2
Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
C:\WINDOWS\System32\lsasss.exe
Klikasz X czerwony i restart kompa.
Usuń wpisy HJT.
Po wykonaniu proszę pokazać nowy log z HijackThis plus z SilentRunners .
Niestety nie umiem uruchomić WWDC reszte wykonałem
Logfile of HijackThis v1.99.1 Scan saved at 11:35:10, on 2007-02-24 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\tcpipmon.exe C:\WINDOWS\System32\tcpipmon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\CTHELPER.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Skype\Plugin Manager\SkypePM.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\System32\WScript.exe C:\WINDOWS\System32\WScript.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Winamp\winamp.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\Julia&Greg\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [CTHelper] CTHELPER.EXE O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\Run: [Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe” O4 - HKLM…\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1045 O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx 1.18\Anti-Blaxx.exe O4 - HKLM…\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe” O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKLM…\Run: [tcpipmon] tcpipmon.exe O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [stefan] C:\Program Files\INTERIAPL\Stefan\Stefan.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26274c50a23 … 601_de.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom.com/activex/zylomgamesplayer.cab O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp03.photoprintit.de/microsite/ … oader3.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15027/CTPID.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe (file missing) O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “Stefan” = “C:\Program Files\INTERIAPL\Stefan\Stefan.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [null data] “CTHelper” = “CTHELPER.EXE” [“Creative Technology Ltd”] “UpdReg” = “C:\WINDOWS\UpdReg.EXE” [null data] “Jet Detection” = ““C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe”” [null data] “Disc Detector” = “C:\Program Files\Creative\ShareDLL\CtNotify.exe” [null data] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1045” [null data] “SunJavaUpdateSched” = “C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe” [null data] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [null data] “Anti-Blaxx Manager” = “C:\Program Files\Anti-Blaxx 1.18\Anti-Blaxx.exe” [null data] “ATICCC” = ““C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe”” [null data] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” “PCSuiteTrayApplication” = “C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup” [null data] “tcpipmon” = “tcpipmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{DBD8E168-244D-448C-9922-25508950D1DC}” = “Ulead UDF Driver” -> {HKLM…CLSID} = “USIShellExt Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll” [“Ulead Systems, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{23F0DC38-DC86-49D6-81EC-40C54A204212}” = “Zen Nano Plus Media Explorer” -> {HKLM…CLSID} = “Zen Nano Plus Media Explorer” \InProcServer32(Default) = “C:\Program Files\Creative\Creative Zen Nano Plus\CTMvns.dll” [“Creative Technology Ltd”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “PhoneBrowser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> rpcc\DLLName = “C:\WINDOWS\System32\rpcc.dll” [null data]
adam9870
(adam9870)
24 Luty 2007 10:39
#4
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
C:\WINDOWS\System32\rpcc.dll
Klikasz X czerwony i restart kompa.
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
Przeskanuj ten plik na stronie http://virusscan.jotti.org/ lub http://www.virustotal.com/ a jeśli okaże się szkodliwy - plik usuń ręcznie w trybie awaryjnym, a wpis HJT.
Uruchamiasz wwdc.exe >>> jeśli jest jakiś czerwony znaczek to klikasz na niego raz lewym klawiszem myszki i tak dalej na każdy czerwony znaczek >>> zamykasz program >>> zgadzasz się na reset i po resecie wszystko powinno być Ok (czyt. znaczki powinny zostać zmienione na żółte lub zielone).
Po wykonaniu zdaj relacje i pokaż nowe logi. Tylko tym razem log z silenta ma być cały bo teraz jest ucięty.
adam9870
(adam9870)
24 Luty 2007 22:47
#6
Jest Ok.
Proponuję zainstalować dodatek Service Pack 2. Poprawia on bezpieczeństwo w systemie etc. Możesz go pobrać stąd:
http://dobreprogramy.pl/index.php?dz=2&t=35&id=795
Kosmetyka:
Panel sterowania >>> Java Plug-in >>> Update >>> odznacz opcję Check for updates automatically.
Start >>> uruchom >>> msconfig >>> zakładka Uruchamianie >>> możesz odznaczyć w/w.
Jeśli QuickTime nie jest Ci bardzo potrzebny to zastąp go QuickTime Alternative .
W opcjach komunikatorów możesz odznaczyć automatyczny start jeśli nie jest Ci potrzebny.
chyba dalej coś mi siedzi w kompie!
2 dni był spokój i znowu to samo i coraz więcej programów niechce sie otworzyć między innymi HijackThis bo pojawia sie okienko
C:…\hijackthis nie jest prawidłową aplikacją systemu win32 :oops: :oops: :oops: :oops: :oops: :oops: :oops: :oops: :oops: :oops:
nie wiem co mam robic!
Albo avast jest do dupy
działa na szczęście sillent runner
oto log
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Stefan” = “C:\Program Files\INTERIAPL\Stefan\Stefan.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [null data] “CTHelper” = “CTHELPER.EXE” [“Creative Technology Ltd”] “Disc Detector” = “C:\Program Files\Creative\ShareDLL\CtNotify.exe” [null data] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [null data] “Anti-Blaxx Manager” = “C:\Program Files\Anti-Blaxx 1.18\Anti-Blaxx.exe” [null data] “ATICCC” = ““C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe”” [null data] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “PCSuiteTrayApplication” = “C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup” [null data] “tcpipmon” = “tcpipmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) - {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” - {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{DBD8E168-244D-448C-9922-25508950D1DC}” = “Ulead UDF Driver” - {HKLM…CLSID} = “USIShellExt Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll” [“Ulead Systems, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{23F0DC38-DC86-49D6-81EC-40C54A204212}” = “Zen Nano Plus Media Explorer” - {HKLM…CLSID} = “Zen Nano Plus Media Explorer” \InProcServer32(Default) = “C:\Program Files\Creative\Creative Zen Nano Plus\CTMvns.dll” [“Creative Technology Ltd”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” - {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “PhoneBrowser” - {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “SynchronousMachineGroupPolicy” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “SynchronousUserGroupPolicy” = (REG_DWORD) hex:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\JuliaGreg\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\JuliaGreg\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” - {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) - {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”]
Krzychuu
(Krzychuu)
28 Luty 2007 09:03
#8
majster80 log jest urwany. :?
adam9870
(adam9870)
28 Luty 2007 09:20
#9
A do czego potrzebujesz dalszej części loga? Pytanie retoryczne - nie odpowiadaj.
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
C:\WINDOWS\System32\tcpipmon.exe
Klikasz X czerwony i restart kompa.
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
Po wykonaniu wklej nowe logi. Tylko tym razem log z Silenta ma być cały bo teraz jest ucięty.
adam9870
(adam9870)
28 Luty 2007 14:07
#11
W logu nadal:
Proszę zastosować instrukcję usuwania, którą podałem w swoim poprzednim poście i wkleić nowe logi.
Dodatkowo przeskanuj http://kaspersky.pl/virusscanner.html
Ale gdzie go wykrywa? Proszę podać dokładną lokalizację do zainfekowanego pliku.
Niestety musiałem na nowo zainstalowac windowsa!
adam9870
(adam9870)
3 Marzec 2007 11:18
#13
Pozamykaj porty robakom. W tym celu użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:
C:\WINDOWS\System32\tcpipmon.exe
C:\WINDOWS\System32\rpcc.dll
po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
Usuń wpisy HJT.
Użyj progrmu ATF Cleaner i przeczyść TEMP’y.
Po wykonaniu wklej nowe logi.
Wszystko dokładnie wykonałem ale odłączyłem internet!
Może to wina Avast-a???
oto logi:
Logfile of HijackThis v1.99.1 Scan saved at 11:15:32, on 2007-03-04 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\System32\CTHELPER.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\System32\tcpipmon.exe C:\WINDOWS\System32\tcpipmon.exe C:\WINDOWS\System32\WScript.exe D:\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime O4 - HKLM…\Run: [CTHelper] CTHELPER.EXE O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\Run: [Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe” O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [tcpipmon] tcpipmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “(Default)” = “(empty string)” [file not found] “ATICCC” = ““C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime” [null data] “CTHelper” = “CTHELPER.EXE” [“Creative Technology Ltd”] “UpdReg” = “C:\WINDOWS\UpdReg.EXE” [“Creative Technology Ltd.”] “Jet Detection” = ““C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe”” [empty string] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” “WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [file not found] “tcpipmon” = “tcpipmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” - {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” - {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\JULIAGREG\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\JULIAGREG\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “JULIAGREG” “All Users” startup folders: ------------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “ATI CATALYST System Tray” - shortcut to: “C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray” [null data] “Microsoft Office” - shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] Creative Service for CDROM Access, Creative Service for CDROM Access, “C:\WINDOWS\System32\CTsvcCDA.exe” [“Creative Technology Ltd”] Sunbelt Kerio Personal Firewall 4, KPF4, “C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe” [“Sunbelt Software”] WMDM PMSP Service, WMDM PMSP Service, “C:\WINDOWS\System32\MsPMSPSv.exe” [MS] ---------- : Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 18 seconds. ---------- (total run time: 105 seconds)
adam9870
(adam9870)
4 Marzec 2007 11:43
#15
Zamknąłeś porty robakom?
Być może ten śmieć ciągle powraca ponieważ ciągle odwiedzasz jakąś stronę na której go łapiesz?
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
C:\WINDOWS\System32\tcpipmon.exe
Klikasz X czerwony i restart kompa.
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
Usuń wpis HJT jeśli będzie.
Użyj narzędzia SmitFraudFix z opcji numer 2 w trybie awaryjnym.
Po wykonaniu pokaż nowy log z HijackThis, SilentRunners oraz zawartość pliku c:\rapport.txt
JNJN
(JNJN)
4 Marzec 2007 12:05
#16
majster80
Proszę pisać poprawnie i uważać na słownictwo.JNJN
Niestety znowu zrobiłem według instukcji i niestety znowu nic!
Trojan uaktywnia się przy kazdym odpaleniu ewentualnie przy włączeniu połączenia sieciowego!
Prosze bardzo
GMER 1.0.12.12011 - http://www.gmer.net Rootkit scan 2007-03-05 12:31:58 Windows 5.1.2600 Dodatek Service Pack. 1 ---- System - GMER 1.0.12 ---- SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwClose SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateFile SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateKey SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcess SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcessEx SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateThread SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteFile SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteKey SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteValueKey SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver SSDT \SystemRoot\system32\drivers\khips.sys ZwMapViewOfSection SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenFile SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenKey SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwResumeThread SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetInformationFile SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetValueKey SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwWriteFile ---- Kernel code sections - GMER 1.0.12 ---- .text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [06] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 170 805025EC 4 Bytes [10, B1, C7, EB] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1A0 8050261C 4 Bytes [20, A9, C7, EB] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [E0, 6E, C7, EB] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C8 80502644 8 Bytes [20, 9F, C7, EB, 90, 9D, C7, …] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 8050265C 4 Bytes [80, A4, C7, EB] .text … PAGENDSM NDIS.sys!NdisMIndicateStatus F83CF87D 6 Bytes [FF, 25, 88, C5, CE, EB] .text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 72033FAA .text ntdll.dll!NtCreateFile 77F7595E 5 Bytes CALL 7FFA23F6 .text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72034135 .text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 72034019 .text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 72033FC8 .text ntdll.dll!NtOpenFile 77F75DFB 5 Bytes CALL 7FFA2443
Resztę loga skosowano - jako zbędną
Asterisk
adam9870
(adam9870)
5 Marzec 2007 13:50
#20
Proszę pokazać logi z najnowszej wersji Gmer’a jaką jest 1.0.12.12027 . Możesz ją pobrać stąd:
http://www.searchengines.pl/phpbb203/pl … s/gmer.zip
Proszę logi z Gmer’a umieścić w postaci plików *.txt na jakimś serwerze, a tu tylko zlinkować ponieważ bezpośrednio do posta się nie zmieszczą.
http://forum.dobreprogramy.pl/viewtopic.php?t=96929
Proszę pokazać dwa logi. Jeden wykonany przy zaznaczonych wszystkich opcjach poza pokazuj wszystko, zaś drugi tylko przy zaznaczonej opcji Usługi + pokazuj wszystko.
Uwaga: przed wrzuceniem nowej wersji Gmer’a proszę zatrzymać stary driver. W tym celu należy wybrać start >>> uruchom >>> wpisać cmd i kliknąć OK >>> w konsoli, która się otworzy wpisać polecenie: