czy ktos moglby mi to sprawdzic , bo nic mi nie chce dzialac
Logfile of HijackThis v1.99.1
Scan saved at 02:22:05, on 2007-02-03
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tlen.pl\tlen.exe
C:\Documents and Settings\aga.LAPTOP750\Ustawienia lokalne\Temp\Katalog tymczasowy 3 dla hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allegro.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: @msdxmLC.dll,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\lsaeuqhr.dll",setvm
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels1118.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\System32\lnwin.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [System64] C:\WINDOWS\System32\inet.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\601194.exe "
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Uninstall.exe~
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/jyvaskyla/support/plugins/ebraryRdr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\System32\foila.dll
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - C:\WINDOWS\System32\jvzx32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: Windows Host Services (WINHOST32) - Unknown owner - C:\WINDOWS\system\services.exe (file missing)
jestem pewna ze jest wirus moze nawet nie jeden ale nic mi to nie mowi.
Złączono Posty : 03.02.2007 (Sob) 1:45
a i jeszcze nie napislam ze to jest na awaryjnm , bo normalny nie dziala. Nawet sie nie chce wlaczyc.
Myszak
(Myszonus)
3 Luty 2007 07:00
#2
Start --> uruchom --> services.msc --> zatrzymaj i wyłącz usługę : Microsoft authenticate service
Otwórz hijackthis --> open misc tools section --> delete a NT service --> wpisz : MsaSvc --> ok
Start --> uruchom --> services.msc --> zatrzymaj i wyłącz usługę : Windows Host Services
Otwórz hijackthis --> open misc tools section --> delete a NT service --> wpisz : WINHOST32 --> ok
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll O4 - HKLM…\Run: [system] C:\WINDOWS\System32\kernels1118.exe O4 - HKLM…\Run: [sysinter] C:\WINDOWS\System32\adirss.exe O4 - HKLM…\Run: [lnwin.exe] C:\WINDOWS\System32\lnwin.exe O4 - HKLM…\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe O4 - HKLM…\Run: [system64] C:\WINDOWS\System32\inet.exe O4 - HKCU…\Run: [Windows update loader] C:\Windows\xpupdate.exe O4 - HKCU…\Run: [WinUpdate] “C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\601194.exe” O4 - HKCU…\Run: [WinMedia] C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe O4 - Global Startup: Uninstall.exe~ O16 - DPF: Win32 Classes - O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\System32\foila.dll O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - C:\WINDOWS\System32\jvzx32.dll O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing) O23 - Service: Windows Host Services (WINHOST32) - Unknown owner - C:\WINDOWS\system\services.exe (file missing)
Startujesz do trybu awaryjnego i wyłączasz przywracanie systemu.
Pliki/foldery na czerwono skasuj z dysku.
Wpisy skasuj Hijackiem.
Użyj ATFCleaner.
Dodatkowo wklej log z Silent Runners.
jest troche lepiej , ale ciagle mnie wywala na trybie normalnym ,poza tym wyskakuje komunikat o tym ze pamiec wirtualna jest niewystarczajaca i nastapi jej zwiekszenie , po czym komp. bardzo zawlnia, nie moglam znales jednego pilu C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe nie widze go w tempie wiec go ne usunelam ,
nowy log jest nastepujacy
Logfile of HijackThis v1.99.1 Scan saved at 13:30:03, on 2007-02-03 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\tp4mon.exe C:\WINDOWS\System32\RunDll32.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe C:\Documents and Settings\aga.LAPTOP750\Ustawienia lokalne\Temp\Katalog tymczasowy 11 dla hijackthis.zip\HijackThis.exe C:\WINDOWS\System32\rasautou.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allegro.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O3 - Toolbar: @msdxmLC.dll ,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll O4 - HKLM…\Run: [TrackPointSrv] tp4mon.exe O4 - HKLM…\Run: [internat.exe] internat.exe O4 - HKLM…\Run: [systemTray] SysTray.Exe O4 - HKLM…\Run: [bMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor O4 - HKLM…\Run: [bLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog O4 - HKLM…\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM…\Run: [DllRunning] rundll32.exe “C:\WINDOWS\System32\lsaeuqhr.dll”,setvm O4 - HKLM…\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM…\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [WinMedia] C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe O4 - HKCU…\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background O4 - Global Startup: Uninstall.exe~ O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: Win32 Classes - O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/jyvaskyla/su … aryRdr.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing) O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Bufor wydruku (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing) O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
adam9870
(adam9870)
3 Luty 2007 11:53
#4
Myszak - nie zauważyłeś trojana vundo.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll O4 - HKLM…\Run: [DllRunning] rundll32.exe “C:\WINDOWS\System32\lsaeuqhr.dll”,setvm O4 - HKCU…\Run: [WinMedia] C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe O4 - Global Startup: Uninstall.exe~ O16 - DPF: Win32 Classes -
Pliki i foldery zaznaczone kasujesz ręcznie z dysku w trybie awaryjnym natomiast wpisy w HijackThis.
Zastosuj VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone .
Użyj progrmu ATF Cleaner i przeczyść Current User Temp oraz All Users Temp .
Po wykonaniu pokaż nowy log z hjt, SilentRunners + log numer 1 z L2Mfix .
ok, wklejam loga z hjt i silent runners
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “rjenhwov” = ""C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\rjenhwov.exe " " [null data] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “WinMedia” = "C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe " [null data] “Komunikator” = “C:\Program Files\Tlen.pl\tlen.exe” [“o2.pl Sp. z o.o.”] “msnmsgr” = ““C:\Program Files\MSN Messenger\msnmsgr.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “TrackPointSrv” = “tp4mon.exe” [“IBM Corporation”] “internat.exe” = “internat.exe” [file not found] “SystemTray” = “SysTray.Exe” [MS] “BMMMONWND” = “rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor” [MS] “BLOG” = “rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog” [MS] “TPKMAPHELPER” = “C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper” [“Lenovo”] “DllRunning” = “rundll32.exe “C:\WINDOWS\System32\lsaeuqhr.dll”,setvm” [MS] “BMMLREF” = “C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE” [null data] “BMMGAG” = “RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor” [MS] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX” [empty string] {086F3ADF-92EA-4415-877E-C7DD7DD64F14}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nnnljhe.dll” [null data] {46A4E9D9-B30E-452A-8157-DBBEC8573B03}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\VSAdd-in\VSAdd-in.dll” [file not found] {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\unkexqyf.dll” [null data] {7DA39570-5FD2-4f18-94B4-20730CB3F727}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\hnfddwse.dll” [null data] {DD97B296-07B2-461C-A89F-49C9F34CFDBD}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\oppmj.dll” [null data] {E6B80D0E-E3E8-4BF1-9C55-DA917CAD7702}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\pmnon.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0E5CBF21-D15F-11d0-8301-00AA005B4383}” = “Łą&cza” -> {HKLM…CLSID} = “Łą&cza” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{7487cd30-f71a-11d0-9ea7-00805f714772}” = “Thumbnail Image” -> {HKLM…CLSID} = “Thumbnail Image” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{ECD4FC4F-521C-11D0-B792-00A0C90312E1}” = “Menu Desk Bar” -> {HKLM…CLSID} = “Menu Desk Bar” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{E13EF4E4-D2F2-11d0-9816-00C04FD91972}” = “Menu Site” -> {HKLM…CLSID} = “Menu Site” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{D82BE2B0-5764-11D0-A96E-00C04FD705A2}” = “IShellFolderBand” -> {HKLM…CLSID} = “IShellFolderBand” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{5b4dae26-b807-11d0-9815-00c04fd91972}” = “Menu Band” -> {HKLM…CLSID} = “Menu Band” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{8278F931-2A3E-11d2-838F-00C04FD918D0}” = “Tracking Shell Menu” -> {HKLM…CLSID} = “Tracking Shell Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{450D8FBA-AD25-11D0-98A8-0800361B1103}” = “MyDocs Folder” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\MICROS~1\OFFICE10\msohev.dll” [MS] “{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile” -> {HKLM…CLSID} = “Mobile” \InProcServer32(Default) = “C:\PROGRA~1\SIEMEN~1\DES\DESSHE~1.DLL” [file not found] “{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile ContextMenuHandler” -> {HKLM…CLSID} = “Mobile ContextMenuHandler” \InProcServer32(Default) = “C:\PROGRA~1\SIEMEN~1\DES\DESSHE~1.DLL” [file not found] “{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile PropertySheetHandler” -> {HKLM…CLSID} = “Mobile PropertySheetHandler” \InProcServer32(Default) = “C:\PROGRA~1\SIEMEN~1\DES\DESSHE~1.DLL” [file not found] “{8e9d6600-f84a-11ce-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Objects” \InProcServer32(Default) = “nwprovau.dll” [MS] “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] “{52c68510-09a0-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Hood Verbs” \InProcServer32(Default) = “nwprovau.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ <> “{2C1CD3D7-86AC-4068-93BC-A02304BB60787}” = “DCOM Server 60787” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\phwotd.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{086F3ADF-92EA-4415-877E-C7DD7DD64F14}” = “*V” (unwritable string) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nnnljhe.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = “C:\WINDOWS\System32\tmp_0.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> nnnljhe\DLLName = “nnnljhe.dll” [null data] <> oppmj\DLLName = “C:\WINDOWS\System32\oppmj.dll” [null data] <> pmnnnmj\DLLName = “pmnnnmj.dll” [null data] <> rpcc\DLLName = “C:\WINDOWS\System32\rpcc.dll” [null data] <> ssqpmki\DLLName = “ssqpmki.dll” [null data] <> winsys2freg\DLLName = “C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll” [null data] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] NetWareUNCMenu(Default) = “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoActiveDesktop” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Disable Active Desktop} “ClassicShell” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Enable Classic Shell / Turn on Classic Shell} “ForceActiveDesktopOn” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Enable Active Desktop} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} “Wallpaper” = (REG_SZ) C:\WINDOWS\desktop.html {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Active Desktop Wallpaper|Wallpaper Name:} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Enabled Scheduled Tasks: ------------------------ “Uruchomienie aplikacji dostrajania” -> launches: “walign” [file not found] “Rozpoczęcie aplikacji dostrajania” -> launches: “walign” [file not found] “Przypomnienie o wygaśnięciu dezinstalacji” -> launches: “C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /u /n:1” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 27 %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{74DD705D-6834-439C-A735-A6DBE2677452}” -> {HKLM…CLSID} = “&VSAdd-in” \InProcServer32(Default) = “C:\Program Files\VSAdd-in\VSAdd-in.dll” [file not found]
i hjt
Logfile of HijackThis v1.99.1 Scan saved at 15:04:32, on 2007-02-03 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\tp4mon.exe C:\WINDOWS\System32\RunDll32.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\ctfmon.exe C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\aga.LAPTOP750\Ustawienia lokalne\Temp\Katalog tymczasowy 15 dla hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allegro.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O3 - Toolbar: @msdxmLC.dll ,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [TrackPointSrv] tp4mon.exe O4 - HKLM…\Run: [internat.exe] internat.exe O4 - HKLM…\Run: [systemTray] SysTray.Exe O4 - HKLM…\Run: [bMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor O4 - HKLM…\Run: [bLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog O4 - HKLM…\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM…\Run: [DllRunning] rundll32.exe “C:\WINDOWS\System32\lsaeuqhr.dll”,setvm O4 - HKLM…\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM…\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [WinMedia] C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe O4 - HKCU…\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: Win32 Classes - O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/jyvaskyla/su … aryRdr.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing) O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_0.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing) O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing) O23 - Service: Bufor wydruku (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing) O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
niestesty z l2mfix sobie nie poradzilam .
adam9870
(adam9870)
3 Luty 2007 14:40
#6
Pięknie… Vundo nadal siedzi i ma się dobrze.
Pobierz The avenger . Wypakuj => uruchom => zaznacz opcję Input script manually => kliknij w lupkę => w okienku, które się otworzy wklej:
=> Kliknij klawisz Done => teraz kliknij na zielone światełko => powinna pojawić się pewna informacja i kliknij OK (teraz restart).
Po resecie może pojawić się okienko na dosłownie kilka sekund oraz log w notatniku. Wejdź tam gdzie masz avangera i skasuj plik backup.zip czyli np. c:\avanger\backup.zip.
Zastosuj VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone .
W l2mfix jak będziesz miał tak
klik
to wybierasz 1. Run Find Log
ok teraz to wyglada tak
Logfile of HijackThis v1.99.1 Scan saved at 17:21:47, on 2007-02-03 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Documents and Settings\aga.LAPTOP750\Ustawienia lokalne\Temp\Katalog tymczasowy 16 dla hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allegro.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: (no name) - {78FDD0AA-6FAD-4921-86D5-98F54DCFA1EB} - C:\WINDOWS\System32\oppmj.dll (file missing) O3 - Toolbar: @msdxmLC.dll ,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [TrackPointSrv] tp4mon.exe O4 - HKLM…\Run: [internat.exe] internat.exe O4 - HKLM…\Run: [systemTray] SysTray.Exe O4 - HKLM…\Run: [bMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor O4 - HKLM…\Run: [bLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog O4 - HKLM…\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM…\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM…\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [cphcrgjf] C:\jbhwmfmj.bat O4 - HKLM…\Run: [lnrklyce] C:\nlsnralc.bat O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [WinMedia] C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe O4 - HKCU…\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: Win32 Classes - O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/jyvaskyla/su … aryRdr.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing) O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_0.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing) O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Bufor wydruku (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing) O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
a z silent runners
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “rjenhwov” = ""C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\rjenhwov.exe " " [null data] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “WinMedia” = "C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe " [file not found] “Komunikator” = “C:\Program Files\Tlen.pl\tlen.exe” [“o2.pl Sp. z o.o.”] “msnmsgr” = ““C:\Program Files\MSN Messenger\msnmsgr.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “TrackPointSrv” = “tp4mon.exe” [“IBM Corporation”] “internat.exe” = “internat.exe” [file not found] “SystemTray” = “SysTray.Exe” [MS] “BMMMONWND” = “rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor” [MS] “BLOG” = “rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog” [MS] “TPKMAPHELPER” = “C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper” [“Lenovo”] “BMMLREF” = “C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE” [null data] “BMMGAG” = “RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor” [MS] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” “cphcrgjf” = “C:\jbhwmfmj.bat” [null data] “lnrklyce” = “C:\nlsnralc.bat” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX” [empty string] {78FDD0AA-6FAD-4921-86D5-98F54DCFA1EB}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\oppmj.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0E5CBF21-D15F-11d0-8301-00AA005B4383}” = “Łą&cza” -> {HKLM…CLSID} = “Łą&cza” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{7487cd30-f71a-11d0-9ea7-00805f714772}” = “Thumbnail Image” -> {HKLM…CLSID} = “Thumbnail Image” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{ECD4FC4F-521C-11D0-B792-00A0C90312E1}” = “Menu Desk Bar” -> {HKLM…CLSID} = “Menu Desk Bar” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{E13EF4E4-D2F2-11d0-9816-00C04FD91972}” = “Menu Site” -> {HKLM…CLSID} = “Menu Site” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{D82BE2B0-5764-11D0-A96E-00C04FD705A2}” = “IShellFolderBand” -> {HKLM…CLSID} = “IShellFolderBand” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{5b4dae26-b807-11d0-9815-00c04fd91972}” = “Menu Band” -> {HKLM…CLSID} = “Menu Band” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{8278F931-2A3E-11d2-838F-00C04FD918D0}” = “Tracking Shell Menu” -> {HKLM…CLSID} = “Tracking Shell Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{450D8FBA-AD25-11D0-98A8-0800361B1103}” = “MyDocs Folder” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\SHELL32.dll” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\MICROS~1\OFFICE10\msohev.dll” [MS] “{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile” -> {HKLM…CLSID} = “Mobile” \InProcServer32(Default) = “C:\PROGRA~1\SIEMEN~1\DES\DESSHE~1.DLL” [file not found] “{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile ContextMenuHandler” -> {HKLM…CLSID} = “Mobile ContextMenuHandler” \InProcServer32(Default) = “C:\PROGRA~1\SIEMEN~1\DES\DESSHE~1.DLL” [file not found] “{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile PropertySheetHandler” -> {HKLM…CLSID} = “Mobile PropertySheetHandler” \InProcServer32(Default) = “C:\PROGRA~1\SIEMEN~1\DES\DESSHE~1.DLL” [file not found] “{8e9d6600-f84a-11ce-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Objects” \InProcServer32(Default) = “nwprovau.dll” [MS] “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] “{52c68510-09a0-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Hood Verbs” \InProcServer32(Default) = “nwprovau.dll” [MS] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = “C:\WINDOWS\System32\tmp_0.dll” [file not found] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] NetWareUNCMenu(Default) = “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoActiveDesktop” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Disable Active Desktop} “ClassicShell” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Enable Classic Shell / Turn on Classic Shell} “ForceActiveDesktopOn” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Enable Active Desktop} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} “Wallpaper” = (REG_SZ) C:\WINDOWS\desktop.html {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Active Desktop Wallpaper|Wallpaper Name:} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Enabled Scheduled Tasks: ------------------------ “Uruchomienie aplikacji dostrajania” -> launches: “walign” [file not found] “Rozpoczęcie aplikacji dostrajania” -> launches: “walign” [file not found] “Przypomnienie o wygaśnięciu dezinstalacji” -> launches: “C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /u /n:1” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 27 %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{74DD705D-6834-439C-A735-A6DBE2677452}” -> {HKLM…CLSID} = “&VSAdd-in” \InProcServer32(Default) = “C:\Program Files\VSAdd-in\VSAdd-in.dll” [file not found] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- ASP.NET State Service, aspnet_state, “C:\WINDOWS\Microsoft.NET \Framework\v1.1.4322\aspnet_state.exe” [MS] avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [file not found] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] Bufor wydruku, Spooler, “C:\WINDOWS\system32\spoolsv.exe” [file not found] IBM KCU Service, TpKmpSVC, “C:\WINDOWS\system32\TpKmpSVC.exe” [file not found] Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\System32\wbem\wmiapsrv.exe” [MS] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa klienta dla systemu NetWare, NWCWorkstation, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\nwwks.dll” [MS]} ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 73 seconds. ---------- (total run time: 207 seconds)
i nie mialam nigdzie pliku backup.zip
Złączono Posty : 03.02.2007 (Sob) 17:15
znalalzlam ten plik i usunelam , robilam jeszcze raz serie
vundofix.
FixVundo.
VirtumundoBeGone.
i niby nic nie wykryly ,ale tryb normalny chodzi tylko jak odlacze internet , jak dostaje polaczenie to po chwili mnie wywala. :?
adam9870
(adam9870)
3 Luty 2007 20:24
#8
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:
C:\WINDOWS\SYSTEM\blank.htm
C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\rjenhwov.exe
C:\jbhwmfmj.bat
C:\nlsnralc.bat
po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.
Użyj progrmu ATF Cleaner i przeczyść Current User Temp oraz All Users Temp .
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm O2 - BHO: (no name) - {78FDD0AA-6FAD-4921-86D5-98F54DCFA1EB} - C:\WINDOWS\System32\oppmj.dll (file missing) O4 - HKLM…\Run: [cphcrgjf] C:\jbhwmfmj.bat O4 - HKLM…\Run: [lnrklyce] C:\nlsnralc.bat O4 - HKCU…\Run: [WinMedia] C:\DOCUME~1\AGA~1.LAP\USTAWI~1\Temp\594424.exe O16 - DPF: Win32 Classes - O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_0.dll
Usuń HJT jeśli będą.
Po wykonaniu pokaż nowe logi. Tylko poczytaj o l2mfix i daj log bo nie można usunąć Vundo bez tego loga. Ewentualnie daj log z ComboFix . Aby zrobić w nim log należy go uruchomić => nacisnąć klawisz Y => czekać cierpliwie i log powinien być w formie pliku .txt o nazwie combofix na partycji C.
adam9870
(adam9870)
5 Luty 2007 15:07
#10
Usuń ręcznie będąc w trybie awaryjnym.
Zaś te pliki:
2007-02-03 13:39 10,725 -r-h----- C:\WINDOWS\SYSTEM32\syst064.exe 2007-02-03 13:35 0 --a------ C:\lvnu.exe 2007-02-03 10:35 88,340 --a------ C:\WINDOWS\SYSTEM32\gwdfudoj.exe 2007-01-30 23:17 88,340 --a------ C:\WINDOWS\SYSTEM32\svnjbgog.exe 2007-01-30 12:06 32,832 --a------ C:\exe.exe 2007-01-30 11:51 8,082 --a------ C:\3456346345643.exe 2007-01-26 12:01 4,001 --a------ C:\WINDOWS\loadnew.exe 2007-01-25 10:59 102,400 --a------ C:\WINDOWS\SYSTEM32\advvpi32.dll 2007-01-17 11:56 88,340 --a------ C:\WINDOWS\SYSTEM32\ldyxcyoj.exe 2007-01-15 17:25 88,340 --a------ C:\WINDOWS\SYSTEM32\bhtxqcen.exe
Przeskanuj na stronie http://virusscan.jotti.org/ lub http://www.virustotal.com/vt/ , a te które okażą się szkodnikami - również usuń będąc w trybie awaryjnym.
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
Puść w ruch SDFix i pokaż raport, opis sytuacji oraz nowy log z ComboFix.