Problem wygląda tak: od kilku dni na pulpicie przy przegladaniu internetu pojawiały się reklamy jakies dziwne, predzej nie spotykane. Dziś załaczam kompa i nic…tylko tapeta. Kerio firewall tez cos szwankuje, ciagle prosi o dostep jakies dziwne rzeczy… Explorera uruchomilem recznie z poprzed nowe zadanie…
Moj log z hijacka:
Logfile of HijackThis v1.99.1 Scan saved at 23:06:53, on 2006-06-20 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\Explorer.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\WINDOWS\winsock\csrss.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\WINDOWS\System32\cmd.exe C:\WINDOWS\System32\cmd.exe C:\WINDOWS\explorer.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Winamp\winampa.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE C:\WINDOWS\System32\3f79abee.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\SSEMBL~1\winlogon.exe C:\WINDOWS\YMANTE~1\XPLORE~1.EXE C:\Program Files\Gadu-Gadu\gg.exe C:\WINDOWS\System32\cmd.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Lechoo_HSF\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {D693388B-814C-879C-69A7-F55D30C0459C} - C:\WINDOWS\System32\fdzf.dll R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winsock\csrss.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\winsock\csrss.exe O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 “EPSON Stylus CX3600 Series” /O6 “USB001” /M “Stylus CX3600” O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM…\Run: [3f79abee.exe] C:\WINDOWS\System32\3f79abee.exe O4 - HKLM…\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe O4 - HKLM…\Run: [Microsoft ® Windows TCP/IP Socket Driver] C:\WINDOWS\winsock\csrss.exe O4 - HKLM…\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [3f79abee.exe] C:\Documents and Settings\Lechoo_HSF\Ustawienia lokalne\Dane aplikacji\3f79abee.exe O4 - HKCU…\Run: [Aaod] “C:\WINDOWS\SSEMBL~1\winlogon.exe” -vt yax O4 - HKCU…\Run: [Nuyvtegr] C:\WINDOWS\YMANTE~1\XPLORE~1.EXE O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FLASHGET\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FLASHGET\jc_link.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.trasferimento.biz/l/a892ed0 … d54_35.exe O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleAc … refid=1123 O20 - AppInit_DLLs: C:\WINDOWS\System32\notepad.dll O20 - Winlogon Notify: winpdc32 - C:\WINDOWS\SYSTEM32\winpdc32.dll O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe
Z góry dzięki za pomoc!
Bieniol
(Bbieniol)
20 Czerwiec 2006 21:23
#2
Start --> uruchom --> services.msc --> zatrzymaj i wyłącz usługe Windows TCP/IP Socket Driver
Otwórz hijackthis --> open misc tools section --> delete a NT service --> wpisz winsck i ok
W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku (w razie problemów z usuwaniem plików użyj narzędzia KillBox ):
R3 - URLSearchHook: (no name) - {D693388B-814C-879C-69A7-F55D30C0459C} - C:\WINDOWS\System32\fdzf.dll F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winsock\csrss.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\winsock\csrss.exe O4 - HKLM…\Run: [3f79abee.exe] C:\WINDOWS\System32\3f79abee.exe O4 - HKLM…\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe --> nie pomyl z plikiem winlogon.exe :!: O4 - HKLM…\Run: [Microsoft ® Windows TCP/IP Socket Driver] C:\WINDOWS\winsock\csrss.exe O4 - HKLM…\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe O4 - HKCU…\Run: [3f79abee.exe] C:\Documents and Settings\Lechoo_HSF\Ustawienia lokalne\Dane aplikacji\3f79abee.exe O4 - HKCU…\Run: [Aaod] “C:\WINDOWS\SSEMBL~1\winlogon.exe” -vt yax O4 - HKCU…\Run: [Nuyvtegr] C:\WINDOWS\YMANTE~1\XPLORE~1.EXE O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.trasferimento.biz/l/a892ed0 … d54_35.exe O20 - AppInit_DLLs: C:\WINDOWS\System32\notepad.dll O20 - Winlogon Notify: winpdc32 - C:\WINDOWS\SYSTEM32\winpdc32.dll O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe
Ten wpis z kreseczką “_” usuniesz edytorem rejestru Registrar Lite
Uruchom edytor w pole Address wklej ścieżke
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks i kliknij Go poczym zostaniesz przeniesiony do tego klucza. Po prawej stronie będzie widoczny wpis _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} wszystkie inne wpisy z taką samą kreseczką także kasujesz i z prawokliku kasujesz wpisy.
Po zabiegach nowy log z Hijacka + log z Silent Runners
A wiec tak…Komp odpala sie juz dobrze, reklam jakos nie widac, dzięki:) Tylko kilku plikow nie znalazlem na dysku…wiec ich nie usunąłem. Oto nowe logi:
Logfile of HijackThis v1.99.1 Scan saved at 23:52:33, on 2006-06-20 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Winamp\winampa.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\SSEMBL~1\winlogon.exe C:\WINDOWS\YMANTE~1\XPLORE~1.EXE C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\Lechoo_HSF\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {D693388B-814C-879C-69A7-F55D30C0459C} - C:\WINDOWS\System32\fdzf.dll (file missing) R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 “EPSON Stylus CX3600 Series” /O6 “USB001” /M “Stylus CX3600” O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM…\Run: [3f79abee.exe] C:\WINDOWS\System32\3f79abee.exe O4 - HKLM…\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe O4 - HKLM…\Run: [Microsoft ® Windows TCP/IP Socket Driver] C:\WINDOWS\winsock\csrss.exe O4 - HKLM…\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [3f79abee.exe] C:\Documents and Settings\Lechoo_HSF\Ustawienia lokalne\Dane aplikacji\3f79abee.exe O4 - HKCU…\Run: [Aaod] “C:\WINDOWS\SSEMBL~1\winlogon.exe” -vt yax O4 - HKCU…\Run: [Nuyvtegr] C:\WINDOWS\YMANTE~1\XPLORE~1.EXE O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FLASHGET\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FLASHGET\jc_link.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleAc … refid=1123 O20 - AppInit_DLLs: C:\WINDOWS\System32\notepad.dll O20 - Winlogon Notify: winpdc32 - C:\WINDOWS\SYSTEM32\winpdc32.dll O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing)
“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “3f79abee.exe” = “C:\Documents and Settings\Lechoo_HSF\Ustawienia lokalne\Dane aplikacji\3f79abee.exe” [file not found] “Aaod” = ““C:\WINDOWS\SSEMBL~1\winlogon.exe” -vt yax” [** WMI GetObject error **] “Nuyvtegr” = “C:\WINDOWS\YMANTE~1\XPLORE~1.EXE” [** WMI GetObject error **] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} “wininet.dll” = “regperf.exe” [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” [MS] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data] “EPSON Stylus CX3600 Series” = “C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 “EPSON Stylus CX3600 Series” /O6 “USB001” /M “Stylus CX3600"” [“SEIKO EPSON CORPORATION”] “NeroCheck” = “C:\WINDOWS\System32\NeroCheck.exe” [“Ahead Software Gmbh”] “3f79abee.exe” = “C:\WINDOWS\System32\3f79abee.exe” [file not found] “Windows Logon Application” = “C:\WINDOWS\System32\winIogon.exe” [file not found] “Microsoft ® Windows TCP/IP Socket Driver” = “C:\WINDOWS\winsock\csrss.exe” [file not found] “Windows Explorer” = “C:\WINDOWS\System32\explorer.exe” [file not found] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided) \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING! “AppInit_DLLs” = " C:\WINDOWS\System32\notepad.dll” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! winpdc32\DLLName = “winpdc32.dll” [null data] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Lechoo_HSF\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Lechoo_HSF” & “All Users” startup folders: ------------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = “&Google” [from CLSID] -> {CLSID}\InProcServer32(Default) = “c:\program files\google\googletoolbar2.dll” [“Google Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet Bar” -> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\FLASHGET\fgiebar.dll” [“Amaze Soft”] “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = “&Google” [from CLSID] -> {CLSID}\InProcServer32(Default) = “c:\program files\google\googletoolbar2.dll” [“Google Inc.”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “C:\PROGRA~1\FLASHGET\flashget.exe” [“Amaze Soft”] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ Missing lines (compared with English-language version): “{D693388B-814C-879C-69A7-F55D30C0459C}” = (no title provided) -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\fdzf.dll” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Kerio Personal Firewall 4, KPF4, “C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe” [“Kerio Technologies”] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ EPSON Stylus CX3600 Series 2KMonitor5E\Driver = “E_FLM9BE.DLL” [“SEIKO EPSON CORPORATION”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 34 seconds, including 2 seconds for message boxes)
Bieniol
(Bbieniol)
20 Czerwiec 2006 22:01
#4
Otwórz notatnik i wklej w nim to:
Plik --> zapisz jako --> zmień rozszerzenie na wszystkie pliki --> zapisz pod nazwą FIX.REG
Uruchamiasz narzędzie KillBox , zaznaczasz Delete on reboot i All Files , w polu full path of file wklej ścieżkę:
C:\WINDOWS\SSEMBL~1\winlogon.exe
C:\WINDOWS\YMANTE~1\XPLORE~1.EXE
C:\WINDOWS\System32\regperf.exe
C:\WINDOWS\System32\winpdc32.dll
Klikasz X i restart kompa
Wyłączasz przywracanie systemu:
Włączasz tryb awaryjny:
Odpalasz Hijacka --> do a system scan only i zaznaczasz wpisy:
I klikasz na dole “fix checked”
W trybie awaryjnym odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa
Ten wpis z kreseczką “_” usuniesz edytorem rejestru Registrar Lite
Uruchom edytor w pole Address wklej ścieżke
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks i kliknij Go poczym zostaniesz przeniesiony do tego klucza. Po prawej stronie będzie widoczny wpis _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} wszystkie inne wpisy z taką samą kreseczką także kasujesz i z prawokliku kasujesz wpisy.
Użyj narzędzia --> SmitFraudFix
Po zabiegach nowe logi
Zrobilem wszystko według przepisu. Oto nowe logi:
Logfile of HijackThis v1.99.1 Scan saved at 15:12:36, on 2006-06-21 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Winamp\winampa.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\SSEMBL~1\winlogon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Lechoo_HSF\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {D693388B-814C-879C-69A7-F55D30C0459C} - C:\WINDOWS\System32\fdzf.dll (file missing) R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 “EPSON Stylus CX3600 Series” /O6 “USB001” /M “Stylus CX3600” O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [3f79abee.exe] C:\Documents and Settings\Lechoo_HSF\Ustawienia lokalne\Dane aplikacji\3f79abee.exe O4 - HKCU…\Run: [Aaod] “C:\WINDOWS\SSEMBL~1\winlogon.exe” -vt ndrv O4 - HKCU…\Run: [Nuyvtegr] C:\WINDOWS\YMANTE~1\XPLORE~1.EXE O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FLASHGET\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FLASHGET\jc_link.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleAc … refid=1123 O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe (file missing)
“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “3f79abee.exe” = “C:\Documents and Settings\Lechoo_HSF\Ustawienia lokalne\Dane aplikacji\3f79abee.exe” [file not found] “Aaod” = ““C:\WINDOWS\SSEMBL~1\winlogon.exe” -vt ndrv” [** WMI GetObject error **] “Nuyvtegr” = “C:\WINDOWS\YMANTE~1\XPLORE~1.EXE” [file not found] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” [MS] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data] “EPSON Stylus CX3600 Series” = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 “EPSON Stylus CX3600 Series” /O6 “USB001” /M “Stylus CX3600"” [“SEIKO EPSON CORPORATION”] “NeroCheck” = “C:\WINDOWS\System32\NeroCheck.exe” [“Ahead Software Gmbh”]
Gutek
(Gutek)
21 Czerwiec 2006 13:32
#6
noi i co dalej…
usuwanie syfu:
Wyłączyć Przywracanie systemu w XP TU
Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).
Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte.
Skasować z dysku plik i foldery, które podkreśliłem na czerwono
Dokończyć skanerami online - Skanery do wyboru
Pokazać nowy log z HJT i Silenta
Zastosuj się do rady Bieniol