shesmiles
(Telepopmusik)
17 March 2007 11:55
#1
OK. I don't know if anything can still be done about this, but let's try.
-Explorer does not start automatically after logging on to the account; it has to be done by hand, i.e. go into Task Manager, 'end' the explorer.exe process and use 'New Task' to start Explorer.exe, and then it runs normally
-the computer and the Firefox browser have slowed down
-every so often shortcuts to Firefox with a name like http://www.93xxx.com appear on the desktop out of nowhere
-every so often an hourglass appears next to the cursor when I am not working on the desktop, while the cursor otherwise stays normal (sometimes, especially after turning the system on)
-in Safe Mode I deleted files like ffduff.exe or something similar, but they are still alive and start with the system
Logfile of HijackThis v1.99.1 Scan saved at 12:45:16, on 2007-03-17 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\wuaucll.exe C:\WINDOWS\system32\cdsdf.exe C:\WINDOWS\system32\driver.exe C:\WINDOWS\system\REM0REG.EXE C:\WINDOWS\System32\locator.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\Svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\ffudf.exe C:\WINDOWS\system32\cdsdf.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\SYSTEM32\RUNDLL2000.EXE C:\WINDOWS\System32\WScript.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\WINDOWS\System32\WScript.exe C:\WINDOWS\system32\drivers\ttp.exe C:\WINDOWS\system32\11741316947.exe C:\WINDOWS\system32\11741317399.exe C:\WINDOWS\System32\WScript.exe C:\WINDOWS\System32\WScript.exe C:\WINDOWS\system32\wbem\lsass.exe C:\Documents and Settings\Magda\Pulpit\HijackThis.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\117413188413.exe d:\mplay.com C:\WINDOWS\system32\izottc47\izottc47.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ent.sina.union123.com/indexx.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ent.sina.union123.com/indexx.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet 
Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file) R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll R3 - URLSearchHook: de3a - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4615ntos.dll (file missing) F2 - REG:system.ini: Shell=Explorer.exe wuaucll.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070314.dll start O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: CAdLogic Object - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush.dll O2 - BHO: (no name) - {157cd9a8-eb22-4c85-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4c85cfsb.dll (file missing) O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: MyFavor Web - {5537AA9F-7FE5-40E1-AEC7-D3B7E01FCA73} - C:\WINDOWS\system32\MyFavor64.dll O2 - BHO: Yahoo! 
IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: (no name) - {66AD5926-0A97-4F40-8FCA-46146680AE70} - C:\WINDOWS\system32\xfmdxbzfcmf.dll (file missing) O2 - BHO: ʵÓĂËŃË÷ - {6CFD436C-7AAD-4e50-992F-C0C87A94CAD2} - C:\Program Files\superutilbar\superutilbar.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file) O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - (no file) O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - (no file) O2 - BHO: (no name) - {A4B313AC-16DC-52D1-A4D7-1D4F7B1A9C4E} - C:\WINDOWS\system32\mshtmll.dll O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Tools\FlashGet\jccatch.dll O2 - BHO: (no name) - {befaf5bc-de3a-4615-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4615ntos.dll (file missing) O2 - BHO: EyeOnIE - {C14393E1-95FF-4DFF-9BE0-EA008D4EF930} - C:\WINDOWS\system32\atsldr.dll O2 - BHO: (no name) - {E03A0A31-CB82-9227-A7D9-C3DEB4B208CC} - C:\WINDOWS\system32\brsfo.dll O2 - BHO: cnwin Class - {EC497BD8-460F-44F0-B2A4-8C2B2198035B} - (no file) O2 - BHO: TBSB03263 Class - {EEC7E620-B32A-4E3B-B200-291660803474} - C:\PROGRA~1\365_EQ~1\eqiso.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Tools\FlashGet\fgiebar.dll O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file) O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - (no file) O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file) O3 - Toolbar: ʵÓĂËŃË÷ą¤ľßĚő2.0 - {03465FF5-00AE-411a-9C34-960ED566EC03} - C:\Program 
Files\superutilbar\superutilbar.dll O3 - Toolbar: de3a - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4615ntos.dll (file missing) O3 - Toolbar: ??? - {33E640D8-EB95-4B22-B475-1852B7D35993} - C:\Program Files\365_EQISOSO\eqiso.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM…\Run: [wsvbs] C:\WINDOWS\wsvbs.exe O4 - HKLM…\Run: [mppds] C:\WINDOWS\mppds.exe O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [system] C:\Program Files\Common Files\System\Updaterun.exe O4 - HKLM…\Run: [kernel32] C:\WINDOWS\Kernel32.exe O4 - HKLM…\Run: [C] C:\WINDOWS\system32\drivers\ttp.exe O4 - HKLM…\Run: [rkcutd65] %systemroot%\system32\Rundll32.exe “%systemroot%\system32\rkcutd65.dll”,Start O4 - HKLM…\Run: [fxxxwh43] %systemroot%\system32\Rundll32.exe “%systemroot%\system32\fxxxwh43.dll”,Start O4 - HKLM…\RunOnce: [vdtpjb84] %systemroot%\system32\Rundll32.exe %systemroot%\system32\vdtpjb84.dll,DllUnregisterServer O4 - HKLM…\RunOnce: [odxlgi70] %systemroot%\system32\Rundll32.exe %systemroot%\system32\odxlgi70.dll,DllUnregisterServer O4 - HKLM…\RunOnce: [lmlhfj43] %systemroot%\system32\Rundll32.exe %systemroot%\system32\lmlhfj43.dll,DllUnregisterServer O4 - HKLM…\RunOnce: [epobxh00] %systemroot%\system32\Rundll32.exe %systemroot%\system32\epobxh00.dll,DllUnregisterServer O4 - HKLM…\RunOnce: [vjgbigr] %systemroot%\system32\rundll32.exe %systemroot%\system32\vjgbigr.dll,Run O4 - HKLM…\RunOnce: [ptht_b] %systemroot%\system32\rundll32.exe %systemroot%\system32\ptht_b.dll,Run O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [mshtmll] regsvr32 /s 
C:\WINDOWS\system32\mshtmll.dll O4 - HKCU…\Run: [mssys32] C:\WINDOWS\system32\mssys32.exe O4 - HKCU…\Run: [Odkurzacz-MCD] i:\Progs\Odkurzacz\odk_mcd.exe O4 - HKCU…\Run: [Tans] “C:\PROGRA~1\YMANTE~1\iexplore.exe” -vt yazb O4 - HKCU…\Run: [Kng] “C:\Program Files\Common Files??stem32\n?lookup.exe” 99001162 O4 - HKCU…\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet O4 - Startup: RegVac.lnk = I:\progs\RegVac Registry Cleaner\regvac.exe O4 - Global Startup: ruango.lnk = ? O4 - Global Startup: WanSo.lnk = ? O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Download All by FlashGet - C:\Tools\FlashGet\jc_all.htm O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: Download using FlashGet - C:\Tools\FlashGet\jc_link.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! 
&SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Tools\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Tools\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU) O9 - Extra button: ˛Ć¸»Í¨ - {C1F0024B-8278-4999-B7E6-2718426D9FE6} - C:\Program Files\˛Ć¸»Í¨\caif.dll (HKCU) O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing) O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptig.dll O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O20 - Winlogon Notify: winrcq32 - C:\WINDOWS\SYSTEM32\winrcq32.dll O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll O23 - Service: E65F3159 - 
Unknown owner - (no file) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: REM0TE REGISTRY (REM0TEREGISTRY) - Unknown owner - C:\WINDOWS\system\REM0REG.EXE O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: Windows_ServerDdos - Unknown owner - C:\WINDOWS\system32\ddos.exe
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “mshtmll” = “regsvr32 /s C:\WINDOWS\system32\mshtmll.dll” [MS] “mssys32” = “C:\WINDOWS\system32\mssys32.exe” [MS] “Odkurzacz-MCD” = “i:\Progs\Odkurzacz\odk_mcd.exe” [“Franmo Software”] “odk_mcd” = “(empty string)” [file not found] “Tans” = ““C:\PROGRA~1\YMANTE~1\iexplore.exe” -vt yazb” [null data] “Kng” = ““C:\Program Files\Common Files**stem32\n*lookup.exe” 99001162” (unwritable string) [null data] “Yahoo! Pager” = ““C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet” [“Yahoo! Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “DAEMON Tools” = ““C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033” [“DT Soft Ltd.”] “NeroCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “MSConfig” = “C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto” [MS] “wsvbs” = “C:\WINDOWS\wsvbs.exe” [null data] “mppds” = “C:\WINDOWS\mppds.exe” [null data] “TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”] “System” = “C:\Program Files\Common Files\System\Updaterun.exe” [null data] “kernel32” = “C:\WINDOWS\Kernel32.exe” [null data] “C:\WINDOWS\system32\drivers\ttp.exe” = “C:\WINDOWS\system32\drivers\ttp.exe” [null data] “rkcutd65” = “C:\WINDOWS\system32\Rundll32.exe “C:\WINDOWS\system32\rkcutd65.dll”,Start” “fxxxwh43” = “C:\WINDOWS\system32\Rundll32.exe “C:\WINDOWS\system32\fxxxwh43.dll”,Start” HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “vdtpjb84” = “C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\vdtpjb84.dll,DllUnregisterServer” “odxlgi70” = “C:\WINDOWS\system32\Rundll32.exe 
C:\WINDOWS\system32\odxlgi70.dll,DllUnregisterServer” “lmlhfj43” = “C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\lmlhfj43.dll,DllUnregisterServer” “epobxh00” = “C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\epobxh00.dll,DllUnregisterServer” “vjgbigr” = “C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vjgbigr.dll,Run” “ptht_b” = “C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ptht_b.dll,Run” HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll” [“Yahoo! Inc.”] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {11F09AFD-75AD-4E51-AB43-E09E9351CE16}(Default) = (no title provided) -> {HKLM…CLSID} = “CAdLogic Object” \InProcServer32(Default) = “C:\Program Files\Common Files\CPUSH\cpush.dll” [null data] {157cd9a8-eb22-4c85-8b0d-4e03f37a8dbf}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\4c85cfsb.dll” [file not found] {385AB8C6-FB22-4D17-8834-064E2BA0A6F0}(Default) = (no title provided) -> {HKLM…CLSID} = “Info cache” \InProcServer32(Default) = “C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll” ["***(**)******" (unwritable string)] {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}(Default) = (no title provided) -> {HKLM…CLSID} = “BitComet Helper” \InProcServer32(Default) = “C:\Program Files\BitComet\tools\BitCometBHO.dll” [null data] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] 
{5537AA9F-7FE5-40E1-AEC7-D3B7E01FCA73}(Default) = “MyFavor Web” -> {HKLM…CLSID} = “WinMyFavor Class” \InProcServer32(Default) = “C:\WINDOWS\system32\MyFavor.dll” [null data] {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}(Default) = (no title provided) -> {HKLM…CLSID} = “Yahoo! IE Services Button” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Common\yiesrvc.dll” [“Yahoo! Inc.”] {66AD5926-0A97-4F40-8FCA-46146680AE70}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\xfmdxbzfcmf.dll” [file not found] {6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}(Default) = (no title provided) -> {HKLM…CLSID} = “ʵÓĂËŃË÷” \InProcServer32(Default) = “C:\Program Files\superutilbar\superutilbar.dll” [“www.shiyongsousuo.com ”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] {A4B313AC-16DC-52D1-A4D7-1D4F7B1A9C4E}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\mshtmll.dll” [null data] {A5366673-E8CA-11D3-9CD9-0090271D075B}(Default) = (no title provided) -> {HKLM…CLSID} = “IeCatch2 Class” \InProcServer32(Default) = “C:\Tools\FlashGet\jccatch.dll” [“Amaze Soft”] {befaf5bc-de3a-4615-ae2b-1b294ae19f4f}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\4615ntos.dll” [file not found] {C14393E1-95FF-4DFF-9BE0-EA008D4EF930}(Default) = (no title provided) -> {HKLM…CLSID} = “EyeOnIE” \InProcServer32(Default) = “C:\WINDOWS\system32\atsldr.dll” [empty string] {E03A0A31-CB82-9227-A7D9-C3DEB4B208CC}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\brsfo.dll” [null data] {EEC7E620-B32A-4E3B-B200-291660803474}(Default) = (no title provided) -> {HKLM…CLSID} = “TBSB03263 Class” 
\InProcServer32(Default) = “C:\PROGRA~1\365_EQ~1\eqiso.dll” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{0A082D00-EC93-11D0-B1E6-80580BC10627}” = “Corel Media Folder Root Menu Handler” -> {HKLM…CLSID} = “Corel Media Folder Root Menu Handler” \InProcServer32(Default) = “C:\Utils\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}” = “Folder To Corel Media Folder Menu Handler” -> {HKLM…CLSID} = “Folder To Corel Media Folder Menu Handler” \InProcServer32(Default) = “C:\Utils\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{854AF161-1AE1-11D1-AB9B-00C0F00683EB}” = “Corel Media Folder” -> {HKLM…CLSID} = “Corel Media Folder” \InProcServer32(Default) = “C:\Utils\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{E856F161-1AE5-11d1-AB9B-00C0F00683EB}” = “Corel Media Folder” -> {HKLM…CLSID} = “Corel Media Folder” \InProcServer32(Default) = “C:\Utils\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{CDB89701-262F-11D1-AB9C-00C0F00683EB}” = “Corel Media Find Folder” -> {HKLM…CLSID} = “Corel Media Find Folder” \InProcServer32(Default) = “C:\Utils\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{F8152501-455F-11D1-B1E6-444553540000}” = “Corel Media Folder Copy Hook Handler” -> {HKLM…CLSID} = “Corel Media Folder Copy Hook Handler” \InProcServer32(Default) = 
“C:\Utils\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{8E524B0D-04F0-11D1-B74A-00A0C90646A4}” = “IconFactTemp.NSIconHandlerFactory” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Utils\Corel\Graphics8\programs\CNSFlt80.dll” [“Corel Corporation”] “{A2AC368A-F883-11D0-B745-00A0C90646A4}” = “NSFiltManDll.FiltManCom” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Utils\Corel\Graphics8\programs\CNSFlt80.dll” [“Corel Corporation”] “{B63FCD5A-2396-11D1-B762-00A0C90646A4}” = “*n” (unwritable string) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Utils\Corel\Graphics8\programs\CMFFnd80.dll” [“Corel Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}” = “My Logitech Pictures” -> {HKLM…CLSID} = “My Logitech Pictures” \InProcServer32(Default) = “C:\Program Files\Logitech\Video\Namespc2.dll” [“Logitech Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{B28C18DB-6816-4F31-9630-397683E3C2C3}” = “Filzip Shell Extension” -> {HKLM…CLSID} = “Filzip Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\Filzip\fzshext.dll” [empty string] “{DBD8E168-244D-448C-9922-25508950D1DC}” = “Ulead UDF Driver” -> {HKLM…CLSID} = “USIShellExt Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll” [“Ulead Systems, Inc.”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] “{4ADF8C01-0AC7-4403-888C-012E6EA2F67E}” = “Sims2Pack Clean Installer Shell Extension” -> 
{HKLM…CLSID} = “S2PCISE.S2PCISE” \InProcServer32(Default) = “mscoree.dll” [MS] “{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes” -> {HKLM…CLSID} = “iTunes” \InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Computer, Inc.”] “{85E0B171-04FA-11D1-B7DA-00A0C90348D6}” = “Web Anti-Virus” -> {HKLM…CLSID} = “Web Anti-Virus” \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll” [“Kaspersky Lab”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{A6011F8F-A7F8-49AA-9ADA-49127D43138F}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk” [null data] <> “{DD7D4640-4464-48C0-82FD-21338366D2D2}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Internet Explorer\InfoMs.tdm” [null data] <> “{754FB7D8-B8FE-4810-B363-A788CD060F1F}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys” [null data] <> “{99F1D023-7CEB-4586-80F7-BB1A98DB7602}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Internet Explorer\IEXPLORE.Sys” [null data] <> “{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Internet Explorer\IEXPLORE.win” [null data] <> “{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Internet Explorer\IEXPLORE.Dat” [null data] <> “{4DEC9B29-F08F-4cbc-B179-592B9283FAC9}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “c:\program files\bckpmath.dll” [null data] <> “{4ED6E0B5-F47A-4609-A940-11CF60FDC3C3}” = “NetCache” -> {HKLM…CLSID} = “NetCache” 
\InProcServer32(Default) = “C:\WINDOWS\system32\trtbc.dll” [empty string] <> “{4DEC9B29-F08F-4cbc-B179-592B9283FAB1}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “c:\program files\ifhiawxc.dll” [null data] <> “{4DEC9B29-F08F-4cbc-B179-592B9283FAB0}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “c:\program files\pzuvydap.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “webwork” = “{4C611512-2C1D-44b2-A044-872AD2AD5A61}” -> {HKLM…CLSID} = “Windows Webwork Theme” \InProcServer32(Default) = “C:\WINDOWS\webwork\webwork.dll” [null data] HKLM\Software\Microsoft\Command Processor\ <> “AutoRun” = “d:\mplay.com ” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ <> “Shell” = “Explorer.exe wuaucll.exe” [MS], [null data] <> “Userinit” = “C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070308.dll start” [MS], [MS], [file not found], [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> cryptimg\DLLName = “cryptig.dll” [MS] <> klogon\DLLName = “C:\WINDOWS\system32\klogon.dll” [“Kaspersky Lab”] <> winrcq32\DLLName = “winrcq32.dll” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Filzip(Default) = “{B28C18DB-6816-4F31-9630-397683E3C2C3}” -> {HKLM…CLSID} = “Filzip Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\Filzip\fzshext.dll” [empty string] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll” [“Kaspersky Lab”] 
VersionsMenu(Default) = “{03170921-4754-11cf-AB9A-00C0F00683EB}” -> {HKLM…CLSID} = “Corel Versions” \InProcServer32(Default) = “C:\COREL\Versions\CVersion.dll” [“Corel Corporation Limited”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ FolderToCorelMediaFolder(Default) = “{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}” -> {HKLM…CLSID} = “Folder To Corel Media Folder Menu Handler” \InProcServer32(Default) = “C:\Utils\Corel\Graphics8\programs\CMFFld80.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Filzip(Default) = “{B28C18DB-6816-4F31-9630-397683E3C2C3}” -> {HKLM…CLSID} = “Filzip Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\Filzip\fzshext.dll” [empty string] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll” [“Kaspersky Lab”] S2PCI(Default) = “{4ADF8C01-0AC7-4403-888C-012E6EA2F67E}” -> {HKLM…CLSID} = “S2PCISE.S2PCISE” \InProcServer32(Default) = “mscoree.dll” [MS] VersionsMenu(Default) = “{03170921-4754-11cf-AB9A-00C0F00683EB}” -> {HKLM…CLSID} = “Corel Versions” \InProcServer32(Default) = “C:\COREL\Versions\CVersion.dll” [“Corel Corporation Limited”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Default executables: -------------------- <> HKLM\Software\Classes\exefile\shell\open\command(Default) = “wuaucll.exe “%1” %*” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: 
detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Firefox Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Magda\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssflwbox.scr" [MS]


Startup items in "Magda" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Magda\Menu Start\Programy\Autostart
"RegVac" -> shortcut to: "I:\progs\RegVac Registry Cleaner\regvac.exe bootup" [null data]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"ruango" -> shortcut to: "C:\WINDOWS\system32\MSRundll.exe C:\PROGRA~1\COMMON~1\Ruango\Player.dll,Always" [MS]
"WanSo" -> shortcut to: "C:\WINDOWS\system32\RunDll32.exe C:\PROGRA~1\COMMON~1\WANSO\Player.dll,Always" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"
  -> {HKLM...CLSID} = "FlashGet Bar"
     \InProcServer32\(Default) = "C:\Tools\FlashGet\fgiebar.dll" ["Amaze Soft"]
"{03465FF5-00AE-411A-9C34-960ED566EC03}" = "ʵÓĂËŃË÷ą¤ľßĚő2.0"
  -> {HKLM...CLSID} = "ʵÓĂËŃË÷ą¤ľßĚő2.0"
     \InProcServer32\(Default) = "C:\Program Files\superutilbar\superutilbar.dll" ["www.shiyongsousuo.com "]
"{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}" = (no title provided)
  -> {HKLM...CLSID} = "de3a"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\4615ntos.dll" [file not found]
"{33E640D8-EB95-4B22-B475-1852B7D35993}" = (no title provided)
  -> {HKLM...CLSID} = "???"
     \InProcServer32\(Default) = "C:\Program Files\365_EQISOSO\eqiso.dll" [empty string]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{197A85BC-BD97-4404-A702-95E556E4DAEB}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Kwso"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\WANSO\SoBar.dll" [" "]
{841B2B65-118D-4FF2-AD63-4CFF44B8B68F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "de3a"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\4615ntos.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{197A85BC-BD97-4404-A702-95E556E4DAEB}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Kwso"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\WANSO\SoBar.dll" [" "]
adam9870
(adam9870)
17 March 2007 13:03
#2
Full of junk, including Chinese stuff.
Use Windows Worms Doors Cleaner and switch the marks from disable to enable (all the marks should be green; if any of them is yellow, leave it). A restart is required after using the tool.
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.BAT
Download Gmer.
You will now be working in Gmer, so launch it, wait a moment, and click the >>> tab to open the remaining ones.
In the Processes tab choose Gmer safe mode. The computer will restart and only the Gmer window will remain.
In the Services tab, right-click and delete the services E65F3159, REM0TEREGISTRY and Windows_ServerDdos.
In the Processes tab, use … (the three dots) to point to the FIX.BAT file. The screen will flicker for a moment. Don't worry about any errors.
In the Processes tab, use … (the three dots) to launch HijackThis and remove these entries in it:
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: de3a - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4615ntos.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe wuaucll.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070314.dll start
O2 - BHO: CAdLogic Object - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush.dll
O2 - BHO: (no name) - {157cd9a8-eb22-4c85-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\4c85cfsb.dll (file missing)
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O2 - BHO: MyFavor Web - {5537AA9F-7FE5-40E1-AEC7-D3B7E01FCA73} - C:\WINDOWS\system32\MyFavor64.dll
O2 - BHO: (no name) - {66AD5926-0A97-4F40-8FCA-46146680AE70} - C:\WINDOWS\system32\xfmdxbzfcmf.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - (no file)
O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - (no file)
O2 - BHO: (no name) - {A4B313AC-16DC-52D1-A4D7-1D4F7B1A9C4E} - C:\WINDOWS\system32\mshtmll.dll
O2 - BHO: (no name) - {befaf5bc-de3a-4615-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4615ntos.dll (file missing)
O2 - BHO: EyeOnIE - {C14393E1-95FF-4DFF-9BE0-EA008D4EF930} - C:\WINDOWS\system32\atsldr.dll
O2 - BHO: (no name) - {E03A0A31-CB82-9227-A7D9-C3DEB4B208CC} - C:\WINDOWS\system32\brsfo.dll
O2 - BHO: cnwin Class - {EC497BD8-460F-44F0-B2A4-8C2B2198035B} - (no file)
O2 - BHO: TBSB03263 Class - {EEC7E620-B32A-4E3B-B200-291660803474} - C:\PROGRA~1\365_EQ~1\eqiso.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - (no file)
O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - (no file)
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: ʵÓĂËŃË÷ą¤ľßĚő2.0 - {03465FF5-00AE-411a-9C34-960ED566EC03} - C:\Program Files\superutilbar\superutilbar.dll
O3 - Toolbar: de3a - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4615ntos.dll (file missing)
O3 - Toolbar: Pytajnik? - {33E640D8-EB95-4B22-B475-1852B7D35993} - C:\Program Files\365_EQISOSO\eqiso.dll
O4 - HKLM\..\Run: [wsvbs] C:\WINDOWS\wsvbs.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [system] C:\Program Files\Common Files\System\Updaterun.exe
O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\Kernel32.exe
O4 - HKLM\..\Run: [C] C:\WINDOWS\system32\drivers\ttp.exe
O4 - HKLM\..\Run: [rkcutd65] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\rkcutd65.dll",Start
O4 - HKLM\..\Run: [fxxxwh43] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\fxxxwh43.dll",Start
O4 - HKLM\..\RunOnce: [vdtpjb84] %systemroot%\system32\Rundll32.exe %systemroot%\system32\vdtpjb84.dll,DllUnregisterServer
O4 - HKLM\..\RunOnce: [odxlgi70] %systemroot%\system32\Rundll32.exe %systemroot%\system32\odxlgi70.dll,DllUnregisterServer
O4 - HKLM\..\RunOnce: [lmlhfj43] %systemroot%\system32\Rundll32.exe %systemroot%\system32\lmlhfj43.dll,DllUnregisterServer
O4 - HKLM\..\RunOnce: [epobxh00] %systemroot%\system32\Rundll32.exe %systemroot%\system32\epobxh00.dll,DllUnregisterServer
O4 - HKLM\..\RunOnce: [vjgbigr] %systemroot%\system32\rundll32.exe %systemroot%\system32\vjgbigr.dll,Run
O4 - HKLM\..\RunOnce: [ptht_b] %systemroot%\system32\rundll32.exe %systemroot%\system32\ptht_b.dll,Run
O4 - HKCU\..\Run: [mshtmll] regsvr32 /s C:\WINDOWS\system32\mshtmll.dll
O4 - HKCU\..\Run: [mssys32] C:\WINDOWS\system32\mssys32.exe
O9 - Extra button: ˛Ć¸»Í¨ - {C1F0024B-8278-4999-B7E6-2718426D9FE6} - C:\Program Files\˛Ć¸»Í¨\caif.dll (HKCU)
O20 - Winlogon Notify: cryptimg - C:\WINDOWS\SYSTEM32\cryptig.dll
O20 - Winlogon Notify: winrcq32 - C:\WINDOWS\SYSTEM32\winrcq32.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O23 - Service: E65F3159 - Unknown owner - (no file)
O23 - Service: REM0TE REGISTRY (REM0TEREGISTRY) - Unknown owner - C:\WINDOWS\system\REM0REG.EXE
O23 - Service: Windows_ServerDdos - Unknown owner - C:\WINDOWS\system32\ddos.exe
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mshtmll"=-
"mssys32"=-
"Tans"=-
"Kng"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"wsvbs"=-
"mppds"=-
"System"=-
"kernel32"=-
"C:\WINDOWS\system32\drivers\ttp.exe"=-
"rkcutd65"=-
"fxxxwh43"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"vdtpjb84"=-
"odxlgi70"=-
"lmlhfj43"=-
"epobxh00"=-
"vjgbigr"=-
"ptht_b"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{157cd9a8-eb22-4c85-8b0d-4e03f37a8dbf}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5537AA9F-7FE5-40E1-AEC7-D3B7E01FCA73}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66AD5926-0A97-4F40-8FCA-46146680AE70}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CFD436C-7AAD-4e50-992F-C0C87A94CAD2}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4B313AC-16DC-52D1-A4D7-1D4F7B1A9C4E}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{befaf5bc-de3a-4615-ae2b-1b294ae19f4f}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C14393E1-95FF-4DFF-9BE0-EA008D4EF930}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E03A0A31-CB82-9227-A7D9-C3DEB4B208CC}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEC7E620-B32A-4E3B-B200-291660803474}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{4C611512-2C1D-44b2-A044-872AD2AD5A61}"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A6011F8F-A7F8-49AA-9ADA-49127D43138F}"=-
"{DD7D4640-4464-48C0-82FD-21338366D2D2}"=-
"{754FB7D8-B8FE-4810-B363-A788CD060F1F}"=-
"{99F1D023-7CEB-4586-80F7-BB1A98DB7602}"=-
"{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}"=-
"{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}"=-
"{4DEC9B29-F08F-4cbc-B179-592B9283FAC9}"=-
"{4ED6E0B5-F47A-4609-A940-11CF60FDC3C3}"=-
"{4DEC9B29-F08F-4cbc-B179-592B9283FAB1}"=-
"{4DEC9B29-F08F-4cbc-B179-592B9283FAB0}"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
"AutoRun"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptimg]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winrcq32]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{03465FF5-00AE-411A-9C34-960ED566EC03}"=-
"{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}"=-
"{33E640D8-EB95-4B22-B475-1852B7D35993}"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{197A85BC-BD97-4404-A702-95E556E4DAEB}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{841B2B65-118D-4FF2-AD63-4CFF44B8B68F}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{197A85BC-BD97-4404-A702-95E556E4DAEB}]
Have a look at Repairing damaged extensions.
Once done, paste a new Silent Runners log, a ComboFix log and two Gmer logs made with these settings:
Rootkit tab >>> everything checked except Show all >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into the post
Rootkit tab >>> only Services and Show all checked >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into the post
If all the logs won't fit directly into the post, upload them to some hosting service as *.txt files and just link them here.
http://forum.dobreprogramy.pl/viewtopic.php?t=96929
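The F2, O2 and O4 entries listed above are the kind of thing the FIX.BAT/.reg fix targets. As an added example (not from the thread, HijackThis or Gmer), the Python script below parses HijackThis-style log lines, flags Winlogon Shell/UserInit values that carry anything beyond the XP defaults (the mechanism behind "Explorer doesn't start after logon"), lists entries whose target file is already gone, and emits the matching .reg stanza that deletes the Run/RunOnce values and restores the Winlogon defaults. The sample log lines are constructed from entries quoted in the thread; the regexes and function names are my own.

```python
import re
# Constructed sample modelled on HijackThis lines quoted in this thread (not a real capture).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe wuaucll.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_070314.dll start
O2 - BHO: (no name) - {befaf5bc-de3a-4615-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4615ntos.dll (file missing)
O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\Kernel32.exe
O4 - HKCU\..\Run: [mssys32] C:\WINDOWS\system32\mssys32.exe
"""
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] .*$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

def parse_entries(text):
    """Split a HijackThis log into (type, body) pairs; lines that are not entries are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("type"), m.group("body")) for m in matches if m]

def winlogon_findings(entries):
    """Flag F2 Shell/UserInit values carrying more than the XP defaults (an appended loader)."""
    findings = []
    for _, body in (e for e in entries if e[0] == "F2"):
        name, value = body.split(": ", 1)[1].split("=", 1)
        if name == "Shell" and value.strip().lower() != "explorer.exe":
            findings.append((name, value))
        elif name == "UserInit":  # default is one userinit.exe path followed by a comma
            parts = [p.strip() for p in value.split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe"):
                findings.append((name, value))
    return findings

def dead_references(entries):
    """Entries whose target file is gone: orphaned hooks that HijackThis can simply drop."""
    return [(t, b) for t, b in entries if b.endswith(("(file missing)", "(no file)"))]

def build_reg_fix(entries):
    """Emit a .reg fragment: delete every O4 Run/RunOnce value and restore the Winlogon defaults."""
    by_key = {}
    for etype, body in entries:
        m = RUN_RE.match(body) if etype == "O4" else None
        if m:
            key = f"[{HIVES[m['hive']]}\\Software\\Microsoft\\Windows\\CurrentVersion\\{m['key']}]"
            by_key.setdefault(key, []).append(f'"{m["name"]}"=-')
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines += [key, *names, ""]
    lines += [r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]",
              '"Shell"="Explorer.exe"',  # .reg syntax: backslashes inside string values are doubled
              '"Userinit"="C:\\\\WINDOWS\\\\system32\\\\userinit.exe,"']
    return "\n".join(lines)
```

Review the generated .reg before importing it: the script deletes every Run/RunOnce value it sees, so legitimate startup entries in a real log must be removed from the output by hand.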
shesmiles
(Telepopmusik)
18 March 2007 21:50
#3
OK, I did everything, well, almost everything. There are a few problems. I cleaned, removed and repaired the exes. However, after starting up the computer reboots by itself and I didn't manage to do a scan with either ComboFix or Gmer. When I start the system, a lot of errors appear with a red cross and "the file … could not be found"; most often these are .dll and .sys files. A blue screen appeared a few times, saying the file cwscq.sys is missing/faulty.
Now I'm in safe mode and trying to scan with Combo and Gmer.
Post merged: 19.03.2007 (Mon) 10:38
Gmer log with the settings Show all and Services
Post merged: 19.03.2007 (Mon) 13:08
Silent Runners and ComboFix logs
Gmer with all settings except 'Show all' scans for a very long time; after about 25 minutes it slows down and slows the system so much that nothing can be done.
adam9870
(adam9870)
19 March 2007 14:11
#4
Remove all the programs for watching matches, because they are probably the cause of the infection.
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.BAT
You will now be working in Gmer, so launch it, wait a moment, and click the >>> tab to open the remaining ones.
In the Processes tab choose Gmer safe mode. The computer will restart and only the Gmer window will remain.
In the Services tab, set the services Gentad and Navoct to Disabled.
In the Processes tab click Files and delete:
In the Processes tab, use … (the three dots) to point to the FIX.BAT file. The screen will flicker and the computer will reset.
After the reset choose Start => Run => type cmd and click OK => in the console that opens, type:
Open Gmer and in the CMD tab, with the REGEDIT.EXE option selected, paste:
Then click Run and reset.
Scan with http://www.ewido.net/en/
Have a look at Restoring a deleted safe mode.
Once done, paste new logs.