Adam_Z
(Adam_Z)
28 Sierpień 2006 22:43
#1
Witam!
Co chwilę wyskakują mi komunikaty z antywirusa AVG ze na kompie mam trojana np.win2.tmp.exe, za jakąś chwilę znowu win21.tmp.exe, czasem dla odmiany srvvl(1).exe. Proszę o pomoc. Przeskanowałem kompa juz adaware i ewido. Wyczyściłem CCleaner-em i niestety nic się nie zmienia. Ponieżej logi
Logfile of HijackThis v1.99.1 Scan saved at 23:38:14, on 2006-08-28 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\TC PowerPack\totalcmd.exe C:\spam\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O4 - HKLM…\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor O4 - HKLM…\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run O4 - HKLM…\Run: [Realtime Audio Engine] mmrtkrnl.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM…\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM…\RunServices: [Microsoft Update] navmgrd.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra button: Utwórz Ulubione dla urządzenia przenośnego - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra ‘Tools’ menuitem: Utwórz Ulubione dla urządzenia przenośnego… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 2972512132 O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab O17 - HKLM\System\CCS\Services\Tcpip…{CCB09FCE-87BD-4380-AB4D-22C7471AA6FB}: NameServer = 194.204.152.34 217.98.63.164 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winezn32 - C:\WINDOWS\SYSTEM32\winezn32.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC (UserAccess) - Unknown owner - C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “{B07A1E3F-07D0-1045-0529-020302280030}” = ““C:\Program Files\Common Files{B07A1E3F-07D0-1045-0529-020302280030}\Update.exe” mc-110-12-0000272” [file not found] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “AudCtrl” = “RunDll32 AudCtrl.dll,RCMonitor” [MS] “CTStartup” = “C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run” [“Creative Technology Ltd.”] “Realtime Audio Engine” = “mmrtkrnl.exe” [“ALCATech GmbH”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” [MS] “BluetoothAuthenticationAgent” = “rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent” [MS] “AVG7_CC” = “C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP” [“GRISOFT, s.r.o.”] “AVG7_EMC” = “C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe” [“GRISOFT, s.r.o.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++} “Flag” = 2 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {5CA3D70E-1895-11CF-8E15-001234567890}(Default) = (no title provided) -> {HKLM…CLSID} = “DriveLetterAccess” \InProcServer32(Default) = “C:\WINDOWS\system32\dla\tfswshx.dll” [“Sonic Solutions”] {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Money\System\mnyviewer.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{5CA3D70E-1895-11CF-8E15-001234567890}” = “DriveLetterAccess” -> {HKLM…CLSID} = “DriveLetterAccess” \InProcServer32(Default) = “C:\WINDOWS\system32\dla\tfswshx.dll” [“Sonic Solutions”] “{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Context Menu Shell Extension” -> {HKLM…CLSID} = “WinAceContext Menu Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 DragDrop Shell Extension” -> {HKLM…CLSID} = “WinAceDrag-Drop Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Context Menu Shell Extension” -> {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Property Sheet Shell Extension” -> {HKLM…CLSID} = “WinAceProperty Sheet Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\MI1933~1\OFFICE11\msohev.dll” [file not found] “{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}” = “Sony Digital Voice File Shell Extention Module” -> {HKLM…CLSID} = “Sony Digital Voice File Shell Extention Module” \InProcServer32(Default) = “IcdShlex.dll” [“Sony Corporation”] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{40950107-FEA6-4d53-A65F-B2DCBA57DD58}” = “Nokia Phone Browser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] “{FBFE7864-D495-41f0-B7DC-4BB601CC295E}” = “Contact View” -> {HKLM…CLSID} = “Contact View” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll” [“Nokia”] “{C0C4375A-5B72-4efe-929D-3B848C3A1E91}” = “Message View” -> {HKLM…CLSID} = “Message View” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll” [“Nokia”] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “c:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Shell Extension” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] “{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Find Extension” -> {HKLM…CLSID} = “AVG7 Find Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Outlook File Icon Extension” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{8BE13461-936F-11D1-A87D-444553540000}” = “Eraser Shell Extension” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\Eraser\erasext.dll” ["-"] “{97C1D2CE-3AB4-4459-9142-D50D9338CB9A}” = “ScriptDropShellExt” -> {HKLM…CLSID} = “RoboEnhance Script File” \InProcServer32(Default) = “C:\Program Files\ACD Systems\RoboEnhancer\ScriptDropShellExt.dll” [empty string] “{DBD8E168-244D-448C-9922-25508950D1DC}” = “Ulead UDF Driver” -> {HKLM…CLSID} = “USIShellExt Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll” [“Ulead Systems, Inc.”] “{9E5E1445-6CEA-4761-8E45-AA19F654571E}” = “MagicRotation Shell Extension” -> {HKLM…CLSID} = “BkgndCtxMenuExt Class” \InProcServer32(Default) = “C:\WINDOWS\system32\mpvthook.dll” [“Samsung Electronics, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “ewido anti-spyware 4.0” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] INFECTION WARNING! WgaLogon\DLLName = “WgaLogon.dll” [MS] INFECTION WARNING! winezn32\DLLName = “winezn32.dll” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] Erasext(Default) = “{8BE13461-936F-11D1-A87D-444553540000}” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\Eraser\erasext.dll” ["-"] ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] ZFAdd(Default) = “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” -> {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] ZFAdd(Default) = “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” -> {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] Erasext(Default) = “{8BE13461-936F-11D1-A87D-444553540000}” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\Eraser\erasext.dll” ["-"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 32 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {21569614-B795-46B1-85F4-E737A8DC09AD}(Default) = (no title provided) -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}(Default) = “Money Viewer” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Microsoft Money\System\mnyviewer.dll” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\ “ButtonText” = “Utwórz Ulubione dla urządzenia przenośnego” “CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}” -> {HKLM…CLSID} = “Create Mobile Favorite” \InProcServer32(Default) = “C:\Program Files\Microsoft ActiveSync\inetrepl.dll” [MS] {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\ “MenuText” = “Utwórz Ulubione dla urządzenia przenośnego…” “CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}” -> {HKLM…CLSID} = “Create Mobile Favorite” \InProcServer32(Default) = “C:\Program Files\Microsoft ActiveSync\inetrepl.dll” [MS] {E023F504-0C5A-4750-A1E7-A9046DEA8A21}\ “ButtonText” = “Money Viewer” “CLSIDExtension” = “{301DA1EE-F65C-4188-A417-9E915CC8FBFA}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Money\System\mnyviewer.dll” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG7 Alert Manager Server, Avg7Alrt, “C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe” [“GRISOFT, s.r.o.”] AVG7 Update Service, Avg7UpdSvc, “C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe” [“GRISOFT, s.r.o.”] Bluetooth Support Service, BthServ, “C:\WINDOWS\system32\svchost.exe -k bthsvcs” {“C:\WINDOWS\System32\bthserv.dll” [MS]} Canon Camera Access Library 8, CCALib8, “C:\Program Files\Canon\CAL\CALMAIN.exe” [“Canon Inc.”] ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, “C:\Program Files\ewido anti-spyware 4.0\guard.exe” [“Anti-Malware Development a.s.”] HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] MySql, MySql, “c:\usr/MYSQL/bin/mysqld.exe” [null data] Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC, UserAccess, “C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe” [null data] Ulead Burning Helper, UleadBurningHelper, “C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe” [“Ulead Systems, Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] WMDM PMSP Service, WMDM PMSP Service, “C:\WINDOWS\System32\MsPMSPSv.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP LaserJet 5 Language Monitor\Driver = “HPDCMON.DLL” [“Hewlett-Packard”] Monitor języka BJ\Driver = “CNBJMON.DLL” [MS] PDF-XChange\Driver = “pxc25pm.dll” [“Tracker Software”] PDFCreator\Driver = “pdfcmnnt.dll” [null data] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 388 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 63 seconds. ---------- (total run time: 520 seconds)
Proszę o pomoc. Myślałem, że sobie sam poradze, ale siedzę już nad tym kilka godzin i nic sie nie zmienia. Z góry dziękuję.
Bieniol
(Bbieniol)
29 Sierpień 2006 07:07
#2
Otwórz notatnik i wklej w nim to:
Plik --> zapisz jako --> zmień rozszerzenie na wszystkie pliki --> zapisz pod nazwą FIX.REG
W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):
W trybie awaryjnym odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa
Po zabiegach nowe logi
Adam_Z
(Adam_Z)
29 Sierpień 2006 07:41
#3
W momencie przejści do zakładki przywracania systemu wyskakuje błąd. Nie wiem czy zignorować przywracanie systemu i postepować wg opisanych zaleceń? Podaje info na temat błędu:
AppName: rundll32.exe AppVer: 5.1.2600.2180 ModName: srrstr.dll
ModVer: 5.1.2600.2180 Offset: 000099b2
AppName: rundll32.exe AppVer: 5.1.2600.2180 ModName: ntdll.dll
ModVer: 5.1.2600.2180 Offset: 00043345
Proszę o info.
Bieniol
(Bbieniol)
29 Sierpień 2006 07:45
#4
Rób wszystko dalej z ominięciem jak na razie tego kroku
Złączono Posta : 29.08.2006 (Wto) 9:49
Sciągnij te dwie biblioteki:
http://www.dll-files.com/dllindex/dll-files.shtml?ntdll
http://www.driverskit.com/dll/srrstr.dll/3483.html
I wrzuć je do katalogu: *C:\WINDOWS\SYSTEM32*
Adam_Z
(Adam_Z)
29 Sierpień 2006 08:11
#5
Te pliki znajdują się w katalogu system32. Mam je nadpisać?
Problem z trojanem niestety nadal występuje
Przy okazji podaje aktualne logi:
Logfile of HijackThis v1.99.1 Scan saved at 09:55:23, on 2006-08-29 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\usr\MYSQL\bin\mysqld.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TC PowerPack\totalcmd.exe C:\spam\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O4 - HKLM…\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor O4 - HKLM…\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run O4 - HKLM…\Run: [Realtime Audio Engine] mmrtkrnl.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM…\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra button: Utwórz Ulubione dla urządzenia przenośnego - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra ‘Tools’ menuitem: Utwórz Ulubione dla urządzenia przenośnego… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 2972512132 O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winezn32 - C:\WINDOWS\SYSTEM32\winezn32.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC (UserAccess) - Unknown owner - C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “AudCtrl” = “RunDll32 AudCtrl.dll,RCMonitor” [MS] “CTStartup” = “C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run” [“Creative Technology Ltd.”] “Realtime Audio Engine” = “mmrtkrnl.exe” [“ALCATech GmbH”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” [MS] “BluetoothAuthenticationAgent” = “rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent” [MS] “AVG7_CC” = “C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP” [“GRISOFT, s.r.o.”] “AVG7_EMC” = “C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe” [“GRISOFT, s.r.o.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++} “Flag” = 2 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {5CA3D70E-1895-11CF-8E15-001234567890}(Default) = (no title provided) -> {HKLM…CLSID} = “DriveLetterAccess” \InProcServer32(Default) = “C:\WINDOWS\system32\dla\tfswshx.dll” [“Sonic Solutions”] {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Money\System\mnyviewer.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{5CA3D70E-1895-11CF-8E15-001234567890}” = “DriveLetterAccess” -> {HKLM…CLSID} = “DriveLetterAccess” \InProcServer32(Default) = “C:\WINDOWS\system32\dla\tfswshx.dll” [“Sonic Solutions”] “{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Context Menu Shell Extension” -> {HKLM…CLSID} = “WinAceContext Menu Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 DragDrop Shell Extension” -> {HKLM…CLSID} = “WinAceDrag-Drop Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Context Menu Shell Extension” -> {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}” = “WinAce Archiver 2.5 Property Sheet Shell Extension” -> {HKLM…CLSID} = “WinAceProperty Sheet Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\MI1933~1\OFFICE11\msohev.dll” [file not found] “{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}” = “Sony Digital Voice File Shell Extention Module” -> {HKLM…CLSID} = “Sony Digital Voice File Shell Extention Module” \InProcServer32(Default) = “IcdShlex.dll” [“Sony Corporation”] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{40950107-FEA6-4d53-A65F-B2DCBA57DD58}” = “Nokia Phone Browser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] “{FBFE7864-D495-41f0-B7DC-4BB601CC295E}” = “Contact View” -> {HKLM…CLSID} = “Contact View” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll” [“Nokia”] “{C0C4375A-5B72-4efe-929D-3B848C3A1E91}” = “Message View” -> {HKLM…CLSID} = “Message View” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll” [“Nokia”] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “c:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Shell Extension” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] “{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Find Extension” -> {HKLM…CLSID} = “AVG7 Find Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Outlook File Icon Extension” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{8BE13461-936F-11D1-A87D-444553540000}” = “Eraser Shell Extension” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\Eraser\erasext.dll” ["-"] “{97C1D2CE-3AB4-4459-9142-D50D9338CB9A}” = “ScriptDropShellExt” -> {HKLM…CLSID} = “RoboEnhance Script File” \InProcServer32(Default) = “C:\Program Files\ACD Systems\RoboEnhancer\ScriptDropShellExt.dll” [empty string] “{DBD8E168-244D-448C-9922-25508950D1DC}” = “Ulead UDF Driver” -> {HKLM…CLSID} = “USIShellExt Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll” [“Ulead Systems, Inc.”] “{9E5E1445-6CEA-4761-8E45-AA19F654571E}” = “MagicRotation Shell Extension” -> {HKLM…CLSID} = “BkgndCtxMenuExt Class” \InProcServer32(Default) = “C:\WINDOWS\system32\mpvthook.dll” [“Samsung Electronics, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “ewido anti-spyware 4.0” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] INFECTION WARNING! WgaLogon\DLLName = “WgaLogon.dll” [MS] INFECTION WARNING! winezn32\DLLName = “winezn32.dll” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] Erasext(Default) = “{8BE13461-936F-11D1-A87D-444553540000}” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\Eraser\erasext.dll” ["-"] ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] ZFAdd(Default) = “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” -> {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”] ZFAdd(Default) = “{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}” -> {HKLM…CLSID} = “WinAceContext Menu (Add) Extension” \InProcServer32(Default) = “C:\Program Files\WinAce\arcext.dll” [“e-merge GmbH”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] Erasext(Default) = “{8BE13461-936F-11D1-A87D-444553540000}” -> {HKLM…CLSID} = “Eraser Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\Eraser\erasext.dll” ["-"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 32 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {21569614-B795-46B1-85F4-E737A8DC09AD}(Default) = (no title provided) -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}(Default) = “Money Viewer” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Microsoft Money\System\mnyviewer.dll” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\ “ButtonText” = “Utwórz Ulubione dla urządzenia przenośnego” “CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}” -> {HKLM…CLSID} = “Create Mobile Favorite” \InProcServer32(Default) = “C:\Program Files\Microsoft ActiveSync\inetrepl.dll” [MS] {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\ “MenuText” = “Utwórz Ulubione dla urządzenia przenośnego…” “CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}” -> {HKLM…CLSID} = “Create Mobile Favorite” \InProcServer32(Default) = “C:\Program Files\Microsoft ActiveSync\inetrepl.dll” [MS] {E023F504-0C5A-4750-A1E7-A9046DEA8A21}\ “ButtonText” = “Money Viewer” “CLSIDExtension” = “{301DA1EE-F65C-4188-A417-9E915CC8FBFA}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Money\System\mnyviewer.dll” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG7 Alert Manager Server, Avg7Alrt, “C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe” [“GRISOFT, s.r.o.”] AVG7 Update Service, Avg7UpdSvc, “C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe” [“GRISOFT, s.r.o.”] Bluetooth Support Service, BthServ, “C:\WINDOWS\system32\svchost.exe -k bthsvcs” {“C:\WINDOWS\System32\bthserv.dll” [MS]} Canon Camera Access Library 8, CCALib8, “C:\Program Files\Canon\CAL\CALMAIN.exe” [“Canon Inc.”] ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, “C:\Program Files\ewido anti-spyware 4.0\guard.exe” [“Anti-Malware Development a.s.”] HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] MySql, MySql, “c:\usr/MYSQL/bin/mysqld.exe” [null data] Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC, UserAccess, “C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe” [null data] Ulead Burning Helper, UleadBurningHelper, “C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe” [“Ulead Systems, Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] WMDM PMSP Service, WMDM PMSP Service, “C:\WINDOWS\System32\MsPMSPSv.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP LaserJet 5 Language Monitor\Driver = “HPDCMON.DLL” [“Hewlett-Packard”] Monitor języka BJ\Driver = “CNBJMON.DLL” [MS] PDF-XChange\Driver = “pxc25pm.dll” [“Tracker Software”] PDFCreator\Driver = “pdfcmnnt.dll” [null data] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 371 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 85 seconds. ---------- (total run time: 522 seconds)
Bieniol
(Bbieniol)
29 Sierpień 2006 08:17
#6
Uruchamiasz narzędzie KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
C:\WINDOWS\SYSTEM32\winezn32.dll
Klikasz X i restart kompa
Usuwasz w hijacku ten wpis:
Podaj pełną lokalizację zarażonych plików
Co do przywracania systemu, to:
Sprawdz w rejestrze: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore sprawdz, czy wartosc “DisableSR” istnieje i czy ma wartosc “0” (wlaczone) Jesli nie ma, dodaj nowa wartosc DWORD i ustaw “0”. Nastepnie: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr i upewnij sie, ze wartosc “Start” jest ustawiona na “0” Sprawdz, czy w systemie znajduja sie nastepujące pliki: C:\WINDOWS\system32\drivers\sr.sys C:\WINDOWS\system32\srclient.dll C:\WINDOWS\system32\srsvc.dll C:\WINDOWS\system32\srrstr.dll C:\WINDOWS\system32\restore\filelist.xml C:\WINDOWS\system32\restore\rstrui.exe C:\WINDOWS\system32\restore\srframe.mmf C:\WINDOWS\system32\restore\sr.mof Sprawdz, czy w trybie awaryjnym na koncie administratora, tez jest problem.
Adam_Z
(Adam_Z)
29 Sierpień 2006 08:59
#7
Chyba w końcu się udało. Bo od kilku chwil jestem w sieci i nic się nie pojawia. A wcześniej nawet podczas pisania post-a na forum miałem co najmniej dwa komunikaty o trojanie. Co do lokalizacji głównie pojawiał się plik winxx.tmp.exe (xx to numer lub litera) w katalogach:
C:\WINDOWS\TEMP
lub C:\Documents and Settings\user\Ustawienia Lokalne\Temporary Internet Files.
Muszę przyznać, że wczoraj jak badałem całą sprawę też myślałem, że może ona być wynikiem działania tego pliku winezn32.dll, jednak nie znałem tak wspaniałego narzędzia jakim jest KillBox, a po drugie ze względu na niewielkie doświadczenie wolałem skorzystać z forum. Dziękuję bardzo użytkownikowi Bieniol za pomoc i poświęcony czas. Z tego co widze (po ilości postów) masz duże doświadczenie w tym zakresie. WIELKIE DZIĘKI
Loga nie zamieszczam ponieważ różni się on jedynie brakiem wpisu 020 ziwązanego z wyżej wymienionym plikiem. Chyba, że ktoś bardzo chce to prosze o informacje.
Jeszcze co do niedziałającej funkcji odzyskiwania systemu. Również na koncie administratora mam problem z uruchomieniem jej. Z plików wymienionych brakuje mi jedynie sr.mof (czy może być powodem nie działania?).
Proszę ewentualnie o uwagi jak usunąć pozostałości z działania trojana (o ile jakieś jeszcze zostały)
POZDRAWIAM i JESZCZE RAZ DZIĘKUJĘ
Bieniol
(Bbieniol)
29 Sierpień 2006 10:49
#8
Ciesze się, że wszystko wraca do normy
W związku z tym:
Wyczyść folder TEMP (w trybie awaryjnym), czyli Start --> uruchom --> cmd i wpisujesz:
oraz folder Temporary Internet Files:
Oraz folder:
C:\WINDOWS\ Temp
Co do funkcji przywracania systemu, to spróbuj nadpisać te dwie w/w biblioteki i spróbować
Adam_Z
(Adam_Z)
29 Sierpień 2006 11:27
#9
Wszystko udało się usunąć z wymienionych katalogów. Poza index.dat znajdującym się w …/Temporary Internet Files.
Nie jestem pewny czy potraktować go KillBox-em czy już zostawić?
Jeśli chodzi o odzyskiwanie to chyba jakiś głębszy problem i podmiana plików nic nie daje. Nie da się w ogóle podmienić tego pliku ntdll.dll.
Myślę, że to raczej temat do innego działu forum, tak więc uznaje temat post-a za zamknięty.
Proszę jedynie o informacje w sprawie tego pliku index.dat
Bieniol
(Bbieniol)
29 Sierpień 2006 11:28
#10
Ten plik możesz spokojnie zostawić
Pozdrawiam