jessica
(jessica)
23 October 2007 17:32
#2
Download --> ComboFix
Paste into Notepad:
File::
C:\Program Files\Adssite Advanced Toolbar\toolbar.dll
C:\WINDOWS\system32\nsh5C.dll
Folder::
C:\Program Files\Adssite Advanced Toolbar
>>File>>Save as… >>> CFScript (it is most convenient to save it somewhere where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto ComboFix.exe (i.e. the CFScript.txt icon onto the ComboFix.exe icon)
– like in this picture –>
(if the question " 1 or 2 " comes up, type 1 and press ENTER). Removal should start (and a log will be created).
After the reboot, delete the C:\Qoobox folder manually.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
O2 - BHO: ads_optimizer - {26E45419-7205-4fac-BBFE-174BC7337A79} - C:\WINDOWS\system32\nsh5C.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: Adssite Toolbar - {41C29B07-6F91-4966-91BE-2E2841643C83} - C:\Program Files\Adssite Advanced Toolbar\toolbar.dll
Then fix the entries quoted above in HijackThis (if they are still there):
HijackThis scan (Do a system scan only), tick them, Fix checked.
Post the HijackThis log and the ComboFix log.
Paste the log at http://wklej.org/ and put only the link in your post (i.e. copy the address from the address bar).
jessi
crazyworld
(Crazyworld82)
23 October 2007 18:28
#3
I'm pasting the logs here because the site you gave doesn't seem to want to work.
ComboFix
ComboFix 07-10-23.2 - Aneta 2007-10-23 19:53:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.30 [GMT 2:00]
Running from: C:\Documents and Settings\Aneta\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aneta\Pulpit\CFScript.txt
 * Created a new restore point

FILE::
C:\Program Files\Adssite Advanced Toolbar\toolbar.dll
C:\WINDOWS\system32\nsh5C.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Adssite Advanced Toolbar
C:\Program Files\Adssite Advanced Toolbar\buttons.xml
C:\Program Files\Adssite Advanced Toolbar\search.xml
C:\Program Files\Adssite Advanced Toolbar\toolbar.dll
C:\Program Files\Adssite Advanced Toolbar\uninstall.exe
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST
C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL
C:\Program Files\myglobalsearch\bar\1.bin\NPMYGLSH.DLL
C:\Program Files\myglobalsearch\bar\Cache\000344BB
C:\Program Files\myglobalsearch\bar\Cache\00042E11
C:\Program Files\myglobalsearch\bar\Cache\000BD0C7
C:\Program Files\myglobalsearch\bar\Cache\02F1AC10.bin
C:\Program Files\myglobalsearch\bar\Cache\02F1AE81.bin
C:\Program Files\myglobalsearch\bar\Cache\02F1B046.bin
C:\Program Files\myglobalsearch\bar\Cache\files.ini
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm
C:\WINDOWS\system32\nsh5C.dll
.
((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.
2007-10-23 19:53   51,200  --a------  C:\WINDOWS\NirCmd.exe
2007-10-23 19:11
2007-10-23 12:04
2007-10-20 17:02  129,784  ---------  C:\WINDOWS\system32\pxafs.dll
2007-10-20 17:02   39,688  ---------  C:\WINDOWS\system32\drivers\pxhelper.sys
2007-10-10 07:17  584,192  -----c---  C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 21:05
2007-10-09 21:05
2007-10-09 21:05  188,960  -ra------  C:\WINDOWS\system\WINGDE.DLL
2007-10-09 21:05   92,208  -ra------  C:\WINDOWS\system\WING.DLL
2007-10-09 21:05   12,800  -ra------  C:\WINDOWS\system32\WING32.DLL
2007-10-09 21:04
2007-09-28 11:41
2007-09-28 11:40
2007-09-28 11:40   79,877  --a------  C:\WINDOWS\system32\adssite-remove.exe
2007-09-28 11:40   40,733  --a------  C:\WINDOWS\system32\rightonadz-uninst.exe
2007-09-25 22:01
2007-09-25 22:01       74  --ah-----  C:\WINDOWS\kpe.dat
2007-09-25 22:00
2007-09-25 22:00
2007-09-24 22:55
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 18:48  ---------  d-----w  C:\Documents and Settings\Aneta\Dane aplikacji\Skype
2007-10-22 07:21  ---------  d-----w  C:\Program Files\AQQ
2007-10-20 15:02  ---------  d-----w  C:\Program Files\Winamp
2007-10-04 10:41  ---------  d-----w  C:\Documents and Settings\Aneta\Dane aplikacji\Zylom
2007-09-30 13:23  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2007-09-12 19:28  ---------  d-----w  C:\Program Files\Gadu-Gadu
2007-09-07 08:40  ---------  d-----w  C:\Program Files\OpenOffice.org 2.1
2007-09-07 07:09  ---------  d-----w  C:\Program Files\microsoft frontpage
2007-09-07 07:09  ---------  d-----w  C:\Documents and Settings\Aneta\Dane aplikacji\Microsoft Web Folders
2007-09-06 18:40  ---------  d-----w  C:\Documents and Settings\Aneta\Dane aplikacji\OpenOffice.org2
2007-09-06 10:05     94,416  ----a-w  C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05     92,848  ----a-w  C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03     23,152  ----a-w  C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02     42,912  ----a-w  C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00     26,624  ----a-w  C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 10:50  ---------  d-----w  C:\Program Files\Corel
2007-03-08 14:46:21      56  --sh--r  C:\WINDOWS\system32\AD57E3E5C6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{41C29B07-6F91-4966-91BE-2E2841643C83}"= C:\Program Files\Adssite Advanced Toolbar\toolbar.dll []
[HKEY_CLASSES_ROOT\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}]
[HKEY_CLASSES_ROOT\CoolToolBar.IEBarLogic.1]
[HKEY_CLASSES_ROOT\TypeLib\{6B4FA1DD-A353-49F8-A650-79C21D6B4824}]
[HKEY_CLASSES_ROOT\CoolToolBar.IEBarLogic]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-09-30 07:35]
"nwiz"="nwiz.exe" [2004-09-30 07:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-09-30 07:35]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-08-01 17:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36]

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 19:59:08
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-23 19:59:49 - machine was rebooted
.
--- E O F ---
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:27:24, on 2007-10-23
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AQQ\AQQ.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Share_Accelerator_MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbSha1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ads_optimizer - {26E45419-7205-4fac-BBFE-174BC7337A79} - C:\WINDOWS\system32\nse14.dll
O2 - BHO: Share_Accelerator_MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbSha1.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Share_Accelerator_MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbSha1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint – Dodaj do listy drukowania - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint – Drukuj - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint – Drukuj z dużą szybkością - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint – Podgląd - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho … wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43298DFA-31D1-4669-9878-A867CDA1507A}: NameServer = 91.90.90.1,85.128.85.132
O17 - HKLM\System\CS1\Services\Tcpip\..\{43298DFA-31D1-4669-9878-A867CDA1507A}: NameServer = 91.90.90.1,85.128.85.132
O17 - HKLM\System\CS2\Services\Tcpip\..\{43298DFA-31D1-4669-9878-A867CDA1507A}: NameServer = 91.90.90.1,85.128.85.132
O17 - HKLM\System\CS3\Services\Tcpip\..\{43298DFA-31D1-4669-9878-A867CDA1507A}: NameServer = 91.90.90.1,85.128.85.132
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6514 bytes
crazyworld, please change the topic title to something specific, otherwise it will go to the bin.
jessica
(jessica)
23 October 2007 18:55
#5
----------- @crazyworld —>
Paste into Notepad:
File::
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\nse14.dll
Folder::
C:\Documents and Settings\Aneta\Dane aplikacji\Adssite Advanced Toolbar
C:\Program Files\Adssite Games Collection
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{41C29B07-6F91-4966-91BE-2E2841643C83}"=-
[-HKEY_CLASSES_ROOT\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26E45419-7205-4fac-BBFE-174BC7337A79}]
>>File>>Save as… >>> CFScript
Drag and drop the CFScript.txt file onto ComboFix.exe
– like in this picture –>
Removal should start (and a log will be created).
After the reboot, delete the C:\Qoobox folder manually.
Post that ComboFix log.
Do you recognise these?
2007-10-09 21:05  188,960  -ra------  C:\WINDOWS\system\WINGDE.DLL
2007-10-09 21:05   92,208  -ra------  C:\WINDOWS\system\WING.DLL
2007-10-09 21:05   12,800  -ra------  C:\WINDOWS\system32\WING32.DLL
2007-10-09 21:04
The "Wing*.dll" files can be either good or bad, so check "WING32.DLL". Check it at – http://virusscan.jotti.org/
A description of how to use JOTTI – http://otfans.pl/forums/showthread.php?tid=552
or at http://www.virustotal.com/en/indexf.html .
(it is used similarly to JOTTI).
See what is in the "~QRWTMP.TMP" folder.
jessi
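Both of jessica's replies (#2 and #5) follow the same procedure: read the HijackThis O2/O3/R3 lines, write a CFScript whose File::/Folder:: sections name the DLLs and whose Registry:: section names the CLSIDs, run it, and leave whatever the script did not cover for "Fix checked" in HijackThis. The example below is added here and is not code from this thread or from the HijackThis/ComboFix authors; it does that cross-check mechanically. The log excerpts and the CFScript in it are constructed from entries quoted in the posts above, and the matching rules (a DLL counts as covered if its path or its parent folder is listed; a CLSID counts as covered if it appears anywhere in the Registry:: section) are my own simplification, not ComboFix's semantics.

```python
"""Cross-check HijackThis entries against a ComboFix CFScript.

Added example for this thread, not code from the thread or from the
HijackThis / ComboFix authors. Samples are constructed from the posts above;
the matching rules are mine and only mimic what a helper checks by eye.
"""
import re
from dataclasses import dataclass

# Constructed sample (from the thread): CLSID-backed lines before ComboFix ran ...
HJT_BEFORE = r"""
O2 - BHO: ads_optimizer - {26E45419-7205-4fac-BBFE-174BC7337A79} - C:\WINDOWS\system32\nsh5C.dll
O3 - Toolbar: Adssite Toolbar - {41C29B07-6F91-4966-91BE-2E2841643C83} - C:\Program Files\Adssite Advanced Toolbar\toolbar.dll
"""
# ... and from the second HijackThis log, after the first run.
HJT_AFTER = r"""
R3 - URLSearchHook: Share_Accelerator_MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbSha1.dll
O2 - BHO: ads_optimizer - {26E45419-7205-4fac-BBFE-174BC7337A79} - C:\WINDOWS\system32\nse14.dll
O2 - BHO: Share_Accelerator_MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbSha1.dll
O3 - Toolbar: Share_Accelerator_MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbSha1.dll
"""
# Constructed sample: the CFScript from post #5.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\nse14.dll
Folder::
C:\Documents and Settings\Aneta\Dane aplikacji\Adssite Advanced Toolbar
C:\Program Files\Adssite Games Collection
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{41C29B07-6F91-4966-91BE-2E2841643C83}"=-
[-HKEY_CLASSES_ROOT\CLSID\{41C29B07-6F91-4966-91BE-2E2841643C83}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26E45419-7205-4fac-BBFE-174BC7337A79}]
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis prints COM-based hooks as: <kind> - <label>: <name> - {CLSID} - <dll path>
HJT_RE = re.compile(r"^(O2|O3|R3) - (?:BHO|Toolbar|URLSearchHook): (.+?) - (\{[^}]+\}) - (.+)$")


@dataclass(frozen=True)
class HjtEntry:
    kind: str   # O2 = BHO, O3 = toolbar, R3 = URLSearchHook
    name: str
    clsid: str  # lower-cased so "4fac" and "4FAC" compare equal
    path: str   # lower-cased: NTFS paths are case-insensitive


def parse_hjt(text: str) -> list[HjtEntry]:
    """Keep only the CLSID-backed lines; every other HJT line type is ignored."""
    out = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            kind, name, clsid, path = m.groups()
            out.append(HjtEntry(kind, name, clsid.lower(), path.strip().lower()))
    return out


def parse_cfscript(text: str) -> dict[str, set[str]]:
    """Split a CFScript into File::, Folder:: and Registry:: sections.
    Only GUIDs are kept from Registry:: lines, so ComboFix's key shorthand
    (the '~' in the sample) does not have to be expanded here."""
    sections = {"file": set(), "folder": set(), "registry": set()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2].lower()
        elif current == "file":
            sections["file"].add(line.lower())
        elif current == "folder":
            sections["folder"].add(line.lower().rstrip("\\") + "\\")
        elif current == "registry":
            sections["registry"].update(g.lower() for g in GUID_RE.findall(line))
    return sections


def check_coverage(hjt_text: str, cfscript_text: str) -> dict[str, dict]:
    """Per CLSID: is the DLL (or its folder) in the script, and is the CLSID?"""
    script = parse_cfscript(cfscript_text)
    report: dict[str, dict] = {}
    for e in parse_hjt(hjt_text):
        r = report.setdefault(e.clsid, {"name": e.name, "kinds": set(),
                                        "file_covered": False, "registry_covered": False})
        r["kinds"].add(e.kind)
        in_folder = any(e.path.startswith(f) for f in script["folder"])
        r["file_covered"] |= (e.path in script["file"] or in_folder)
        r["registry_covered"] = e.clsid in script["registry"]
    return report


def leftovers(hjt_text: str, cfscript_text: str) -> list[str]:
    """Names the script does not fully remove: what is left to 'Fix checked' in HJT."""
    return sorted(r["name"] for r in check_coverage(hjt_text, cfscript_text).values()
                  if not (r["file_covered"] and r["registry_covered"]))


def renamed_components(before_text: str, after_text: str) -> dict[str, tuple[str, str]]:
    """Same CLSID, different DLL path between two logs: a File:: line copied
    from the older log would miss the file the component now loads."""
    before = {e.clsid: e.path for e in parse_hjt(before_text)}
    return {e.clsid: (before[e.clsid], e.path)
            for e in parse_hjt(after_text)
            if e.clsid in before and before[e.clsid] != e.path}


if __name__ == "__main__":
    for clsid, r in check_coverage(HJT_AFTER, CFSCRIPT).items():
        print(f"{r['name']:30} {clsid}  file={r['file_covered']}  reg={r['registry_covered']}")
    print("left for HijackThis:", leftovers(HJT_AFTER, CFSCRIPT))
    print("renamed since last log:", renamed_components(HJT_BEFORE, HJT_AFTER))
```

Run as-is, it reports that the ads_optimizer BHO is covered on both the file and the registry side, that the three Share_Accelerator_MM lines share one CLSID that the script never names (so that toolbar would be left for the HijackThis "Fix checked" step), and that between the two logs the ads_optimizer CLSID moved from nsh5C.dll to nse14.dll, which is the kind of rename that makes a File:: line written from an older log miss its target.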