eXz
(Synapse Pl)
7 Luty 2007 14:38
#1
Mam problem ,i to spory… Od wczoraj staram sie usunąć jeefo.a ,korzystałem z 4 antyvirusów, i szczepionki g data nic nie skutkuje… ma ktoś jakiś pomysł? będe wdzięczny. Daej log z HiJack
Logfile of HijackThis v1.99.1 Scan saved at 15:40:13, on 2007-02-07 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\explorer.exe C:\WINDOWS\Mixer.exe C:\Program Files\Eset\nod32kui.exe D:\AVG Anti-Spyware 7.5\avgas.exe D:\Spyware Doctor\swdoctor.exe D:\Avast\aswUpdSv.exe D:\Avast\ashServ.exe D:\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Eset\nod32krn.exe D:\Spyware Doctor\sdhelp.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\wscntfy.exe D:\Avast\ashWebSv.exe C:\WINDOWS\System32\alg.exe D:\DAP\DAP.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Admin\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.travian3.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O4 - HKLM…\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [!AVG Anti-Spyware] “D:\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKCU…\Run: [spyware Doctor] “D:\Spyware Doctor\swdoctor.exe” /Q O8 - Extra context menu item: &Clean Traces - D:\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: &Download with &DAP - D:\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - D:\DAP\dapextie2.htm O8 - Extra context menu item: Download All by FlashGet - D:\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - D:\FlashGet\jc_link.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\JetCar.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\JetCar.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip…{3BFD9246-96FF-45D1-80B2-2C8376A00ED5}: NameServer = 194.204.159.1,194.204.152.34 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Avast\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - D:\Avast\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - D:\Avast\ashWebSv.exe" /service (file missing) O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\AVG Anti-Spyware 7.5\guard.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing) O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Spyware Doctor\sdhelp.exe
adam9870
(adam9870)
7 Luty 2007 14:46
#2
Start => uruchom => cmd => wpisz:
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
C:\WINDOWS\svchost.exe
Klikasz X czerwony i restart kompa.
Usuń wpisy HJT.
Użyj szczepionki przeciwko jeefo: http://wirusy.antivirenkit.pl/pl/szczepionki/Jeefo.html
Po wykonaniu proszę pokazać nowy log z HijackThis plus z SilentRunners .
eXz
(Synapse Pl)
7 Luty 2007 14:49
#3
ok juz robie
Złączono Posta : 07.02.2007 (Sro) 16:08
Skasowaly mi sie przez to dns, musialem leciec do admina ale juz ok tutaj wpis z silenta
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data] “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “D:\Unlocker\UnlockerCOM.dll” [null data] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Avast\ashShell.dll” [“ALWIL Software”] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “D:\Alcohol\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “D:\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Avast\ashShell.dll” [“ALWIL Software”] AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “D:\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” -> {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “D:\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “D:\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” -> {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “D:\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Avast\ashShell.dll” [“ALWIL Software”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “D:\Unlocker\UnlockerCOM.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” -> {HKLM…CLSID} = “UnlockerShellExtension” \InProcServer32(Default) = “D:\Unlocker\UnlockerCOM.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Scheduled Tasks: ------------------------ “At1” -> launches: “E:\NOWYFO~1\Look2Me-Destroyer.exe /task” [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 17 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! iAVS4 Control Service, aswUpdSv, ““D:\Avast\aswUpdSv.exe”” [null data] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] PC Tools Spyware Doctor, SDhelper, “D:\Spyware Doctor\sdhelp.exe” [“PC Tools Research Pty Ltd”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 143 seconds. ---------- (total run time: 225 seconds)
Złączono Posta : 07.02.2007 (Sro) 16:17
ten wirus dalej siedzi na kompie …
adam9870
(adam9870)
7 Luty 2007 15:18
#4
Już jest ok.
Spyware Doctor jest programem wątpliwej reputacji dlatego proponuję go usunąć. Sposób usunięcia jest podany tutaj:
http://forum.dobreprogramy.pl/viewtopic … 332#791332
Skąd wiesz, że siedzi?
Gdzie siedzi (dokładna lokalizacja)?
Czy użyłeś szczepionki przeciwko Jeefo?
Przeskanuj AVG Anti-spyware i wklej raport.
eXz
(Synapse Pl)
7 Luty 2007 15:19
#5
urzywałem ale ta szczepionka nic nie znalazła, teraz resetowałem kompa i wyskoczył alert nod32 usunolem kolejny plik z wirusem i jak narazie spokoj :|… juz skanuje…
a jeefo.a jest tam gdzie pisales svhost…
Złączono Posta : 07.02.2007 (Sro) 16:32
Rarporcik z AVG… //+130 obiektów jesos mój komp to smietnik…a niedawon był format
Złączono Posta : 07.02.2007 (Sro) 16:40
wszyyyyyyyystko usunolem i sprawdze teraz moze juz niema tego syfu
Złączono Posta : 07.02.2007 (Sro) 16:43
TEN SYF NADAL SIEDZI NA KOMPIE! ;(… no to zostaje mi format -.-
Gutek
(Gutek)
7 Luty 2007 18:16
#6
Nie panikuj to nic groźnego Jest Ok
eXz
(Synapse Pl)
8 Luty 2007 05:44
#7
Ok Ok… próbowałem wszystkiego i nic, wszystkie znane i nieznane programy, tryb awaryjny, i inne fiki misie… i nic, dalej siedzi na kompie (aler nod32) nie wiem juz co zrobić, ręce mi opadają -.-