Moja siostra ma trojana (albo coś innego)


(Matyks) #1

moja siostra ma trojana (albo coś innego). Kożystałem kiedyś sam z waszych programów i wiem że są rewelacyjne. Akurat ja miałem problem, który gdzieś na forum był opisany. Niestety w przypadku mojej siostry nie wiem o co chodzi. Bardzo proszę o pomoc.

Niestety nie wiem o co chodzi z tymi Quotami... wklejam więc loga oddzielając go znakami równości. Wybaczcie, robię to pierwszy raz.

==

Logfile of HijackThis v1.99.1

Scan saved at 12:33:04, on 2007-05-01

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

D:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Natalia T\Pulpit\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowemiasto.com.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wp.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.54.191.5:3128

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [bearShare] "D:\Program Files\BS\BearShare.exe" /pause

O4 - HKLM..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16

O4 - HKLM..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"

O4 - HKLM..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM..\Run: [MSconfig] C:\WINDOWS\System32\MSconfig.exe

O4 - HKLM..\Run: [bearFlix] "C:\Program Files\BearFlix\bearflix.exe" /pause

O4 - HKLM..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime

O4 - HKLM..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM..\Run: [WinampAgent] d:\Program Files\Winamp\winampa.exe

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [svcManager] services3.exe

O4 - HKLM..\Run: [tcpipmon] tcpipmon.exe

O4 - HKLM..\Run: [Anti Trojan Elite] D:\Program Files\Anti Trojan Elite\TJEnder.exe :NO

O4 - HKLM..\Run: [bingluejumpbird] C:\Documents and Settings\All Users\Dane aplikacji\Rect Beep Bin Glue\FordGpl.exe

O4 - HKLM..\Run: [soundService] rundll32.exe "C:\WINDOWS\System32\frfoktvf.dll",setvm

O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\tpfsybbn.dll",setvm

O4 - HKLM..\Run: [infoData] rundll32.exe "C:\WINDOWS\System32\agxmbwir.dll",realset

O4 - HKLM..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU..\Run: [Gadu-Gadu] "E:\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [Debug Byte] C:\DOCUME~1\NATALI~1\DANEAP~1\AUDIOB~1\Film Axis.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe Reader\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe Reader\Reader\AdobeCollabSync.exe

O4 - Global Startup: Digimax Viewer 2.1.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LXCCCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCserv.exe

O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcccoms.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

==

Jeszcze raz bardzo proszę o pomoc!!

matyks


(Grzegorz Ch) #2

to poczytaj:

HijackThis, Silent Runners oraz inne narzędz. - Instrukcja

masz tam graficzną instrukcję :slight_smile: jak to zrobić.


(Matyks) #3

Wklej wątek bo może nie doczytałem.

Przeprosiłem za to. Poza tym chodzi mi o coś innego, jak pozbyć się infekcji na komputerze a tam wyraźnie jest napisane, że po utworzeniu loga niedoświadczeni użytkownicy nie powinni niczego usuwać, stąd moje pytanie na forum. Jeżeli wiesz, to mi doradź...


(adam9870) #4

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Pliki i foldery usuń ręcznie w trybie awaryjnym natomiast wpisy HijackThis.

Użyj VundoFix + FixVundo + VirtumundoBeGone + SmitFraudFix (opcja 2). Wszystkie narzędzia należy uruchomić w trybie awaryjnym.

Po wykonaniu pokaż nowy log z hjt, SilentRunners + log numer 1 z L2Mfix.


(Matyks) #5

Wielkie dzięki adam9870! !!

Myślę, że wszystko jest w pożądku!

Dopiero dziś miałem czas zrobić to, co mi poradziłeś.

Nie wiem jak mam uzyskać log z programu L2Mfix (jakieś dziwne to ustrojstwo).

Po zrobieniu wszystkiego przeskanowałem komputer programem antywirusowym i usunął on jaieś trojany virtumundo (a program VirtumundoBeGone nie usunął tego, albo przeniusł do kwarantanny bo tak to wyglądało)

Dla pewności wkleję jeszcze logi z HJT i SilentRunnera

Bardzo Ci dziękuję !!

Oto moje logi

HJT

==

Logfile of HijackThis v1.99.1

Scan saved at 14:03:37, on 2007-05-02

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\qttask.exe

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\Eset\nod32kui.exe

D:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\iPod\bin\iPodService.exe

D:\Program Files\Skype\Phone\Skype.exe

D:\Program Files\Adobe Reader\Reader\reader_sl.exe

C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe

C:\Documents and Settings\Natalia T\Pulpit\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wp.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.54.191.5:3128

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3F5CBD1C-90B2-4140-8E99-5E47D66B303f} - C:\WINDOWS\System32\iarktgic.dll (file missing)

O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)

O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\System32\dhaaqpqr.dll (file missing)

O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\System32\cuiwhptp.dll

O2 - BHO: (no name) - {EF93A547-75C4-4238-BA1A-A49364589E2D} - C:\WINDOWS\System32\pmnlj.dll (file missing)

O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [bearShare] "D:\Program Files\BS\BearShare.exe" /pause

O4 - HKLM..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16

O4 - HKLM..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"

O4 - HKLM..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM..\Run: [MSconfig] C:\WINDOWS\System32\MSconfig.exe

O4 - HKLM..\Run: [bearFlix] "C:\Program Files\BearFlix\bearflix.exe" /pause

O4 - HKLM..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime

O4 - HKLM..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM..\Run: [WinampAgent] d:\Program Files\Winamp\winampa.exe

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [Anti Trojan Elite] D:\Program Files\Anti Trojan Elite\TJEnder.exe :NO

O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU..\Run: [Gadu-Gadu] "E:\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [Debug Byte] C:\DOCUME~1\NATALI~1\DANEAP~1\AUDIOB~1\Film Axis.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe Reader\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe Reader\Reader\AdobeCollabSync.exe

O4 - Global Startup: Digimax Viewer 2.1.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O20 - Winlogon Notify: opnomkj - opnomkj.dll (file missing)

O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)

O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LXCCCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCserv.exe

O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcccoms.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

==

SILENT RUNNER

==

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]

"Skype" = ""D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1" [file not found]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" [file not found]

"Gadu-Gadu" = ""E:\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"Debug Byte" = "C:\DOCUME~1\NATALI~1\DANEAP~1\AUDIOB~1\Film Axis.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"BearShare" = ""D:\Program Files\BS\BearShare.exe" /pause" [file not found]

"LXCCCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16" [MS]

"lxccmon.exe" = ""C:\Program Files\Lexmark 3300 Series\lxccmon.exe"" [file not found]

"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [file not found]

"MSconfig" = "C:\WINDOWS\System32\MSconfig.exe" [file not found]

"BearFlix" = ""C:\Program Files\BearFlix\bearflix.exe" /pause" [file not found]

"QuickTime Task" = ""C:\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"VirtualCloneDrive" = ""C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"]

"WinampAgent" = "d:\Program Files\Winamp\winampa.exe" [file not found]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"Anti Trojan Elite" = "D:\Program Files\Anti Trojan Elite\TJEnder.exe :NO" [file not found]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"iTunesHelper" = ""D:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)

\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

  • {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{3F5CBD1C-90B2-4140-8E99-5E47D66B303f}(Default) = (no title provided)

  • {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\WINDOWS\System32\iarktgic.dll" [file not found]

{46A4E9D9-B30E-452A-8157-DBBEC8573B03}(Default) = (no title provided)

  • {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [file not found]

{D38439EC-4A7F-42b4-90C2-D810D7778FDD}(Default) = (no title provided)

  • {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\WINDOWS\System32\dhaaqpqr.dll" [file not found]

{D651AFF4-9590-424d-BD1E-8E33E090DFB3}(Default) = (no title provided)

  • {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\WINDOWS\System32\cuiwhptp.dll" [null data]

{EF93A547-75C4-4238-BA1A-A49364589E2D}(Default) = (no title provided)

  • {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\WINDOWS\System32\pmnlj.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  • {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  • {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  • {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

  • {HKLM...CLSID} = "Eksplorator pulpitów"

\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  • {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"

  • {HKLM...CLSID} = "VirtualCloneDrive Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  • {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "D:\Program Files\WinRar\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  • {HKLM...CLSID} = "NeroDigitalIconHandler Class"

\InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" [file not found]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  • {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

\InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" [file not found]

"{B089FE88-FB52-11d3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  • {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  • {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

\InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  • {HKLM...CLSID} = "iTunes"

\InProcServer32(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

crypt\DLLName = "crypts.dll" [file not found]

opnomkj\DLLName = "opnomkj.dll" [file not found]

rpcc\DLLName = "C:\WINDOWS\System32\rpcc.dll" [file not found]

winzdn32\DLLName = "winzdn32.dll" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\

text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  • {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  • {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

\InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" [file not found]

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"

  • {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"

  • {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  • {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "D:\Program Files\WinRar\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  • {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "D:\Program Files\WinRar\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"

  • {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  • {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "D:\Program Files\WinRar\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\Natalia T\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Natalia T" "All Users" startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" - shortcut to: "D:\Program Files\Adobe Reader\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Adobe Reader Synchronizer" - shortcut to: "D:\Program Files\Adobe Reader\Reader\AdobeCollabSync.exe" [null data]

"Digimax Viewer 2.1" - shortcut to: "C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe /s" ["STOIK Imaging (http://www.stoik.com)"]

"Microsoft Office" - shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

Enabled Scheduled Tasks:


"AC338617918C383F" - launches: "c:\docume~1\natali~1\daneap~1\audiob~1\Vga Bat 1.exe" [file not found]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 19

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:


Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{74DD705D-6834-439C-A735-A6DBE2677452}"

  • {HKLM...CLSID} = "VSAdd-in"

\InProcServer32(Default) = "C:\Program Files\VSAdd-in\VSAdd-in.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = "Badanie"

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"

Running Services (Display Name, Service Name, Path {Service DLL}):


iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

Print Monitors:


HKLM\System\CurrentControlSet\Control\Print\Monitors\

3300 Series Port\Driver = "lxcclmpm.DLL" ["Lexmark International, Inc."]

Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


: Suspicious data at a malware launch point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 82 seconds, including 9 seconds for message boxes)

==


(Monczkin) #6

matyks popraw posty z logami, inaczej temat wyleci. Poczytaj w tym dziale tematy o ich prawidłowym wklejaniu.


(adam9870) #7

Ściągnij program KillBox, zaznacz Delete on reboot , w polu full path of file wklej ścieżkę:

C:\WINDOWS\System32\cuiwhptp.dll

Kliknij czerwonego iksa i reset.

Usuń wpisy HJT.

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Na temat tworzenia loga numer 1 w l2mfix poczytaj tutaj:

http://cybertrash.pl/images/tata/L2MFIX.html

Po wykonaniu wklej wszystkie trzy nowe logi.