I can't remove Vundo


(AQX) #1

Hi... I have the same problem as StanleyP, here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:05:39, on 2007-11-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\RALINK\RT2400 Wireless LAN Card\Installer\WINXP\RaConfig.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\aslulpkr.dll
O4 - HKLM..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM..\Run: [ec1f15a6] rundll32.exe "C:\WINDOWS\system32\kcailamd.dll",b
O4 - HKCU..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Raconfig.lnk = C:\Program Files\RALINK\RT2400 Wireless LAN Card\Installer\WINXP\RaConfig.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3275 bytes


(Gutek) #2

I'm splitting this off into its own topic. Note: when you paste a log, wrap it in a CODE or QUOTE tag

Regards, Gutek2222

Use VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

After that, post a ComboFix log.


(AQX) #3

VundoFix log:

VundoFix V6.5.10

Checking Java version...
Sun Java not detected

Scan started at 18:50:55 2007-11-14

Listing files found while scanning....
C:\WINDOWS\system32\aslulpkr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aslulpkr.dll
C:\WINDOWS\system32\aslulpkr.dll Has been deleted!

Performing Repairs to the registry.
Done!

There is no log from the Trojan.Vundo Removal Tool!!

VirtumundoBeGone log:

[11/14/2007, 19:01:41] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Gonzo\Pulpit\Przydatne\VirtumundoBeGone.exe" )
[11/14/2007, 19:01:43] - Detected System Information:
[11/14/2007, 19:01:43] - Windows Version: 5.1.2600, Dodatek Service Pack 2
[11/14/2007, 19:01:44] - Current Username: Gonzo (Admin)
[11/14/2007, 19:01:44] - Windows is in NORMAL mode.
[11/14/2007, 19:01:44] - Searching for Browser Helper Objects:
[11/14/2007, 19:01:44] - BHO 1: {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} ()
[11/14/2007, 19:01:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/14/2007, 19:01:44] - Checking for HKLM...\Winlogon\Notify\khfgeca
[11/14/2007, 19:01:44] - Found: HKLM...\Winlogon\Notify\khfgeca - This is probably Virtumundo.
[11/14/2007, 19:01:44] - Assigning {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} MSEvents Object
[11/14/2007, 19:01:44] - BHO list has been changed! Starting over...
[11/14/2007, 19:01:44] - BHO 1: {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} (MSEvents Object)
[11/14/2007, 19:01:44] - ALERT: Found MSEvents Object!
[11/14/2007, 19:01:44] - BHO 2: {903FACCF-4546-4FE3-887E-1741723C6D03} ()
[11/14/2007, 19:01:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/14/2007, 19:01:44] - Checking for HKLM...\Winlogon\Notify\jkhhh
[11/14/2007, 19:01:44] - Key not found: HKLM...\Winlogon\Notify\jkhhh, continuing.
[11/14/2007, 19:01:44] - BHO 3: {99DEF6EE-B060-47B2-87FD-09130974E594} ()
[11/14/2007, 19:01:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/14/2007, 19:01:44] - Checking for HKLM...\Winlogon\Notify\jumper83122.exe
[11/14/2007, 19:01:44] - Key not found: HKLM...\Winlogon\Notify\jumper83122.exe, continuing.
[11/14/2007, 19:01:44] - BHO 4: {bc0908cd-7d14-4cc1-96fe-bde2bfdbf285} ()
[11/14/2007, 19:01:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/14/2007, 19:01:44] - Checking for HKLM...\Winlogon\Notify\vfltpyrr
[11/14/2007, 19:01:44] - Key not found: HKLM...\Winlogon\Notify\vfltpyrr, continuing.
[11/14/2007, 19:01:44] - Finished Searching Browser Helper Objects
[11/14/2007, 19:01:44] - *** Detected MSEvents Object
[11/14/2007, 19:01:44] - Trying to remove MSEvents Object...
[11/14/2007, 19:01:45] - Terminating Process: IEXPLORE.EXE
[11/14/2007, 19:01:45] - Terminating Process: RUNDLL32.EXE
[11/14/2007, 19:01:45] - Disabling Automatic Shell Restart
[11/14/2007, 19:01:45] - Terminating Process: EXPLORER.EXE
[11/14/2007, 19:01:45] - Suspending the NT Session Manager System Service
[11/14/2007, 19:01:45] - Terminating Windows NT Logon/Logoff Manager
[11/14/2007, 19:01:46] - Re-enabling Automatic Shell Restart
[11/14/2007, 19:01:46] - File to disable: C:\WINDOWS\system32\khfgeca.dll
[11/14/2007, 19:01:46] - Renaming C:\WINDOWS\system32\khfgeca.dll -> C:\WINDOWS\system32\khfgeca.dll.vir
[11/14/2007, 19:01:46] - File successfully renamed!
[11/14/2007, 19:01:46] - Removing HKLM...\Browser Helper Objects{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}
[11/14/2007, 19:01:46] - Removing HKCR\CLSID{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}
[11/14/2007, 19:01:46] - Adding Kill Bit for ActiveX for GUID: {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}
[11/14/2007, 19:01:46] - Deleting ATLEvents/MSEvents Registry entries
[11/14/2007, 19:01:46] - Removing HKLM...\Winlogon\Notify\khfgeca
[11/14/2007, 19:01:46] - Searching for Browser Helper Objects:
[11/14/2007, 19:01:46] - BHO 1: {903FACCF-4546-4FE3-887E-1741723C6D03} ()
[11/14/2007, 19:01:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/14/2007, 19:01:46] - Checking for HKLM...\Winlogon\Notify\jkhhh
[11/14/2007, 19:01:46] - Key not found: HKLM...\Winlogon\Notify\jkhhh, continuing.
[11/14/2007, 19:01:46] - BHO 2: {99DEF6EE-B060-47B2-87FD-09130974E594} ()
[11/14/2007, 19:01:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/14/2007, 19:01:46] - Checking for HKLM...\Winlogon\Notify\jumper83122.exe
[11/14/2007, 19:01:46] - Key not found: HKLM...\Winlogon\Notify\jumper83122.exe, continuing.
[11/14/2007, 19:01:46] - BHO 3: {bc0908cd-7d14-4cc1-96fe-bde2bfdbf285} ()
[11/14/2007, 19:01:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/14/2007, 19:01:46] - Checking for HKLM...\Winlogon\Notify\vfltpyrr
[11/14/2007, 19:01:46] - Key not found: HKLM...\Winlogon\Notify\vfltpyrr, continuing.
[11/14/2007, 19:01:46] - Finished Searching Browser Helper Objects
[11/14/2007, 19:01:46] - Finishing up...
[11/14/2007, 19:01:46] - A restart is needed.
[11/14/2007, 19:01:50] - Attempting to Restart via STOP error (Blue Screen!)

ComboFix log: http://wklej.org/id/5f80f50647


(Gutek) #4

Note: when you paste a log, wrap it in a CODE or QUOTE tag

Regards, Gutek2222

Paste into Notepad:

>>File>>Save as... >>> CFScript (it is easiest if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto ComboFix.exe (that is, the CFScript.txt icon onto the ComboFix.exe icon)

- like in this picture --> 88953CFScript-createdbyMiekiemoes.gif

(if a "1 or 2" prompt appears, type 1 and press ENTER.) Removal should start (and a log will be produced).

After the restart, manually delete the folder C: **** Qoobox.

After that, a new ComboFix log, but before the log:

Paste into Notepad:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00

From Notepad's menu: File > Save as, set the file type to "All files", save as FIX.REG, and run that file (double-click).
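The FIX.REG above resets the LSA "Authentication Packages" value, the REG_MULTI_SZ list of DLLs that lsass.exe loads at boot, back to the stock msv1_0 entry; a Vundo variant that adds its own DLL there gets loaded into LSASS on every start, which is why the value is deleted ("=-") and rewritten rather than edited. The `hex(7):` form is that REG_MULTI_SZ written as comma-separated UTF-16LE bytes on backslash-continued lines. The following Python is added here as an example and is not code from the thread or from any of the tools named in it: it decodes that line, rebuilds it byte for byte, and lists entries other than msv1_0 so you can check the value from `reg export` before and after the fix. The `unexpected_packages` check, the constructed `example.dll` path and the 78-column wrapping rule are my own; the default package list assumes a stock Windows XP system like the one in the log.

```python
# Added example (not from the forum thread): decode and rebuild the REG_MULTI_SZ
# "hex(7)" value that FIX.REG writes to the LSA key, and flag unexpected entries.
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Authentication Packages"
DEFAULT_PACKAGES = ["msv1_0"]  # the only entry on a stock Windows XP install

# The value line exactly as it appears in the FIX.REG text on this page.
PAGE_LSA_VALUE = (
    '"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\\\n'
    '  00'
)


def parse_hex7_line(value_text):
    """Return (name, raw_bytes) from a .reg hex(7) value, joining "\\"+newline continuations."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", value_text.strip())
    m = re.fullmatch(r'"([^"]+)"=hex\(7\):([0-9a-fA-F,]*)', joined)
    if not m:
        raise ValueError("not a hex(7) value line: %r" % value_text)
    return m.group(1), bytes(int(b, 16) for b in m.group(2).split(",") if b)


def decode_multi_sz(raw):
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, list ended by one more NUL."""
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def encode_multi_sz(strings):
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def format_hex7_line(name, raw, width=78):
    """Lay the bytes out the way regedit exports them (assumed rule, matches the page):
    at most `width` characters per line before the trailing backslash, continuation
    lines indented by two spaces, no comma after the last byte."""
    tokens = ["%02x" % b for b in raw]
    lines, line = [], '"%s"=hex(7):' % name
    for i, tok in enumerate(tokens):
        piece = tok if i == len(tokens) - 1 else tok + ","
        if len(line) + len(piece) > width:
            lines.append(line + "\\")
            line = "  " + piece
        else:
            line += piece
    lines.append(line)
    return "\n".join(lines)


def build_lsa_fix_reg(packages=DEFAULT_PACKAGES):
    """Produce a FIX.REG in the same shape as the one on this page: delete the
    value first ("=-"), then write the wanted package list."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % LSA_KEY,
        '"%s"=-' % VALUE_NAME,
        format_hex7_line(VALUE_NAME, encode_multi_sz(packages)),
        "",
    ])


def unexpected_packages(value_text, expected=DEFAULT_PACKAGES):
    """Given the hex(7) line from a `reg export` of the Lsa key, return the entries
    that are not expected, e.g. a DLL path that a Vundo variant added."""
    _, raw = parse_hex7_line(value_text)
    return [p for p in decode_multi_sz(raw) if p not in expected]


# Constructed sample (hypothetical, not taken from the thread): the default package
# plus one extra DLL, which is the shape an infected value would have.
CONSTRUCTED_INFECTED_LINE = format_hex7_line(
    VALUE_NAME, encode_multi_sz(["msv1_0", r"C:\WINDOWS\system32\example.dll"]))

if __name__ == "__main__":
    print(decode_multi_sz(parse_hex7_line(PAGE_LSA_VALUE)[1]))
    print(unexpected_packages(CONSTRUCTED_INFECTED_LINE))
    print(build_lsa_fix_reg())
```

To check a live machine, run `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" lsa.reg`, pass the "Authentication Packages" line from that file to `unexpected_packages`, and treat any returned entry as something to identify before you apply the fix; the fix itself only restores msv1_0 and does not remove the DLL file that was listed.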


(AQX) #5

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00

I'm supposed to add this before the log, in the txt file where the log is... did I understand that correctly????

That toolbar has already disappeared... and I have a question: is there nothing in the HijackThis log related to the adware??


(Gutek) #6

Yes, before the log, and after that a ComboFix log.


(AQX) #7

OK... thanks for the help, regards!!!


(Arekmalek) #8