system
(system)
18 January 2010 10:52
#1
Hi, I have a problem with kmj.exe
OTL logs:
http://wklejto.pl/54455
Extras
http://wklejto.pl/54457
I would really appreciate some help.
Does anyone know what else this thing does besides hiding hidden files and making it impossible to unhide them? In Total Commander I can view hidden files, and I can see the kmj.exe file too, but deleting it does nothing. Where does it get restored from? What should I delete in the registry?
Best regards and thanks in advance
Gutek
(Gutek)
18 January 2010 13:41
#2
Run OTL and paste this into the Custom Scans/Fixes window:
:Processes
Explorer.EXE

:OTL
MOD - [2010-01-18 09:25:38 | 00,086,016 | RHS- | M] () -- C:\Documents and Settings\admin\Ustawienia lokalne\Temp\cvasds1.dll
IE - HKCU\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - Reg Error: Key error. File not found
FF - prefs.js..browser.search.defaultthis.engineName: "Free_Lunch_Design Customized Web Search"
FF - prefs.js..browser.search.selectedEngine: "Free_Lunch_Design Customized Web Search"
FF - prefs.js..extensions.enabledItems: {57cc715d-37ca-44e4-9ec2-8c2cbddb25ec}:2.5.2.14
[2010-01-12 08:50:44 | 00,000,000 | ---D | M] (Free Lunch Design Toolbar) -- C:\Documents and Settings\admin\Dane aplikacji\Mozilla\Firefox\Profiles\ab2eu9wq.default\extensions\{57cc715d-37ca-44e4-9ec2-8c2cbddb25ec}
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Ask Toolbar BHO) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Ask.com)
O3 - HKLM\..\Toolbar: (Free Lunch Design Toolbar) - {57cc715d-37ca-44e4-9ec2-8c2cbddb25ec} - C:\Program Files\Free_Lunch_Design\tbFre0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Ask.com)
O3 - HKCU\..\Toolbar\ShellBrowser: (Free Lunch Design Toolbar) - {57CC715D-37CA-44E4-9EC2-8C2CBDDB25EC} - C:\Program Files\Free_Lunch_Design\tbFre0.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Free Lunch Design Toolbar) - {57CC715D-37CA-44E4-9EC2-8C2CBDDB25EC} - C:\Program Files\Free_Lunch_Design\tbFre0.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Ask.com)
O4 - HKLM\..\Run: [MyWebSearch Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL File not found
O4 - HKCU\..\Run: [cdoosoft] C:\Documents and Settings\admin\Ustawienia lokalne\Temp\herss.exe ()
O32 - AutoRun File - [2010-01-18 11:38:20 | 00,000,055 | RHS- | M] () - C:\autorun.inf -- [FAT32]
O32 - AutoRun File - [2010-01-18 11:38:19 | 00,000,055 | RHS- | M] () - D:\autorun.inf -- [NTFS]
O32 - AutoRun File - [2010-01-18 11:38:19 | 00,000,055 | RHS- | M] () - E:\autorun.inf -- [NTFS]
O33 - MountPoints2\{0720e324-3886-11de-8e2d-001485b0adc9}\Shell - "" = AutoRun
O33 - MountPoints2\{0720e325-3886-11de-8e2d-001485b0adc9}\Shell - "" = AutoRun
O33 - MountPoints2\{0dc10924-35ad-11de-8e2c-001485b0adc9}\Shell - "" = AutoRun
O33 - MountPoints2\{46a36836-f757-11dd-8de6-001485b0adc9}\Shell - "" = AutoRun
O33 - MountPoints2\{4ab30516-fc15-11dc-8d32-001485b0adc9}\Shell\AutoRun\command - "" = H:\USBNB.exe -- File not found
O33 - MountPoints2\{5629c1f6-033f-11de-8e04-001485b0adc9}\Shell - "" = AutoRun
O33 - MountPoints2\{59cb7dbd-0f82-11dd-8d45-001485b0adc9}\Shell - "" = AutoRun
O33 - MountPoints2\{8d5553e2-4f80-11de-8e47-001485b0adc9}\Shell\AutoRun\command - "" = G:\q9.cmd -- File not found
O33 - MountPoints2\{8d5553e2-4f80-11de-8e47-001485b0adc9}\Shell\open\Command - "" = G:\q9.cmd -- File not found
O33 - MountPoints2\{a850f57c-2995-11de-8e22-001485b0adc9}\Shell - "" = AutoRun
O33 - MountPoints2\{aa9beebc-b098-11dd-8da4-001485b0adc9}\Shell\AutoRun\command - "" = H:\8xcrbho6.exe -- File not found
O33 - MountPoints2\{aa9beebc-b098-11dd-8da4-001485b0adc9}\Shell\open\Command - "" = H:\8xcrbho6.exe -- File not found
O33 - MountPoints2\{c9506461-6a3b-11de-8e6d-001485b0adc9}\Shell - "" = AutoRun
O33 - MountPoints2\{c9506462-6a3b-11de-8e6d-001485b0adc9}\Shell - "" = AutoRun
O33 - MountPoints2\{d4f90fa6-00ea-11df-8ee2-001485b0adc9}\Shell\AutoRun\command - "" = G:\kmj.exe -- File not found
O33 - MountPoints2\{d4f90fa6-00ea-11df-8ee2-001485b0adc9}\Shell\open\Command - "" = G:\kmj.exe -- File not found
O33 - MountPoints2\{dbeecaa2-819a-11de-8e85-001485b0adc9}\Shell - "" = AutoRun
O33 - MountPoints2\{e72a411a-1e8f-11de-8e19-001485b0adc9}\Shell - "" = AutoRun
[2010-01-18 11:41:02 | 00,000,055 | RHS- | M] () -- C:\autorun.inf
[2010-01-18 09:25:38 | 00,115,712 | RHS- | M] () -- C:\9xf8.exe
[2010-01-14 09:16:42 | 00,111,104 | RHS- | M] () -- C:\kmj.exe
[2010-01-12 08:49:16 | 00,118,784 | RHS- | M] () -- C:\8xcrbho6.exe
[2010-01-18 09:26:04 | 00,115,712 | RHS- | C] () -- C:\9xf8.exe
[2010-01-13 09:29:47 | 00,111,104 | RHS- | C] () -- C:\kmj.exe
[2010-01-11 13:08:57 | 00,000,055 | RHS- | C] () -- C:\autorun.inf
[2010-01-11 13:08:53 | 00,118,784 | RHS- | C] () -- C:\8xcrbho6.exe

:Files
C:\9xf8.exe
C:\kmj.exe
C:\autorun.inf
C:\8xcrbho6.exe
G:\q9.cmd
G:\kmj.exe
H:\8xcrbho6.exe
C:\Documents and Settings\admin\Ustawienia lokalne\Temp\herss.exe
C:\Program Files\Free_Lunch_Design
C:\Program Files\AskSBar
C:\PROGRA~1\MYWEBS~1

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""

:Commands
[emptytemp]
[Reboot]
Click Run Fix. Confirm the computer restart.
Then run OTL again, this time using the Run Scan option.
Post the new OTL.txt log and the log from the cleaning.
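An added example, not part of this thread and not OTL's own code: a read-only PowerShell audit of the things the fix script above touches, so the state can be checked before the fix and again after the reboot. The registry paths, value names and expected values are taken from the :Reg section of the script; the helpers Get-RegValue, Get-CommandExe and Test-FileExists are written for this example and are not OTL functions. It changes nothing on the machine.

```powershell
# Added example, not from the thread or from OTL: a read-only audit of the
# artefacts the fix script above removes or resets. It changes nothing.
# Expected values are the ones the :Reg section of the script writes.

function Get-RegValue([string]$Path, [string]$Name) {
    # Helper for this example: returns $null when the key or value is absent.
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-CommandExe([string]$Command) {
    # Helper for this example: '"C:\x.exe" /arg' -> C:\x.exe ; 'G:\kmj.exe' -> G:\kmj.exe
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($Command -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-FileExists([string]$Path) {
    # Helper for this example: a missing drive letter (G:, H: in the log) must
    # read as "missing", not as an error; an empty path is treated the same way.
    if (-not $Path) { return $false }
    [bool](Test-Path -LiteralPath $Path -PathType Leaf -ErrorAction SilentlyContinue)
}

# 1. Explorer hidden-file settings. The fix sets all of these to 1 (show hidden
#    and protected OS files); the RHS-attributed files stay unseen while they are off.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
foreach ($name in 'Hidden', 'SuperHidden', 'ShowSuperHidden') {
    $v = Get-RegValue $adv $name
    $tag = if ($v -eq 1) { 'ok     ' } else { 'CHANGED' }
    "$tag HKCU\...\Explorer\Advanced\$name = $v"
}
$cv = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' 'CheckedValue'
$tag = if ($cv -eq 1) { 'ok     ' } else { 'CHANGED' }
"$tag HKLM\...\Folder\Hidden\SHOWALL\CheckedValue = $cv"

# 2. MountPoints2: per-volume AutoRun handlers. Entries whose command points at
#    a file that is gone (G:\kmj.exe, H:\8xcrbho6.exe in the log) are leftovers
#    of infected removable drives; the fix deletes the whole key.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path -LiteralPath $mp) {
    foreach ($vol in Get-ChildItem -LiteralPath $mp) {
        foreach ($sub in 'Shell\AutoRun\command', 'Shell\open\Command') {
            $key = "$($vol.PSPath)\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $cmd = (Get-ItemProperty -LiteralPath $key).'(default)'
            if (-not $cmd) { continue }
            $state = if (Test-FileExists (Get-CommandExe $cmd)) { 'present' } else { 'missing' }
            "MountPoints2\$($vol.PSChildName)\$sub = $cmd [$state]"
        }
    }
}

# 3. autorun.inf in every drive root: size, attributes and the lines that launch
#    something. The infected ones in the log are 55-byte RHS files on C:, D: and E:.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-FileExists $inf)) { continue }
    $item = Get-Item -LiteralPath $inf -Force          # -Force: the file is hidden
    $launch = Select-String -LiteralPath $inf -Pattern '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' |
              ForEach-Object { $_.Line.Trim() }
    "$inf  $($item.Length) bytes  [$($item.Attributes)]  $($launch -join '; ')"
}

# 4. Run entries that start from a Temp directory (herss.exe in the log) or point
#    at a file that no longer exists (the MyWebSearch plugin).
foreach ($hive in 'HKCU', 'HKLM') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $exe = Get-CommandExe ([string]$p.Value)
        $flags = @()
        if ($exe -match '\\Temp\\') { $flags += 'temp-dir' }
        if (-not (Test-FileExists $exe)) { $flags += 'missing' }
        if ($flags) { "$hive\...\Run [$($p.Name)] $($p.Value) <$($flags -join ',')>" }
    }
}
```

Run it as the affected user (the HKCU keys are per user; the HKLM values are readable without elevation). Lines tagged CHANGED, missing or temp-dir are the same items the fix script lists; after the fix and the reboot the MountPoints2 section should be empty, the four Explorer values should read ok, and no autorun.inf should remain in a drive root unless you put one there yourself.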
system
(system)
18 January 2010 16:05
#3
Thanks a lot - this is the log after doing everything:
http://wklejto.pl/54509
this is the OTL log after running a full scan again
http://wklejto.pl/54522
Extras
http://www.wklejto.pl/54523
Could you tell me which lines I should enter to fix this in the future, so I can deal with this thing on my own?
Leon1
(Leon$)
18 January 2010 16:15
#4
In OTL, paste the following script into the Custom Scans-Fixes window:
:Processes
explorer.exe

:OTL
IE - HKCU\..\URLSearchHook: {57cc715d-37ca-44e4-9ec2-8c2cbddb25ec} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {57cc715d-37ca-44e4-9ec2-8c2cbddb25ec} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKCU\..\Run: [VoipDiscount] E:\Voip\VoipDiscount\VoipDiscount.exe File not found
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta … s-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta … s-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta … s-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta … s-i586.cab (Reg Error: Key error.)
[2010-01-04 09:30:14 | 00,000,000 | -HSD | C] -- C:\FOUND.035

:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=-
"C:\Program Files\Yahoo!\Messenger\YServer.exe"=-
"C:\Program Files\Winamp Remote\bin\Orb.exe"=-
"C:\Program Files\Winamp Remote\bin\OrbTray.exe"=-
"C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"=-
"E:\Voip\VoipDiscount\VoipDiscount.exe"=-
"C:\Program Files\eMule\emule.exe"=-
"C:\Program Files\Konnekt\konnekt.exe"=-

:Commands
[emptytemp]
[start explorer]
[Reboot]
Click Run Fix. Confirm the computer restart.
then a new OTL log
system
(system)
18 January 2010 16:33
#5
Here is the new OTL log from a full scan
http://wklejto.pl/54530
Leon1
(Leon$)
18 January 2010 17:00
#6
In OTL, paste the following script into the Custom Scans-Fixes window:
Click Run Fix. Confirm the computer restart.
In OTL click CleanUp
Download CCleaner http://www.filehippo.com/download_ccleaner/
scan with it and clean the registry.
optimize startup
http://cybertrash.netarteria.pl/cyber/i … 378.0.html
Turn System Restore off and back on for all drives: http://support.microsoft.com/kb/310405/pl
scan with
Dr.WEB CureIt! http://www.dobreprogramy.pl/DrWEB-CureI … 12976.html
system
(system)
18 January 2010 17:34
#7
What next after scanning with Dr.Web?
Which account should I send donations to??
Will you reveal a bit of the secret of what to type into OTL, and in which cases?