Solo_ZiP
(Solosk8)
29 December 2006 00:33
#1
Hi, for some time now I've been having a problem with my computer: strange things are happening, e.g. it drops my internet connection (I connect over a wireless link), or pages won't open, e.g. GG works but browsing pages is no longer possible. The most annoying thing is that when I'm listening to music or watching a film it happens more often, and after a few minutes the computer hangs, it just freezes. Please help! I'll add that some time ago I had a problem with viruses, but I read the forum and I think I removed everything. Just in case, here are the logs from HijackThis and Silent Runners.
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 01:24:36, on 2006-12-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\SYSTEM32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\WLAN\WConfig\WConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Solo\Moje dokumenty\Solo\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmodc.exe] C:\windows\system32\dmodc.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Windows Update Notifier] "C:\windows\system32\winalert.exe"
O4 - HKCU\..\Run: [WinMedia] winnt321988656.exe
O4 - HKCU\..\Run: [WinInit] winnt322019218.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\Documents and Settings\Solo\Pulpit\winnt322031000.exe"
O4 - Global Startup: WConfig.lnk = ?
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{D510FF77-0C07-433A-A9D7-959394F6E376}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O23 - Service: Usługa bramy warstwy aplikacji (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\MKS\Bin\mksmonsv.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Silent Runners
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"WinMedia" = "winnt321988656.exe" [file not found]
"WinInit" = "winnt322019218.exe" [file not found]
"WinUpdate" = ""C:\Documents and Settings\Solo\Pulpit\winnt322031000.exe" " [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
" " = "C:\Program Files\Gadu-Gadu2\server.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"dmodc.exe" = "C:\windows\system32\dmodc.exe" [file not found]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"Windows Update Notifier" = ""C:\windows\system32\winalert.exe"" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{CC1E0C36-712E-46CE-A390-1F66F5094335}" = "BurstCopy"
  -> {HKLM...CLSID} = "BurstCopy"
                   \InProcServer32\(Default) = "C:\Program Files\BurstCopy\bcsh.dll" ["BurstCopy Labs"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
  -> {HKLM...CLSID} = "TMD Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
  -> {HKLM...CLSID} = "VBPropSheet"
                   \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{429F4BB8-7BF7-4152-8011-3C6F9EB7E892}" = "Module"
  -> {HKCU...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\chp.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "csepm.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
                   \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
BurstCopy\(Default) = "{CC1E0C36-712E-46CE-A390-1F66F5094335}"
  -> {HKLM...CLSID} = "BurstCopy"
                   \InProcServer32\(Default) = "C:\Program Files\BurstCopy\bcsh.dll" ["BurstCopy Labs"]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
                   \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktop" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Disable Active Desktop}

"ClassicShell" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Enable Classic Shell / Turn on Classic Shell}

"ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Enable Active Desktop}

"NoBandCustomize" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
Disable customizing browser toolbars}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\windows\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Solo\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Solo" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"WConfig" -> shortcut to: "C:\Program Files\WLAN\WConfig\WConfig.exe" ["WirelessLan Technology, Corp."]

Enabled Scheduled Tasks:
------------------------

"AVG Free Control Center" -> launches: "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"
  -> {HKLM...CLSID} = "Pasek poleceń Microsoft"
                   \InProcServer32\(Default) = "C:\windows\system32\browseui.dll" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Personal Firewall, TmPfw, "C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe" ["Trend Micro Inc."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
810 Series Port\Driver = "lxbslmpm.DLL" [file not found]

----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 38 seconds.
---------- (total run time: 105 seconds)
Please help.
Joan
(Joan Sunshine)
29 December 2006 00:43
#2
Use the FixWareOut tool.
Turn off System Restore (Control Panel -> System -> System Restore -> tick "Turn off System Restore").
In HJT tick these entries and click "Fix checked" at the bottom:
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Windows Update Notifier] "C:\windows\system32\winalert.exe"
O4 - HKCU\..\Run: [WinMedia] winnt321988656.exe
O4 - HKCU\..\Run: [WinInit] winnt322019218.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\Documents and Settings\Solo\Pulpit\winnt322031000.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{D510FF77-0C07-433A-A9D7-959394F6E376}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
C:\windows\system32\dmodc.exe > scan this file at http://virusscan.jotti.org/ and post the result.
Clean the registry – use jv16 PowerTools 2006 1.5.2.344 for that.
Post new logs.
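The entries Joan singles out above (the O17 NameServer overrides, which appear comma-separated under per-adapter keys and space-separated under the Parameters key, and the Run-key autoruns pointing at bare or profile-resident executables) can be triaged mechanically. The Python script below is an added example written for this page, not a tool from the thread; its sample log lines are constructed from the first HijackThis log, and the trusted-resolver ranges are assumed placeholders for whatever the router or ISP actually hands out.

```python
"""Triage a HijackThis 1.99-style log for the two entry classes discussed in this
thread: O17 (NameServer overrides) and O4 (Run-key autoruns)."""
import re
from ipaddress import ip_address, ip_network

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a,b   (comma-separated)
# O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = a b  (space-separated)
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# O4 - HKCU\..\Run: [WinMedia] winnt321988656.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed sample, modelled on the first log in the thread (HijackThis' native
# "HKLM\..\Run" spelling rather than the forum's rendering of it).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Update Notifier] "C:\windows\system32\winalert.exe"
O4 - HKCU\..\Run: [WinMedia] winnt321988656.exe
O4 - HKCU\..\Run: [WinInit] winnt322019218.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\Documents and Settings\Solo\Pulpit\winnt322031000.exe"
O4 - Global Startup: WConfig.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
"""

# Assumed placeholder: the resolvers this machine should be using (router / ISP).
TRUSTED_RESOLVERS = ["192.168.0.0/16", "10.0.0.0/8"]


def parse_nameservers(value):
    """Accept both separators HijackThis shows (comma per adapter, space in
    Parameters) and drop any token that is not an IP address."""
    servers = []
    for tok in re.split(r"[,\s]+", value.strip()):
        try:
            servers.append(str(ip_address(tok)))
        except ValueError:
            pass
    return servers


def command_path(cmd):
    """Return just the executable from a Run value: the quoted token if quoted,
    otherwise the first whitespace-delimited token (arguments are dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def autorun_reasons(path):
    """Heuristics for an autorun target; each hit is a human-readable reason."""
    reasons = []
    if "\\" not in path:
        reasons.append("bare filename with no directory (resolved via PATH at logon)")
    if "\\documents and settings\\" in path.lower():
        reasons.append("autorun target lives inside a user profile")
    if re.search(r"\d{6,}\.exe$", path, re.IGNORECASE):
        reasons.append("long digit run in executable name")
    return reasons


def untrusted(servers, trusted_nets):
    return [ip for ip in servers if not any(ip_address(ip) in n for n in trusted_nets)]


def triage(log_text, trusted_resolvers):
    """Return (kind, original line, reason) for every O17/O4 line worth ticking."""
    trusted = [ip_network(n) for n in trusted_resolvers]
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            rogue = untrusted(parse_nameservers(m["servers"]), trusted)
            if rogue:
                findings.append(("O17", line, "resolver(s) outside the trusted set: " + ", ".join(rogue)))
            continue
        m = O4_RE.match(line)
        if not m:
            continue  # Global Startup and other O4 forms are not handled here
        reasons = autorun_reasons(command_path(m["cmd"]))
        if reasons:
            findings.append(("O4", line, "; ".join(reasons)))
    return findings


def rogue_resolvers(findings):
    """Distinct resolver IPs named in the O17 findings, sorted."""
    ips = set()
    for kind, _, reason in findings:
        if kind == "O17":
            ips.update(reason.split(": ", 1)[1].split(", "))
    return sorted(ips)


if __name__ == "__main__":
    for kind, line, why in triage(SAMPLE_LOG, TRUSTED_RESOLVERS):
        print(f"[{kind}] {why}\n    {line}")
```

The heuristics deliberately stay conservative: winalert.exe in system32 is not flagged by them, which is exactly the kind of entry only a helper who knows the legitimate Windows Update components (wuauclt.exe) would pick out.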
Solo_ZiP
(Solosk8)
29 December 2006 12:32
#4
I used the FixWareOut tool, and here is the report
Fixwareout Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csepm.exe"
...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
...
Random Runs removed from HKLM
"dmodc.exe"=-
...
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
* csr.exe C:\windows\System32\CSLMV.EXE
»»»»» Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSLMV.EXE 51 205 2006-09-08
C:\WINDOWS\SYSTEM32\DMAXS.EXE 61 965 2004-08-03
Other suspects.
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""
...
I removed the entries in HijackThis.
C:\windows\system32\dmodc.exe <- I didn't scan this file, because FixWareOut seems to have already removed it; in any case the file is no longer there.
I cleaned the registry with that program, jv16 PowerTools 2006 1.5.2.344.
(the result was terrifying :O)
Now I'm posting the HijackThis and Silent Runners logs. Do you also need the report from that registry clean-up? If so, let me know.
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 13:25:06, on 2006-12-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\SYSTEM32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\windows\system32\NOTEPAD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WLAN\WConfig\WConfig.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\jv16 PowerTools 2006\jv16pt.exe
C:\Documents and Settings\Solo\Moje dokumenty\Solo\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - Global Startup: WConfig.lnk = ?
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O23 - Service: Usługa bramy warstwy aplikacji (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\MKS\Bin\mksmonsv.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Silent Runners
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{CC1E0C36-712E-46CE-A390-1F66F5094335}" = "BurstCopy"
  -> {HKLM...CLSID} = "BurstCopy"
                   \InProcServer32\(Default) = "C:\Program Files\BurstCopy\bcsh.dll" ["BurstCopy Labs"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
  -> {HKLM...CLSID} = "TMD Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
  -> {HKLM...CLSID} = "VBPropSheet"
                   \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{429F4BB8-7BF7-4152-8011-3C6F9EB7E892}" = "Module"
  -> {HKCU...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\chp.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
                   \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
BurstCopy\(Default) = "{CC1E0C36-712E-46CE-A390-1F66F5094335}"
  -> {HKLM...CLSID} = "BurstCopy"
                   \InProcServer32\(Default) = "C:\Program Files\BurstCopy\bcsh.dll" ["BurstCopy Labs"]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
                   \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktop" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Disable Active Desktop}

"ClassicShell" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Enable Classic Shell / Turn on Classic Shell}

"ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Enable Active Desktop}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\windows\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Solo\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Solo" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"WConfig" -> shortcut to: "C:\Program Files\WLAN\WConfig\WConfig.exe" ["WirelessLan Technology, Corp."]

Enabled Scheduled Tasks:
------------------------

"AVG Free Control Center" -> launches: "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"
  -> {HKLM...CLSID} = "Pasek poleceń Microsoft"
                   \InProcServer32\(Default) = "C:\windows\system32\browseui.dll" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Personal Firewall, TmPfw, "C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe" ["Trend Micro Inc."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
810 Series Port\Driver = "lxbslmpm.DLL" [file not found]

----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 18 seconds.
---------- (total run time: 71 seconds)
adam9870
(adam9870)
29 December 2006 12:41
#5
Download the KillBox program, tick Delete on reboot, and in the "full path of file" field paste these paths:
C:\WINDOWS\SYSTEM32\CSLMV.EXE
C:\WINDOWS\SYSTEM32\DMAXS.EXE
After pasting each path separately click the red X, and only after pasting the last one agree to the restart.
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All files >>> save it under the name FIX.REG and run it in Safe Mode.
Once that is done, post new logs.
Solo_ZiP
(Solosk8)
29 December 2006 20:12
#6
I removed cslmv.exe and dmaxs.exe with KillBox, then opened fix.reg in Safe Mode and added it to the registry. Here are the logs.
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 21:10:24, on 2006-12-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\SYSTEM32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\WLAN\WConfig\WConfig.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Solo\Moje dokumenty\Solo\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [txpmv.exe] C:\windows\system32\txpmv.exe
O4 - Global Startup: WConfig.lnk = ?
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{D510FF77-0C07-433A-A9D7-959394F6E376}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O23 - Service: Usługa bramy warstwy aplikacji (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\MKS\Bin\mksmonsv.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Silent Runners
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"txpmv.exe" = "C:\windows\system32\txpmv.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
     \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{CC1E0C36-712E-46CE-A390-1F66F5094335}" = "BurstCopy"
  -> {HKLM...CLSID} = "BurstCopy"
     \InProcServer32\(Default) = "C:\Program Files\BurstCopy\bcsh.dll" ["BurstCopy Labs"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
  -> {HKLM...CLSID} = "TMD Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
  -> {HKLM...CLSID} = "VBPropSheet"
     \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
     \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
BurstCopy\(Default) = "{CC1E0C36-712E-46CE-A390-1F66F5094335}"
  -> {HKLM...CLSID} = "BurstCopy"
     \InProcServer32\(Default) = "C:\Program Files\BurstCopy\bcsh.dll" ["BurstCopy Labs"]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
     \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktop" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Disable Active Desktop}

"ClassicShell" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Enable Classic Shell / Turn on Classic Shell}

"ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Enable Active Desktop}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\windows\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Solo\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "Solo" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"WConfig" -> shortcut to: "C:\Program Files\WLAN\WConfig\WConfig.exe" ["WirelessLan Technology, Corp."]


Enabled Scheduled Tasks:
------------------------

"AVG Free Control Center" -> launches: "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"
  -> {HKLM...CLSID} = "Pasek poleceń Microsoft"
     \InProcServer32\(Default) = "C:\windows\system32\browseui.dll" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Personal Firewall, TmPfw, "C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe" ["Trend Micro Inc."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
810 Series Port\Driver = "lxbslmpm.DLL" [file not found]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 40 seconds.
---------- (total run time: 101 seconds)
adam9870
(adam9870)
29 December 2006 20:23
#7
The infection has come back.
Close the ports that worms use. To do this, use Windows Worms Doors Cleaner and switch the markers from disable to enable (all markers should be green; if one of them stays yellow, leave it). A restart is required after using the tool.
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it as FIX.REG and run it in Safe Mode.
O4 - HKLM\..\Run: [txpmv.exe] C:\windows\system32\txpmv.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{D510FF77-0C07-433A-A9D7-959394F6E376}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
Remove these in HJT.
Use the FixWareOut tool.
When done, post a new HijackThis log, a Silent Runners log and the FixWareOut report.
Solo_ZiP
(Solosk8)
30 December 2006 00:57
#8
Done. Except that when I remove the following entries something very strange happens: I can't open any website, I can't download any updates, I can't send an SMS, only GG works but the banners don't display, so I had to restore these entries to be able to post. What's going on? Here they are:
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{D510FF77-0C07-433A-A9D7-959394F6E376}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
I had to restore them, because without that I couldn't have made this post.
Here are the logs from HijackThis, Silent Runners and FixWareOut.
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 01:56:28, on 2006-12-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\SYSTEM32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\WLAN\WConfig\WConfig.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Solo\Moje dokumenty\Solo\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - Global Startup: WConfig.lnk = ?
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{D510FF77-0C07-433A-A9D7-959394F6E376}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23
O23 - Service: Usługa bramy warstwy aplikacji (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\MKS\Bin\mksmonsv.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Silent Runners
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
     \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{CC1E0C36-712E-46CE-A390-1F66F5094335}" = "BurstCopy"
  -> {HKLM...CLSID} = "BurstCopy"
     \InProcServer32\(Default) = "C:\Program Files\BurstCopy\bcsh.dll" ["BurstCopy Labs"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
  -> {HKLM...CLSID} = "TMD Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
  -> {HKLM...CLSID} = "VBPropSheet"
     \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
     \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
BurstCopy\(Default) = "{CC1E0C36-712E-46CE-A390-1F66F5094335}"
  -> {HKLM...CLSID} = "BurstCopy"
     \InProcServer32\(Default) = "C:\Program Files\BurstCopy\bcsh.dll" ["BurstCopy Labs"]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
     \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktop" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Disable Active Desktop}

"ClassicShell" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Enable Classic Shell / Turn on Classic Shell}

"ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Enable Active Desktop}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\windows\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Solo\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "Solo" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"WConfig" -> shortcut to: "C:\Program Files\WLAN\WConfig\WConfig.exe" ["WirelessLan Technology, Corp."]


Enabled Scheduled Tasks:
------------------------

"AVG Free Control Center" -> launches: "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"
  -> {HKLM...CLSID} = "Pasek poleceń Microsoft"
     \InProcServer32\(Default) = "C:\windows\system32\browseui.dll" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Personal Firewall, TmPfw, "C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe" ["Trend Micro Inc."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
810 Series Port\Driver = "lxbslmpm.DLL" [file not found]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 41 seconds.
---------- (total run time: 98 seconds)
FixWareOut
Fixwareout Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""
...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins}1929B3F43739-CE99-D764-7028-C3AAE1C1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
...
Random Runs removed from HKLM
...
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»» Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

...
Postrun check
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""
...
I also forgot to say that after using FixWareOut, the Recycle Bin contains folders from the Content.IE5 folder and the last FixWareOut report. That's very strange. What should I do now?
Bieniol
(Bbieniol)
30 December 2006 07:15
#9
Those O17 entries are Ukrainian DNS servers, which indicate the Windows Security Center rootkit. In your case the DNS servers were probably replaced completely, so I suggest removing those entries and then reconfiguring your internet connection.
Open Notepad and paste this into it:
File -> Save As -> change the file type to All Files -> save it as FIX.REG
Run the FIX.REG file, confirm adding it to the registry and reboot the computer.
Use this tool -> http://dobreprogramy.pl/index.php?dz=2&id=1188&t=59 -> and remove everything it finds with it.
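The O17 clean-up that posts #7 and #9 prescribe by hand (find the NameServer entries in the HijackThis log, build a FIX.REG that deletes them), as an added worked example that is not part of the thread and not code from HijackThis, FixWareOut or any other tool named here. It parses HijackThis O17 lines, expands the tool's shorthand to real registry paths (CCS / CS1 / CS2 to CurrentControlSet / ControlSet001 / ControlSet002, and "Tcpip\..\{GUID}" to "Tcpip\Parameters\Interfaces\{GUID}"), flags resolvers that fall inside a watch-list network, and emits the .reg file. The sample lines are constructed from the log above, plus one O4 line and one interface entry rewritten with a made-up private-LAN resolver to show what is not flagged. The watch-list network (85.255.112.0/20, the /20 that contains both resolvers in the log) is an assumption of the example; the thread itself only calls the addresses Ukrainian.

```python
"""Triage HijackThis O17 (NameServer) entries and generate the matching FIX.REG.

Added example; not code from the thread or from any of the tools it names.
"""
import ipaddress
import re

# ASSUMPTION: watch-list of resolver networks treated as rogue. This is the
# /20 containing both resolvers seen in the thread's log; replace or extend it
# with your own intelligence before relying on it.
ROGUE_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# HijackThis prints O17 entries in two shapes:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
#   O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = a.b.c.d e.f.g.h
# "\..\" is HijackThis shorthand for "\Parameters\Interfaces\".
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip"
    r"(?:\\\.\.\\(?P<guid>\{[0-9A-Fa-f-]+\})|\\Parameters)"
    r": NameServer = (?P<ns>.+)$"
)


def expand_control_set(cs):
    """CCS -> CurrentControlSet, CS1 -> ControlSet001, CS2 -> ControlSet002."""
    if cs == "CCS":
        return "CurrentControlSet"
    return "ControlSet{:03d}".format(int(cs[2:]))


def parse_o17(line):
    """Return (full registry key, [resolver strings]) or None for non-O17 lines."""
    m = O17_RE.match(line.strip())
    if m is None:
        return None
    key = "HKEY_LOCAL_MACHINE\\System\\{}\\Services\\Tcpip\\Parameters".format(
        expand_control_set(m.group("cs")))
    if m.group("guid"):
        key += "\\Interfaces\\" + m.group("guid")
    # NameServer is one REG_SZ; Windows accepts comma- or space-separated lists.
    servers = [s for s in re.split(r"[ ,]+", m.group("ns").strip()) if s]
    return key, servers


def is_rogue(ip):
    """True if ip parses as an address and lies inside a watch-list network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_NETS)


def triage(log_lines):
    """Map each registry key whose NameServer holds a rogue resolver to those resolvers."""
    hits = {}
    for line in log_lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        rogue = [s for s in servers if is_rogue(s)]
        if rogue:
            hits[key] = rogue
    return hits


def build_fix_reg(hits):
    """Emit a .reg file; the "NameServer"=- syntax deletes that value under each key."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(hits):
        out += ["[{}]".format(key), '"NameServer"=-', ""]
    return "\r\n".join(out)


# Constructed sample: two O17 lines copied from the log above, one O4 line to
# show non-O17 lines are ignored, and the second interface GUID from the log
# rewritten with a made-up private-LAN resolver that must not be flagged.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{1CB62071-1DFE-460A-BDC2-B613FD02CAED}: NameServer = 85.255.116.137,85.255.112.23",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.137 85.255.112.23",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{D510FF77-0C07-433A-A9D7-959394F6E376}: NameServer = 192.168.1.1",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for key, resolvers in found.items():
        print("ROGUE", key, "->", ", ".join(resolvers))
    print(build_fix_reg(found))
```

Two caveats a responder would attach to the generated file. First, "NameServer"=- only removes the static resolvers; if the adapter is not set to obtain DNS through DHCP (Windows then falls back to the DhcpNameServer value), nothing replaces them and name resolution stops while raw IP traffic still works, which is one plausible reason for the symptom post #8 describes (GG connects, web pages do not) and why post #9 tells the user to reconfigure the connection afterwards. Second, the .reg has to be applied once the component that writes those values is no longer running, which is what post #7's instruction to run it in Safe Mode is for; otherwise the entries simply come back.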