Problem z Mass-Mailing Software

Radishizzar · 6 Wrzesień 2007 13:20

Witam… kiedy mam włączonego Kaperskiego to co jakiś czas mi wywala okienko że znalazł Mass-mailing software i co chce z tym zrobić (zamknąć, kwarantanna itp…tyle że to jest services.exe i po minucie mi się system zamyka). Próbowałem skanować KAV-em czy Ad-Awarem z trybu awaryjnego ale nic nie dało

Wklejam loga i prosze o pomoc

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:02:18, on 2007-09-06 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\atiptaxx.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: (no name) - {61570087-387A-4C10-A7E1-7A1AD455FEAE} - C:\WINDOWS\system32\oppol.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\rfrbkoqc.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe O4 - HKLM…\Run: [AVP] “D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe” O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL O20 - Winlogon Notify: oppol - C:\WINDOWS\system32\oppol.dll (file missing) O20 - Winlogon Notify: urqqppq - urqqppq.dll (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing) – End of file - 4313 bytes

Colicab · 6 Wrzesień 2007 13:29

jesli wirus dopisal sie do services.exe to musisz w trybie naprawy expandowac z plyty Cd ten plik…

Radishizzar · 6 Wrzesień 2007 14:06

yyy wybaczcie za noobowe pytanie ale…jak? ^^ i ja mam płyte z XP sp1, bo sp2 instalowałem z neta… czy to wszystko jedno ?

LostWorld · 6 Wrzesień 2007 15:11

Na początek Użyj w trybie awaryjnym

VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

Radishizzar · 6 Wrzesień 2007 19:29

Pierwszy znalazł i usunął z 5 plików… drugi nic…a trzeci ma loga

[09/06/2007, 21:11:21] - VirtumundoBeGone v1.5 ( “C:\Documents and Settings\Radek.RMA\Pulpit\VirtumundoBeGone.exe” ) [09/06/2007, 21:11:30] - Detected System Information: [09/06/2007, 21:11:30] - Windows Version: 5.1.2600, Dodatek Service Pack 2 [09/06/2007, 21:11:30] - Current Username: Radek (Admin) [09/06/2007, 21:11:30] - Windows is in SAFE mode with Networking. [09/06/2007, 21:11:30] - Searching for Browser Helper Objects: [09/06/2007, 21:11:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper) [09/06/2007, 21:11:30] - BHO 2: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar) [09/06/2007, 21:11:30] - BHO 3: {61570087-387A-4C10-A7E1-7A1AD455FEAE} () [09/06/2007, 21:11:30] - WARNING: BHO has no default name. Checking for Winlogon reference. [09/06/2007, 21:11:30] - Checking for HKLM…\Winlogon\Notify\oppol [09/06/2007, 21:11:30] - Found: HKLM…\Winlogon\Notify\oppol - This is probably Virtumundo. [09/06/2007, 21:11:30] - Assigning {61570087-387A-4C10-A7E1-7A1AD455FEAE} MSEvents Object [09/06/2007, 21:11:30] - BHO list has been changed! Starting over… [09/06/2007, 21:11:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper) [09/06/2007, 21:11:30] - BHO 2: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar) [09/06/2007, 21:11:30] - BHO 3: {61570087-387A-4C10-A7E1-7A1AD455FEAE} (MSEvents Object) [09/06/2007, 21:11:30] - ALERT: Found MSEvents Object! [09/06/2007, 21:11:30] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class) [09/06/2007, 21:11:30] - Finished Searching Browser Helper Objects [09/06/2007, 21:11:30] - *** Detected MSEvents Object [09/06/2007, 21:11:30] - Trying to remove MSEvents Object… [09/06/2007, 21:11:31] - Terminating Process: IEXPLORE.EXE [09/06/2007, 21:11:31] - Terminating Process: RUNDLL32.EXE [09/06/2007, 21:11:31] - Disabling Automatic Shell Restart [09/06/2007, 21:11:31] - Terminating Process: EXPLORER.EXE [09/06/2007, 21:11:32] - Suspending the NT Session Manager System Service [09/06/2007, 21:11:32] - Terminating Windows NT Logon/Logoff Manager [09/06/2007, 21:11:32] - Re-enabling Automatic Shell Restart [09/06/2007, 21:11:32] - File to disable: C:\WINDOWS\system32\oppol.dll [09/06/2007, 21:11:32] - Removing HKLM…\Browser Helper Objects{61570087-387A-4C10-A7E1-7A1AD455FEAE} [09/06/2007, 21:11:32] - Removing HKCR\CLSID{61570087-387A-4C10-A7E1-7A1AD455FEAE} [09/06/2007, 21:11:32] - Adding Kill Bit for ActiveX for GUID: {61570087-387A-4C10-A7E1-7A1AD455FEAE} [09/06/2007, 21:11:32] - Deleting ATLEvents/MSEvents Registry entries [09/06/2007, 21:11:32] - Removing HKLM…\Winlogon\Notify\oppol [09/06/2007, 21:11:32] - Searching for Browser Helper Objects: [09/06/2007, 21:11:32] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper) [09/06/2007, 21:11:32] - BHO 2: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar) [09/06/2007, 21:11:32] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class) [09/06/2007, 21:11:32] - Finished Searching Browser Helper Objects [09/06/2007, 21:11:32] - Finishing up… [09/06/2007, 21:11:32] - A restart is needed. [09/06/2007, 21:11:58] - Attempting to Restart via STOP error (Blue Screen!)

Nowe logi

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:19:42, on 2007-09-06 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\atiptaxx.exe D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\WINDOWS\System32\svchost.exe D:\Program Files\Tlen.pl\tlen.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe O4 - HKLM…\Run: [AVP] “D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe” O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL O20 - Winlogon Notify: urqqppq - urqqppq.dll (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing) – End of file - 4135 bytes[\quote] i

Gutek · 6 Wrzesień 2007 19:57

Daj log z ComboFix

Radishizzar · 6 Wrzesień 2007 20:13

Wywala błąd że nie może znaleźć C:\Windows\system32\cmd.exe ostatnio mnie wirus zaatakował i Kaspersky troche tych plików pousówał… niby mam go w kopi zapasowej… przywrócić ?

Gutek · 6 Wrzesień 2007 20:20

W takim układzie

Pobierz program SDFix

Radishizzar · 6 Wrzesień 2007 21:57

yyyyy… jak klikam na RunThis.bat to mi wywala błąd że nie może znaleźć tego pliku i mam się upewnić czy wpisana nazwa jest poprawna o_0…serio ja nie rozumiem czasami tego kompa ^^"

Gutek · 6 Wrzesień 2007 22:23

Masz AVG ściągnij najnowsza wersję(bazę danych) i przeskanuj