Problem z systemem - wirus simper.exe


(Tadeo) #1

Mam juz swoje lata i nerwy na wyczerpaniu :frowning:

Prosze o nieskomplikowane sugestie, co dalej. Oto moj Logfile of HijackThis:


(squeet) #2

tadeooo prosz臋 o zastosowanie si臋 do tych temat贸w:

:arrow: http://forum.dobreprogramy.pl/viewtopic.php?t=66889

:arrow: http://forum.dobreprogramy.pl/viewtopic.php?t=36654

  1. Opisz dok艂adnie, jaki masz problem.

  2. Logi obejmuj tagami quote.


(Tadeo) #3

Przepraszam, jestem raczej uzytkownikiem komputera, nie jego znawca :frowning:

Wydawalo mi sie, ze wkleilem "log-a" w calosci, nic nie obcialem.

Oczekiwalem porady, ktore wpisy usunac i co jeszcze zrobic, by komputer zaczal dzialac normalnie po problemie zwiazanym z "simpler.exe"

Z instrukcja obslugi HiJackThis raczej sie zapoznalem.

Objawy: po starcie wyskakuje od razu okno logowania do gg, system antywir. nod32 wykrywa wirusa i go usuwa, ale po ponownym uruchomieniu sytuacja powtarza sie, lacze internetowe dziala niezmiernie wolno - ledwie moge z niego korzystac (i to chyba jest najwieksza bolaczka)

Z gory dziekuje za zrozumienie i pomoc

Z艂膮czono Posta : 28.11.2006 (Wto) 22:54

Pewnie wywolalem smiech, ale nic nie poradze :frowning:


(Bbieniol) #4

Uruchamiasz narz臋dzie KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej 艣cie偶k臋:

C:\WINDOWS\System32\rpcc.dll

Klikasz X i restart kompa :slight_smile:

Start -> wszystkie programy -> autostart -> z prawokliku kasujesz Uninstall.exe.

Usuwasz Hijackiem te wpisy:

Po zabiegach nowy log z Hijacka + log z Silent Runners


(Tadeo) #5

nie pomoglo, gg sie nie uruchamia, ale w folderze:

C:\Documents and Settings\Admin

tkwia pliki

gg.dll

NTUSER

ntuser.dat

a nod32 wykrywa wirusa :frowning:

Z艂膮czono Posta : 28.11.2006 (Wto) 23:19

na wszelki wypadek wklejam ponownego "loga", moze cos sie zmienilo:


(Bbieniol) #6

Hijack jest ju偶 czysty :slight_smile:

Wrzu膰 koniecznie log z Silenta:)


(squeet) #7

tadeooo jak wklejasz loga, obejmuj go tagiem quote.

Instrukcj臋 jak to zrobi膰 i jak wklei膰 loga z Silent Runners masz w tematach wy偶ej


(Tadeo) #8

log z silent runners:

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (http://www.cmedia.com.tw)"]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]

"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wy艣wietlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wy艣wietlania"

\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

\InProcServer32(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> rpcc\DLLName = "C:\WINDOWS\System32\rpcc.dll" [file not found]


(Duncaen) #9

Czy powinien pozosta膰 wpis :

tadeooo zapomnia艂e艣 znowu "quote"

Z艂膮czono Posta : 28.11.2006 (Wto) 23:29

Sorki za takie pytanie ale pr贸buje troche skuma膰 z tych log贸w


(Tadeo) #10

oto silent runners (poprzednio nie caly wkleilem - przez niecierpliwosc)

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (http://www.cmedia.com.tw)"]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]

"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wy艣wietlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wy艣wietlania"

\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

\InProcServer32(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> rpcc\DLLName = "C:\WINDOWS\System32\rpcc.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssbezier.scr" [MS]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 17

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:


Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Messenger"

"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):


NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


<>: Suspicious data at a malware launch point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 156 seconds, including 4 seconds for message boxes)

W folderze C:\Documents and Settings\Admin

tkwia nadal pliki

gg.dll

NTUSER

ntuser.dat

Moze tak pozostac?


(Bbieniol) #11

Otw贸rz notatnik i wklej w nim to:

Plik -> zapisz jako -> zmie艅 rozszerzenie na wszystkie pliki -> zapisz pod nazw膮 FIX.REG

Odpal plik FIX.REG i potwierd藕 dodanie do rejestru i reset kompa :slight_smile:

Usu艅 z dysku plik, ktory zaznaczy艂em na czerwono - pozosta艂e s膮 OK :slight_smile:


(Tadeo) #12

Zrobilem wedle wskazowek, serdecznie dziekuje za cierpliwosc i czas :slight_smile:

Mam nadzieje, ze juz teraz bedzie wzszystko OK.

Pozdrowienia