czyrzu
(Czyrzu)
10 December 2006 20:36
#1
Logfile of HijackThis v1.99.1
Scan saved at 15:30:39, on 2006-12-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"ABmenu" = "C:\Program Files\ArcaVir\Bin\ABmenu.exe" ["ArcaBit"]
"ABREGMON" = "C:\Program Files\ArcaVir\Bin\ABregmon.exe" ["ArcaBit"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
  -> {HKLM...CLSID} = "BitComet Helper"
                   \InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO.dll" ["BitComet"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{94BA40D2-5201-4316-B5D5-4376A795C385}" = "Monkey's Audio Info Tip Extension (MediaXW)"
  -> {HKLM...CLSID} = "Monkey's Audio Info Tip Extension (MediaXW)"
                   \InProcServer32\(Default) = "C:\Program Files\GXTranscoder\Codecs\MXWMA.dll" ["Ingo Ralf Blum"]
"{C2C04EE2-4313-41C2-AE23-4B2E23101FDF}" = "Monkey's Audio Column Handler"
  -> {HKLM...CLSID} = "Monkey's Audio Column Handler"
                   \InProcServer32\(Default) = "C:\Program Files\GXTranscoder\Codecs\MXWMA.dll" ["Ingo Ralf Blum"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C2C04EE2-4313-41C2-AE23-4B2E23101FDF}\(Default) = "{C2C04EE2-4313-41C2-AE23-4B2E23101FDF}"
  -> {HKLM...CLSID} = "Monkey's Audio Column Handler"
                   \InProcServer32\(Default) = "C:\Program Files\GXTranscoder\Codecs\MXWMA.dll" ["Ingo Ralf Blum"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"
  -> {HKLM...CLSID} = "ArcaVir Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\ArcaVir\Bin\ArcaShl.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"
  -> {HKLM...CLSID} = "ArcaVir Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\ArcaVir\Bin\ArcaShl.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Default executables:
--------------------

HKLM\Software\Classes\cmdfile\shell\open\command\ = (key not found)
HKLM\Software\Classes\cmdfile\
HKLM\Software\Classes\comfile\shell\open\command\ = (key not found)
HKLM\Software\Classes\comfile\
HKLM\Software\Classes\scrfile\shell\open\command\ = (key not found)
HKLM\Software\Classes\scrfile\

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
Disable customizing browser toolbar buttons}

"NoBandCustomize" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
Disable customizing browser toolbars}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoBandCustomize" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{6FDD5236-C9F0-49EF-935D-385F5E21991A}\
"ButtonText" = "Poker.com "
"Exec" = "C:\Program Files\Poker.com \poker.exe" ["Ingenic"]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{4CBB5C71-1BA0-49CA-93CD-159AF8AA0CC9}\
"ButtonText" = "Betway.com Poker"
"Exec" = "C:\Program Files\BetwayMPP\MPPoker.exe" ["Microgaming"]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM...CLSID} = "Search Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ArcaBit NetMonitor, ABNetMon, "C:\Program Files\ArcaVir\Bin\NetMonSv.exe" ["ArcaBit sp. z o.o."]
ArcaScan, ArcaScan, "C:\Program Files\ArcaVir\Bin\arcascan.exe" ["ArcaBit"]
ArcaVir Monitor, ArcaMonSvc, "C:\Program Files\ArcaVir\Bin\avmonsv.exe" ["ArcaBit"]
BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

----------
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at
  the first message box and "Yes" at the second message box.
----------
(total run time: 96 seconds, including 15 seconds for message boxes)
Merged post: 10.12.2006 (Sun) 21:38
problem with the trojan trojan.agent.dc
adam9870
(adam9870)
10 December 2006 20:41
#2
Download KillBox, tick Delete on reboot, and paste this path into the "full path of file" field:
C:\WINDOWS\system32\rpcc.dll
Click the red X and reboot the computer.
Open Notepad and paste this into it:
File >>> Save as >>> change the file type from TXT to All files >>> save it under the name FIX.REG and run it in Safe Mode.
To be safe, use Unhookexec.inf. Right-click the link => Save target as => choose where to save it and click Save => right-click the downloaded file => Install.
Remove the entries below in HJT if they are present:
When done, please paste new logs.
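A small triage script for logs in this Silent Runners layout, added here as an example and not a tool from the thread: it picks out entries carrying the suspicious-data marker (shown as "<>" in the post above), Winlogon Notify DLLs reported with "[null data]" (no embedded version or company information), and the default executable handlers reported as "(key not found)", which is what Unhookexec.inf restores. The embedded log excerpt is constructed, modelled on the log above.

```python
"""Triage helper for a Silent Runners log (added example, not from the thread)."""
import re

# Constructed excerpt in the Silent Runners layout, modelled on the log above.
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ABmenu" = "C:\Program Files\ArcaVir\Bin\ABmenu.exe" ["ArcaBit"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [null data]

Default executables:
--------------------

HKLM\Software\Classes\cmdfile\shell\open\command\ = (key not found)
HKLM\Software\Classes\exefile\shell\open\command\ = "%1" %*

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
"""

# Suffix of the registry key whose values are Winlogon notification packages.
NOTIFY_KEY = "\\Winlogon\\Notify\\"
# A default executable handler the script reports as missing (cmdfile, comfile, ...).
DEFAULT_EXE = re.compile(r"Classes\\(\w+file)\\shell\\open\\command\\ = \(key not found\)")


def triage(log: str) -> dict:
    """Return findings grouped by category; each value is a list of matching lines."""
    findings = {"flagged": [], "notify_null_data": [], "missing_handlers": []}
    section = None  # registry key that the following value lines belong to
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A key line ends in a backslash (or in the "{++}" marker for keys shown in full).
        if line.startswith("HK") and line.endswith(("\\", "{++}")):
            section = line.replace(" {++}", "")
        if line.startswith("<>"):           # Silent Runners' own suspicious-data marker
            findings["flagged"].append(line)
        if section and section.endswith(NOTIFY_KEY) and "[null data]" in line:
            findings["notify_null_data"].append(line)   # notify DLL without version info
        m = DEFAULT_EXE.search(line)
        if m:
            findings["missing_handlers"].append(m.group(1))
    return findings


if __name__ == "__main__":
    for category, lines in triage(SAMPLE_LOG).items():
        print(category, lines)
```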
adam9870
(adam9870)
12 December 2006 19:36
#4
To be safe, use Unhookexec.inf. Right-click the link => Save target as => choose where to save it and click OK => right-click the downloaded file => Install.
squeet
(squeet)
12 December 2006 20:11
#5
Please read the following topics:
http://forum.dobreprogramy.pl/viewtopic.php?t=66889
http://forum.dobreprogramy.pl/viewtopic.php?t=36654
And apply them in practice to your post:
Please change the topic title to a specific one that describes the problem.