Stea
(Juicy Lucy)
2 April 2006 17:16
#1
Hello.
I went onto a certain forum and my computer got infected with what must have been several dozen viruses. I removed most of them (or rather, the antivirus programs did), but I can't deal with this TR/StartPage.adi.7 and this TR/Proxy.Small.BO.1. I'd be grateful if someone could tell me how to get rid of them.
MaYsTeR
(Mayster X)
2 April 2006 18:01
#4
also scan with this, after updating it:
http://www.ewido.net/en/
as far as I know this type of virus leaves quite a few entries in the registry … :?
Stea
(Juicy Lucy)
2 April 2006 18:21
#5
kuz5
(Kuz5)
3 April 2006 17:16
#6
Because ewido is intended for the Windows 2000/XP platform, and you have:
Stea:
Platform: Windows ME
Note: when you paste a log, wrap it in a CODE or QUOTE tag.
I suggest reading THIS topic and seeing what users who paste logs are asked to do.
Remove: (you do all of this in safe mode with System Restore turned off, of course)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM…\Run: [sysTray] C:\PROGRAM FILES\TRXRTIGX.EXE
O4 - HKLM…\Run: [tetriz3] C:\WINDOWS.000\SYSTEM\tetriz3.exe
O4 - HKLM…\RunServices: [tetriz3] C:\WINDOWS.000\SYSTEM\tetriz3.exe
O4 - HKCU…\Run: [Windows installer] C:\winstall.exe
O4 - HKCU…\Run: [pro] C:\WINSTALL.EXE
O4 - HKCU…\Run: [tetriz3] C:\WINDOWS.000\SYSTEM\tetriz3.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.000\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.000\web\related.htm
Delete the files marked in red from the disk manually.
Paste a SilentRunners log.
Stea
(Juicy Lucy)
3 April 2006 18:30
#7
I don't have that any more, but when I make a log it's still there :?
Logfile of HijackThis v1.99.1
Scan saved at 20:29:04, on 2006-04-03
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\mmtask.tsk
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\SCHEDM.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\WINDOWS.000\SYSTEM\RPCSS.EXE
C:\WINDOWS.000\SYSTEM\LXCGPPLS.EXE
C:\WINDOWS.000\SYSTEM\INTERNAT.EXE
C:\WINDOWS.000\TASKMON.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\AVGCTRL.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\PROGRAM FILES\LEXMARK 2300 SERIES\LXCGMON.EXE
C:\PROGRAM FILES\LEXMARK 2300 SERIES\EZPRINT.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\WINDOWS.000\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\OPENOFFICE.ORG1.1.3\PROGRAM\SOFFICE.EXE
C:\WINDOWS.000\SYSTEM\LXCGCOMS.EXE
C:\WINDOWS.000\SYSTEM\DDHELP.EXE
C:\WINDOWS.000\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS.000\SYSTEM\STIMON.EXE
C:\WINDOWS.000\SYSTEM\PSTORES.EXE
C:\WINDOWS.000\PULPIT\HIJACKTHIS_V1.99.1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F1 - win.ini: run=lxcgppls.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0 CE\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM…\Run: [internat.exe] internat.exe
O4 - HKLM…\Run: [scanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM…\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
O4 - HKLM…\Run: [PCHealth] C:\WINDOWS.000\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM…\Run: [systemTray] SysTray.Exe
O4 - HKLM…\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\Run: [avgctrl] "C:\Program Files\AntiVir PersonalEdition Classic\avgctrl.exe" /min
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM…\Run: [LXCGCATS] rundll32 C:\WINDOWS.000\SYSTEM\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM…\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM…\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM…\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM…\Run: [sysTray] C:\PROGRAM FILES\TRXRTIGX.EXE
O4 - HKLM…\Run: [tetriz3] C:\WINDOWS.000\SYSTEM\tetriz3.exe
O4 - HKLM…\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM…\RunServices: [*StateMgr] C:\WINDOWS.000\System\Restore\StateMgr.exe
O4 - HKLM…\RunServices: [schedm] "C:\Program Files\AntiVir PersonalEdition Classic\schedm.exe"
O4 - HKLM…\RunServices: [tetriz3] C:\WINDOWS.000\SYSTEM\tetriz3.exe
O4 - HKCU…\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU…\Run: [Windows installer] C:\winstall.exe
O4 - HKCU…\Run: [pro] C:\WINSTALL.EXE
O4 - HKCU…\Run: [tetriz3] C:\WINDOWS.000\SYSTEM\tetriz3.exe
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.000\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS.000\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
And here is the log from that other program
"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray" ["sms-express.com "]
"Windows installer" = "C:\winstall.exe" [file not found]
"pro" = "C:\WINSTALL.EXE" [file not found]
"tetriz3" = "C:\WINDOWS.000\SYSTEM\tetriz3.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"ScanRegistry" = "C:\WINDOWS.000\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS.000\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS.000\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"avgctrl" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgctrl.exe" /min" ["Avira GmbH"]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"LXCGCATS" = "rundll32 C:\WINDOWS.000\SYSTEM\LXCGtime.dll,_RunDLLEntry@16" [MS]
"lxcgmon.exe" = ""C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"" ["Lexmark International, Inc."]
"EzPrint" = ""C:\Program Files\Lexmark 2300 Series\ezprint.exe"" ["Lexmark International Inc."]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [null data]
"SysTray" = "C:\PROGRAM FILES\TRXRTIGX.EXE" [file not found]
"tetriz3" = "C:\WINDOWS.000\SYSTEM\tetriz3.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"*StateMgr" = "C:\WINDOWS.000\System\Restore\StateMgr.exe" [MS]
"schedm" = ""C:\Program Files\AntiVir PersonalEdition Classic\schedm.exe"" ["Avira GmbH"]
"tetriz3" = "C:\WINDOWS.000\SYSTEM\tetriz3.exe" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis(Default) = "Instalator systemu Windows — Konwerter FAT32"
  \StubPath = "rundll.exe C:\WINDOWS.000\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS.000\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided)
  -> {HKLM…CLSID} = "Yahoo! Toolbar Helper"
     \InProcServer32(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
  -> {HKLM…CLSID} = "AcroIEHlprObj Class"
     \InProcServer32(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0 CE\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\PROGRAM FILES\OPENOFFICE.ORG1.1.3\PROGRAM\SHLXTHDL.DLL" ["Sun Microsystems, Inc."]
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
  -> {HKLM…CLSID} = "Nero Shell Extension Property Sheet"
     \InProcServer32(Default) = "C:\Program Files\Ahead\nero\neroshx.dll" ["Ahead Software AG"]
"{D0FAC080-AE1A-11ce-8016-CE90976DC901}" = "Picture Publisher File Viewer"
  -> {HKLM…CLSID} = "Picture Publisher File Viewer"
     \InProcServer32(Default) = "ppiv30.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = (no title provided)
  -> {HKLM…CLSID} = "Skrót internetowy"
     \InProcServer32(Default) = "shdocvw.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM…CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32(Default) = "C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\SHLEXT.DLL" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM…CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32(Default) = "C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\SHLEXT.DLL" ["H+BEDV Datentechnik GmbH"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS.000\Web\Wallpaper\Zaćmienie słońca.jpg"

WIN.INI & SYSTEM.INI launch points:
-----------------------------------

WIN.INI
[windows]
INFECTION WARNING! "run=lxcgppls.exe" ["4"]

Startup items in "Startup" & "All Users…Startup" folders:
-----------------------------------------------------------

C:\WINDOWS.000\Menu Start\Programy\Autostart
"OpenOffice.org 1.1.3" -> shortcut to: "C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe" [null data]
"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

Enabled Scheduled Tasks:
------------------------

"Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [MS]
"Harmonogram programu PCHealth dla zbierania danych" -> launches: "C:\WINDOWS.000\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS.000\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS.000\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS.000\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS.000\SYSTEM\rsvpsp.dll [MS], 5 - 6

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM…CLSID} = "Yahoo! Toolbar"
     \InProcServer32(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM…CLSID} = "Yahoo! Toolbar"
     \InProcServer32(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\Version = (invalid data)
The Internet Explorer version cannot be found!

C:\WINDOWS.000\INF\IERESET.INF (used to "Reset Web Settings")

The contents of IERESET.INF cannot be reliably checked!

Added lines (compared with English-language version):
[strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"
[strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"

Missing lines (compared with English-language version):
[strings]: 2 lines

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
2300 Series Port\Driver = "lxcglmpm.dll" ["4"]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 10 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 15 seconds.
---------- (total run time: 49 seconds)
Open Notepad and paste this into it:
File>>>Save As>>>change the file type from .txt to All Files>>>save it under the name FIX.REG>>>>go into safe mode and run FIX.REG
In HijackThis delete the entries and the bolded file:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
After the treatment, post a new Silent Runners + HijackThis log.
Delete in HijackThis:
This file puzzles me:
It supposedly looks like something from the Lexmark printer, but there is nothing about it on the net.
Follow the path and >Properties>>read the info, manufacturer etc.; if it's Lexmark then it's OK.
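Added example, not code from this thread, from HijackThis or from Silent Runners: the triage kuz5 does by eye in reply #6 (R0/R1 pages redirected to c:\secure32.html, the same tetriz3 binary registered under three Run/RunServices keys, TRXRTIGX.EXE and winstall.exe dropped straight into a root folder) and the FIX.REG approach in the post above, as one Python script. It parses HijackThis R0/R1/O4 lines, flags the suspect ones and writes the REGEDIT4 text that resets the page values and deletes the rogue Run values. The sample lines are constructed from the entries quoted in the thread; the `HKLM\..\Run` spelling of the key, the `C:\WINDOWS.000` Windows folder, the reset to `about:blank` and the two heuristics (root-folder binaries, one binary registered several times) are assumptions of this example, not anything HijackThis itself does. Deleting the files from disk and restarting in safe mode remain separate manual steps, as the post says.

```python
"""Triage HijackThis R0/R1/O4 lines and build a REGEDIT4 FIX.REG for them.
Added example, not code from the thread, HijackThis or Silent Runners."""
import re
from collections import defaultdict

# Constructed sample, modelled on the entries quoted in the thread (assumption:
# HijackThis writes the key as HKLM\..\Run; the thread shows it as HKLM…\Run).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [avgctrl] "C:\Program Files\AntiVir PersonalEdition Classic\avgctrl.exe" /min
O4 - HKLM\..\Run: [sysTray] C:\PROGRAM FILES\TRXRTIGX.EXE
O4 - HKLM\..\Run: [tetriz3] C:\WINDOWS.000\SYSTEM\tetriz3.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINDOWS.000\SYSTEM\tetriz3.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [pro] C:\WINSTALL.EXE
O4 - HKCU\..\Run: [tetriz3] C:\WINDOWS.000\SYSTEM\tetriz3.exe
"""

WINDIR = "C:\\WINDOWS.000"      # taken from the paths in the quoted log (assumption)
SAFE_PAGE = "about:blank"       # what hijacked page values are reset to (assumption)
HIVE = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

R_LINE = re.compile(r"^R[01] - (HKCU|HKLM)\\(.+?),([^=]+?) = (.*)$")
O4_LINE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")


def exe_path(command):
    """Strip quotes and arguments from an O4 command. Heuristic: assumes the
    target is an .exe; rundll32-style commands fall through to the first token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split(" ")[0]


def parse(log_text):
    """Return (page_entries, autorun_entries) from HijackThis R0/R1/O4 lines."""
    pages, autoruns = [], []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            hive, key, name, value = m.groups()
            pages.append({"hive": hive, "key": key, "name": name, "value": value})
            continue
        m = O4_LINE.match(line.strip())
        if m:
            hive, subkey, name, cmd = m.groups()
            autoruns.append({"hive": hive, "subkey": subkey, "name": name,
                             "cmd": cmd, "exe": exe_path(cmd)})
    return pages, autoruns


def flag_pages(pages):
    """A start/default page should be a URL. A file on disk is a hijack unless
    it sits inside the Windows folder (the stock Local Page is blank.htm there)."""
    bad = []
    for p in pages:
        v = p["value"].strip().lower()
        if re.match(r"^(https?://|about:)", v):
            continue
        if v.startswith(WINDIR.lower() + "\\"):
            continue
        bad.append(p)
    return bad


def flag_autoruns(autoruns):
    """Two heuristics drawn from the thread: a binary dropped straight into a
    drive root or the Program Files root, and one binary registered under
    several Run/RunServices keys (tetriz3 appears three times)."""
    by_exe = defaultdict(list)
    for a in autoruns:
        by_exe[a["exe"].lower()].append(a)
    bad = []
    for a in autoruns:
        parent = a["exe"].rsplit("\\", 1)[0].lower() if "\\" in a["exe"] else ""
        in_root = re.match(r"^[a-z]:(\\program files)?$", parent) is not None
        if in_root or len(by_exe[a["exe"].lower()]) > 1:
            bad.append(a)
    return bad


def build_fix(bad_pages, bad_autoruns):
    """REGEDIT4 is the format Windows 9x/ME regedit imports; "name"=- deletes a
    value. Value names containing quotes or backslashes are not escaped here."""
    sections = defaultdict(list)
    for p in bad_pages:
        key = HIVE[p["hive"]] + "\\" + p["key"]
        sections[key].append('"%s"="%s"' % (p["name"], SAFE_PAGE))
    for a in bad_autoruns:
        key = HIVE[a["hive"]] + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + a["subkey"]
        line = '"%s"=-' % a["name"]
        if line not in sections[key]:
            sections[key].append(line)
    out = ["REGEDIT4", ""]
    for key, lines in sections.items():
        out.append("[%s]" % key)
        out.extend(lines)
        out.append("")
    return "\n".join(out)


def triage(log_text):
    """Parse, flag and return (bad_pages, bad_autoruns, fix_reg_text)."""
    pages, autoruns = parse(log_text)
    bad_pages, bad_autoruns = flag_pages(pages), flag_autoruns(autoruns)
    return bad_pages, bad_autoruns, build_fix(bad_pages, bad_autoruns)


if __name__ == "__main__":
    bad_pages, bad_autoruns, fix = triage(SAMPLE_LOG)
    for p in bad_pages:
        print("PAGE    %s\\%s,%s = %s" % (p["hive"], p["key"], p["name"], p["value"]))
    for a in bad_autoruns:
        print("AUTORUN %s\\..\\%s [%s] %s" % (a["hive"], a["subkey"], a["name"], a["exe"]))
    print()
    print(fix)   # save this text as FIX.REG and import it in safe mode
```

On the constructed sample the script leaves SystemTray, ScanRegistry and avgctrl alone and flags the three page hijacks plus sysTray, the three tetriz3 registrations and both winstall.exe entries; the REGEDIT4 output then has one `[HKEY_…]` section per key with `"name"=-` lines for the deletions. The heuristics are deliberately narrow: anything not matched still has to be read by a person, as the posts in this thread do.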
Stea
(Juicy Lucy)
4 April 2006 14:01
#11
I deleted those files, and that other one is from d.
Thank you all very much for the help, and you in particular, InfinityToJa.