radecki77
(Wolfik3)
15 Sierpień 2006 19:02
#1
Panowie,czy ktokolwiek z Was spotkal sie z w/w w temacie wirami? Mam problem z nimi, od dluzszego czasu siedza w moim kompie, o ich istnieniu powiadamia mnie NOD32 w trakcie pelnego skanowania. Probowalem juz przeroznych programow min. te ktore sa polecane przez Was na forum i dalej nic. Nie mam pojecia jak sie ich pozbyc, bede wdzieczy za jakiekolwiek porady.
…moj log wg Hijackthis jest wg mnie ok,
pozdrawiam
Miszel89
(Michael89)
15 Sierpień 2006 19:08
#2
wrzuc loga z hijacka sprawdzimy czy jest ok
arekf
(Arek F.)
15 Sierpień 2006 19:09
#3
Log z SilentRunners też się przyda
radecki77
(Wolfik3)
15 Sierpień 2006 20:40
#4
Logfile of HijackThis v1.99.1 Scan saved at 22:36:00, on 15.08.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Acer\eManager\anbmServ.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Programme\Cisco Systems\VPN Client\cvpnd.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE C:\acer\epm\epm-dm.exe C:\Programme\Eset\nod32krn.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Winamp\winamp.exe C:\Programme\Internet Explorer\iexplore.exe D:\Programiki\hijackthis\HijackThis.exe O4 - HKLM…\Run: [epm-dm] c:\acer\epm\epm-dm.exe O4 - HKLM…\Run: [] C:\Programme\Eset\nod32kui.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programme\Eset\nod32krn.exe
Złączono Posta : 15.08.2006 (Wto) 22:41
“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “{F8225B2C-063B-1031-0509-050331200031}” = ““C:\Programme\Gemeinsame Dateien{F8225B2C-063B-1031-0509-050331200031}\Update.exe” mc-110-12-0000272” [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “epm-dm” = “c:\acer\epm\epm-dm.exe” [“Acer Inc”] “(Default)” = “C:\Programme\Eset\nod32kui.exe” ["Eset "] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{26923b43-4d38-484f-9b9e-de460746276c}(Default) = “Internet Explorer” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {625B8A49-953A-43D4-BFC5-5A7CB8FF4EBB}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\pmnnl.dll” [null data] {6A373B7E-496E-424f-A9BE-486A5E9AB018}(Default) = (no title provided) -> {HKLM…CLSID} = “BitComet Toolbar Helper” \InProcServer32(Default) = “C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll” [null data] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Programme\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “CPL-Erweiterung für Anzeigeverschiebung” -> {HKLM…CLSID} = “CPL-Erweiterung für Anzeigeverschiebung” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Erweiterung für HyperTerminal-Icons” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Programme\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}” = “EPM-PO Shell Extension” -> {HKLM…CLSID} = “EPM-PO Shell Extensions” \InProcServer32(Default) = “epm-po.dll” [“Acer Labs USA”] “{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Programme\Microsoft Office\OFFICE11\msohev.dll” [MS] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Shell Extension” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] “{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Find Extension” -> {HKLM…CLSID} = “AVG7 Find Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] “{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band” -> {HKLM…CLSID} = “History Band” \InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Programme\Eset\nodshex.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}” = “Microsoft AntiMalware ShellExecuteHook” -> {HKLM…CLSID} = “Microsoft AntiMalware ShellExecuteHook” \InProcServer32(Default) = “C:\PROGRA~1\WINDOW~4\MpShHook.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = “igfxsrvc.dll” [“Intel Corporation”] INFECTION WARNING! pmnnl\DLLName = “C:\WINDOWS\system32\pmnnl.dll” [null data] INFECTION WARNING! WgaLogon\DLLName = “WgaLogon.dll” [MS] INFECTION WARNING! winbfi32\DLLName = “winbfi32.dll” [file not found] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Programme\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Programme\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] Default executables: -------------------- HKCU\Software\Classes.bat(Default) = (value not set) HKCU\Software\Classes.cmd(Default) = (value not set) HKCU\Software\Classes.com (Default) = (value not set) HKCU\Software\Classes.exe(Default) = (value not set) HKCU\Software\Classes.hta(Default) = (value not set) Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS] Startup items in “Kasik” & “All Users” startup folders: ------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart “Cisco Systems VPN Client” -> shortcut to: “C:\Programme\Cisco Systems\VPN Client\vpngui.exe “-user_logon”” [“Cisco Systems, Inc.”] Enabled Scheduled Tasks: ------------------------ “MP Scheduled Scan” -> launches: “C:\Programme\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 35 %SystemRoot%\system32\mswsock.dll [MS], 06 - 09, 12 - 34 %SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” -> {HKLM…CLSID} = “BitComet Toolbar” \InProcServer32(Default) = “C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll” [null data] Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG7 Alert Manager Server, Avg7Alrt, “C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe” [“GRISOFT, s.r.o.”] AVG7 Update Service, Avg7UpdSvc, “C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe” [“GRISOFT, s.r.o.”] Bluetooth Support Service, BthServ, “C:\WINDOWS\system32\svchost.exe -k bthsvcs” {“C:\WINDOWS\System32\bthserv.dll” [MS]} Cisco Systems, Inc. VPN Service, CVPND, ““C:\Programme\Cisco Systems\VPN Client\cvpnd.exe”” [“Cisco Systems, Inc.”] Machine Debug Manager, MDM, ““C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] NOD32 Kernel Service, NOD32krn, ““C:\Programme\Eset\nod32krn.exe”” ["Eset "] Notebook Manager Service, anbmService, “C:\Acer\eManager\anbmServ.exe” [“OSA Technologies Inc.”] Windows Defender Service, WinDefend, ““C:\Programme\Windows Defender\MsMpEng.exe”” [MS] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] Microsoft Shared Fax Monitor\Driver = “FXSMON.DLL” [MS] PDFCreator\Driver = “pdfcmnnt.dll” [null data] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 31 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 6 seconds. ---------- (total run time: 59 seconds)
system
(system)
15 Sierpień 2006 20:53
#5
log z HiJackThis jest OK, wywal IE, odpal Operę lub Firefoxa, jakimi antywirami skanowałes?
radecki77
(Wolfik3)
15 Sierpień 2006 21:08
#6
IE jest odlaczony juz dosc dlugo,mam nadzieje ze zrobilem to ok (w ramach upewnienia prosze o instrukcje:) ),aktualnie chodzi mi firefox i maxthon(ale rzadko), skanowalem NOD-em 32 i on mi wyswietla komunikaty o tych wirach AVG nic nie widzi, a zainfekowane pliki sa w mieszczone w dosc dziwnej lokalizacji bo: c:/system volume information/…win32/aware.WhenU. SaveNow
Myszak
(Myszonus)
15 Sierpień 2006 21:09
#7
Usuwanie trojana Vundo . - zastosuj się. Daj nowe logi.
radecki77
(Wolfik3)
16 Sierpień 2006 09:01
#8
W jaki sposob mam sie zastosowac do tego co naisales,skoro podczas uruchomienia VundoFix-a musze mu podac ścieżkę dostępu do pliku który w HijackThis pokazał się w identyfikatorze O2 - BHO, a u mnie w logu z HijacThis-a nie ma takiego wpisu,zatem cala operacja zastosowania sie do usuniecia …Vundo pali na panewce od samego poczatku.Poprostu u mnie w logo nie ma takiego wpisu
adam9870
(adam9870)
16 Sierpień 2006 09:15
#9
A gdzie u niego widzisz tego trojana ? :o
On się charakteryzuje wpisem O2 oraz O20 a w logu nie widać żadnego z nich.
radecki77 Nie masz Vundo - zostaw tą instrukcję.
radecki77
(Wolfik3)
16 Sierpień 2006 09:15
#10
jedynie co mi pokazuje Silent Runners to cztery zainfekowane pliki: “igfxsrvc.dll”, “pmunl.dll”, “Wgalogon.dll”, “winibifi32.dll” oraz INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”
-> {HKLM…CLSID} = (no title provided). Nie mam tylko pojecia czy sa to pliki majace cos wsplnego z w/w w temacie wirusami oraz jakiego typu sa to smieci i jak sie ich pozbyc? Prosze kogokolwiek o w miare zetelna porade.
pozdrawiam
jest instalowany dobrowolnie. Dołączony jest do niektórych programów lub skórek ze Style XP. Najlepiej usunąć w trybie awaryjnym. Przeskanuj SpyBot Search & Destroy i Avastem. W normalnym trybie pliki są w pamieci
radecki77
(Wolfik3)
16 Sierpień 2006 09:45
#12
…zatem jak mam sie odniesc do ostrzezen w Silent Runner o czterech zainfekowanych plikach?Z tego co wiem to Silent Runner jest dokladniejszy od Hij…, a chwilowo nikt sie nie ustosunkowal co do tych czterech plikow z Silent Runnera, NOD32 ciagle krzyczy o tym wirusie jaki jest w/w temacie, zrobie skany w trybie awaryjnym Spybot-Search & Destroy,zobaczymy co dalej. 8)
Myszak
(Myszonus)
16 Sierpień 2006 09:47
#13
pmnnl\DLLName = “C:\WINDOWS\system32\pmnnl.dll”
radecki77
(Wolfik3)
16 Sierpień 2006 09:58
#14
…a co z reszta :igfxsrvc.dll , wgaLogon.dll, winbifi.32dll co z nimi ?co to za smieci i jakiego typu?ale cos naprawde sie dzieje bo sam IE mi sie uruchamia z jakims badziewiem.jestes pewnien ze to Vundo ?
Złączono Posta : 16.08.2006 (Sro) 17:34
“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “{F8225B2C-063B-1031-0509-050331200031}” = ““C:\Programme\Gemeinsame Dateien{F8225B2C-063B-1031-0509-050331200031}\Update.exe” mc-110-12-0000272” [file not found] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “ccleaner” = ““C:\Programme\CCleaner\ccleaner.exe” /AUTO” [“Piriform Ltd”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “epm-dm” = “c:\acer\epm\epm-dm.exe” [“Acer Inc”] “(Default)” = “C:\Programme\Eset\nod32kui.exe” ["Eset "] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{26923b43-4d38-484f-9b9e-de460746276c}(Default) = “Internet Explorer” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {1609B57E-C5E7-4CC7-AC83-50467AE0117B}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\pmnnl.dll” [file not found] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {6A373B7E-496E-424f-A9BE-486A5E9AB018}(Default) = (no title provided) -> {HKLM…CLSID} = “BitComet Toolbar Helper” \InProcServer32(Default) = “C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll” [null data] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Programme\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “CPL-Erweiterung für Anzeigeverschiebung” -> {HKLM…CLSID} = “CPL-Erweiterung für Anzeigeverschiebung” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Erweiterung für HyperTerminal-Icons” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Programme\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}” = “EPM-PO Shell Extension” -> {HKLM…CLSID} = “EPM-PO Shell Extensions” \InProcServer32(Default) = “epm-po.dll” [“Acer Labs USA”] “{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Programme\Microsoft Office\OFFICE11\msohev.dll” [MS] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Shell Extension” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] “{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Find Extension” -> {HKLM…CLSID} = “AVG7 Find Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] “{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band” -> {HKLM…CLSID} = “History Band” \InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Programme\Eset\nodshex.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}” = “Microsoft AntiMalware ShellExecuteHook” -> {HKLM…CLSID} = “Microsoft AntiMalware ShellExecuteHook” \InProcServer32(Default) = “C:\PROGRA~1\WINDOW~4\MpShHook.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = “igfxsrvc.dll” [file not found] INFECTION WARNING! WgaLogon\DLLName = “WgaLogon.dll” [MS] INFECTION WARNING! winbfi32\DLLName = “winbfi32.dll” [file not found] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Programme\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Programme\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] Default executables: -------------------- HKCU\Software\Classes.bat(Default) = (value not set) HKCU\Software\Classes.cmd(Default) = (value not set) HKCU\Software\Classes.com (Default) = (value not set) HKCU\Software\Classes.exe(Default) = (value not set) HKCU\Software\Classes.hta(Default) = (value not set) Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS] Startup items in “Kasik” & “All Users” startup folders: ------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart “Cisco Systems VPN Client” -> shortcut to: “C:\Programme\Cisco Systems\VPN Client\vpngui.exe “-user_logon”” [“Cisco Systems, Inc.”] Enabled Scheduled Tasks: ------------------------ “MP Scheduled Scan” -> launches: “C:\Programme\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 35 %SystemRoot%\system32\mswsock.dll [MS], 06 - 09, 12 - 34 %SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” -> {HKLM…CLSID} = “BitComet Toolbar” \InProcServer32(Default) = “C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll” [null data] Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG7 Alert Manager Server, Avg7Alrt, “C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe” [“GRISOFT, s.r.o.”] AVG7 Update Service, Avg7UpdSvc, “C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe” [“GRISOFT, s.r.o.”] Bluetooth Support Service, BthServ, “C:\WINDOWS\system32\svchost.exe -k bthsvcs” {“C:\WINDOWS\System32\bthserv.dll” [MS]} Cisco Systems, Inc. VPN Service, CVPND, ““C:\Programme\Cisco Systems\VPN Client\cvpnd.exe”” [“Cisco Systems, Inc.”] Machine Debug Manager, MDM, ““C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] NOD32 Kernel Service, NOD32krn, ““C:\Programme\Eset\nod32krn.exe”” ["Eset "] Notebook Manager Service, anbmService, “C:\Acer\eManager\anbmServ.exe” [“OSA Technologies Inc.”] Windows Defender Service, WinDefend, ““C:\Programme\Windows Defender\MsMpEng.exe”” [MS] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] Microsoft Shared Fax Monitor\Driver = “FXSMON.DLL” [MS] PDFCreator\Driver = “pdfcmnnt.dll” [null data] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 42 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 5 seconds. ---------- (total run time: 77 seconds)
Myszak
(Myszonus)
16 Sierpień 2006 16:16
#15
te 2 są ok.
Co do
Otwórz notatnik i wklej :
Plik --> zapisz jako --> zmień rozszerzenie z .txt na wszystkie pliki --> zapisz pod nazwą FIX.REG i uruchom w awaryjnym.
Masz AVG i Noda ? to wywal jeden. I uważnie korzystaj z zasobów netu
radecki77
(Wolfik3)
16 Sierpień 2006 18:34
#16
ponizej przedstawim jeszcze raz logi,jesli mozesz to spojrz na nie jeszcze raz
i podziel sie wrazeniami,mam nadzieje ze all jest ok.
Logfile of HijackThis v1.99.1 Scan saved at 20:28:52, on 16.08.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Acer\eManager\anbmServ.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\acer\epm\epm-dm.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Programme\Cisco Systems\VPN Client\cvpnd.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Programme\Eset\nod32krn.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Programme\Mozilla Firefox\firefox.exe D:\Programiki\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1609B57E-C5E7-4CC7-AC83-50467AE0117B} - C:\WINDOWS\system32\pmnnl.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM…\Run: [epm-dm] c:\acer\epm\epm-dm.exe O4 - HKLM…\Run: [] C:\Programme\Eset\nod32kui.exe O4 - HKCU…\Run: [ccleaner] “C:\Programme\CCleaner\ccleaner.exe” /AUTO O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing) O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programme\Eset\nod32krn.exe
“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “{F8225B2C-063B-1031-0509-050331200031}” = ““C:\Programme\Gemeinsame Dateien{F8225B2C-063B-1031-0509-050331200031}\Update.exe” mc-110-12-0000272” [file not found] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “ccleaner” = ““C:\Programme\CCleaner\ccleaner.exe” /AUTO” [“Piriform Ltd”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “epm-dm” = “c:\acer\epm\epm-dm.exe” [“Acer Inc”] “(Default)” = “C:\Programme\Eset\nod32kui.exe” ["Eset "] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{26923b43-4d38-484f-9b9e-de460746276c}(Default) = “Internet Explorer” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {1609B57E-C5E7-4CC7-AC83-50467AE0117B}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\pmnnl.dll” [file not found] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {6A373B7E-496E-424f-A9BE-486A5E9AB018}(Default) = (no title provided) -> {HKLM…CLSID} = “BitComet Toolbar Helper” \InProcServer32(Default) = “C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll” [null data] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Programme\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “CPL-Erweiterung für Anzeigeverschiebung” -> {HKLM…CLSID} = “CPL-Erweiterung für Anzeigeverschiebung” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Erweiterung für HyperTerminal-Icons” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Programme\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}” = “EPM-PO Shell Extension” -> {HKLM…CLSID} = “EPM-PO Shell Extensions” \InProcServer32(Default) = “epm-po.dll” [“Acer Labs USA”] “{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Programme\Microsoft Office\OFFICE11\msohev.dll” [MS] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Shell Extension” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] “{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Find Extension” -> {HKLM…CLSID} = “AVG7 Find Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] “{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band” -> {HKLM…CLSID} = “History Band” \InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Programme\Eset\nodshex.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}” = “Microsoft AntiMalware ShellExecuteHook” -> {HKLM…CLSID} = “Microsoft AntiMalware ShellExecuteHook” \InProcServer32(Default) = “C:\PROGRA~1\WINDOW~4\MpShHook.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = “igfxsrvc.dll” [file not found] INFECTION WARNING! WgaLogon\DLLName = “WgaLogon.dll” [MS] INFECTION WARNING! winbfi32\DLLName = “winbfi32.dll” [file not found] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Programme\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Programme\Grisoft\AVG Free\avgse.dll” [“GRISOFT, s.r.o.”] NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Programme\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programme\WinRAR\rarext.dll” [null data] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] Default executables: -------------------- HKCU\Software\Classes.bat(Default) = (value not set) HKCU\Software\Classes.cmd(Default) = (value not set) HKCU\Software\Classes.com (Default) = (value not set) HKCU\Software\Classes.exe(Default) = (value not set) HKCU\Software\Classes.hta(Default) = (value not set) Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS] Startup items in “Kasik” & “All Users” startup folders: ------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart “Cisco Systems VPN Client” -> shortcut to: “C:\Programme\Cisco Systems\VPN Client\vpngui.exe “-user_logon”” [“Cisco Systems, Inc.”] Enabled Scheduled Tasks: ------------------------ “MP Scheduled Scan” -> launches: “C:\Programme\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 35 %SystemRoot%\system32\mswsock.dll [MS], 06 - 09, 12 - 34 %SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” -> {HKLM…CLSID} = “BitComet Toolbar” \InProcServer32(Default) = “C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll” [null data] Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG7 Alert Manager Server, Avg7Alrt, “C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe” [“GRISOFT, s.r.o.”] AVG7 Update Service, Avg7UpdSvc, “C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe” [“GRISOFT, s.r.o.”] Bluetooth Support Service, BthServ, “C:\WINDOWS\system32\svchost.exe -k bthsvcs” {“C:\WINDOWS\System32\bthserv.dll” [MS]} Cisco Systems, Inc. VPN Service, CVPND, ““C:\Programme\Cisco Systems\VPN Client\cvpnd.exe”” [“Cisco Systems, Inc.”] Machine Debug Manager, MDM, ““C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] NOD32 Kernel Service, NOD32krn, ““C:\Programme\Eset\nod32krn.exe”” ["Eset "] Notebook Manager Service, anbmService, “C:\Acer\eManager\anbmServ.exe” [“OSA Technologies Inc.”] Windows Defender Service, WinDefend, ““C:\Programme\Windows Defender\MsMpEng.exe”” [MS] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] Microsoft Shared Fax Monitor\Driver = “FXSMON.DLL” [MS] PDFCreator\Driver = “pdfcmnnt.dll” [null data] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 43 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 6 seconds. ---------- (total run time: 68 seconds)
zrobilem all jak kazales tyle ze teraz to hijackkthis pokazuje wpis z Vundo,ale VundoFix nic nie wykazuje.
pozdrawiam serdecznie 8)
radecki77
(Wolfik3)
16 Sierpień 2006 18:46
#18
ok,zrobilem jak kazales
Logfile of HijackThis v1.99.1 Scan saved at 20:45:50, on 16.08.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Acer\eManager\anbmServ.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\acer\epm\epm-dm.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Programme\Cisco Systems\VPN Client\cvpnd.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Programme\Eset\nod32krn.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Mozilla Firefox\firefox.exe D:\Programiki\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM…\Run: [epm-dm] c:\acer\epm\epm-dm.exe O4 - HKLM…\Run: [] C:\Programme\Eset\nod32kui.exe O4 - HKCU…\Run: [ccleaner] “C:\Programme\CCleaner\ccleaner.exe” /AUTO O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programme\Eset\nod32krn.exe
teraz all ok?mam nadzieje ze po wszystkim,jeszcze raz wielkie dzieki za przysluge, :lol:
p.s: w jaki sposob mozna posiasc taka wiedze na temat wirow…
pozdrawiam
Złączono Posta : 17.08.2006 (Czw) 8:25
…cos mi dalej NOD32 wywala komunikat o infekcji prog. Win32/PrcView,co to moze byc?
Złączono Posta : 17.08.2006 (Czw) 8:48
… ciagle to samo:
C:\System Volume Information\_restore{37D33619-F280-4C12-ABE8-150D572E846E}\RP244\A0328591.exe »NSIS »SetupInst.exe - Win32/Adware.WhenU.SaveNow Program
oraz jak juz wspomnialem rowniez Win32/PrcView.co mam z tym dziadostwem dalej zrobic i jak sie pozbyc?
Myszak
(Myszonus)
17 Sierpień 2006 21:53
#19
Ten folder _restore jest od przywracania systemu - wyłącz je a wszystkie pliki od punktów zostaną usunięte. Potem możesz włączyć przywracanie,
Gutek
(Gutek)
17 Sierpień 2006 21:59
#20
Użyj VundoFix.zip i daj nowy log z Silenta