Problem z wirusem

dawidek11 · 21 Sierpień 2007 14:37

Witam moj kolega ma problem z wirusm o nazwie Win32/Adware Ultimate Defender Program , nod niedal sobie rady go skasowac ale mozna bylo ten prgram odinstalowac wiec tak zrobil ale niewiem czy cos jeszcze moze byc na komputerze , prosze o sprawdzenie logow z silent’a i hijack’a.

Dziekuje i pozdrawiam.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:02:09, on 2007-08-22 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Advanced Registry Doctor\RegManServ.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe D:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\alg.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Eset\nod32kui.exe C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe C:\Program Files\BearShare\BearShare.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe D:\Program Files\Logitech\Profiler\lwemon.exe C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Ares\Ares.exe D:\Program Files\RocketDock\RocketDock.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe C:\Program Files\Labtec Laser Mouse Software\MulMouse.exe C:\Program Files\Creative\Shared Files\CamTray.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\IEPlugin\SKYPEI~1.DLL O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll O2 - BHO: (no name) - {479da9e8-1dd2-11b2-9fa9-873c0b90b5d5} - C:\WINDOWS\urypavwl.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup O4 - HKLM…\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S O4 - HKLM…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe O4 - HKLM…\Run: [bearShare] “C:\Program Files\BearShare\BearShare.exe” /pause O4 - HKLM…\Run: [vstwnqzy] rundll32.exe “C:\Program Files\vstwnqzy\fuhefmda.dll”,Init O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [start WingMan Profiler] “D:\Program Files\Logitech\Profiler\lwemon.exe” /noui O4 - HKCU…\Run: [internetCalls] “C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe” -nosplash -minimized O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe O4 - HKCU…\Run: [ares] “C:\Program Files\Ares\Ares.exe” -h O4 - HKCU…\Run: [RocketDock] “D:\Program Files\RocketDock\RocketDock.exe” O4 - HKCU…\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS\S-1-5-18…\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: Ustawienia myszy Labtec.lnk = C:\Program Files\Labtec Laser Mouse Software\MulMouse.exe O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … jhtml?p=ZJ O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\IEPlugin\SKYPEI~1.DLL O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho … wflash.cab O17 - HKLM\System\CCS\Services\Tcpip…{06F40363-21EC-47D7-8E37-A6F9FAF95F49}: NameServer = 85.255.114.106,85.255.112.123 O17 - HKLM\System\CCS\Services\Tcpip…{F416FEC3-3F5F-41C0-B4A2-C0FDCAE6641E}: NameServer = 85.255.114.106,85.255.112.123 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.106 85.255.112.123 O17 - HKLM\System\CS1\Services\Tcpip…{06F40363-21EC-47D7-8E37-A6F9FAF95F49}: NameServer = 85.255.114.106,85.255.112.123 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.106 85.255.112.123 O17 - HKLM\System\CS2\Services\Tcpip…{06F40363-21EC-47D7-8E37-A6F9FAF95F49}: NameServer = 85.255.114.106,85.255.112.123 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.106 85.255.112.123 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - D:\Program Files\RealVNC\VNC4\WinVNC4.exe O24 - Desktop Component 0: (no name) - http://www.dzienpo.tk/pictures/dp_000636.jpg O24 - Desktop Component 1: (no name) - http://acn.waw.pl/pooh/kolo/klap-kolo.gif O24 - Desktop Component 2: (no name) - http://tbn0.google.com/images?q=tbn:Cu7 … lube01.jpg – End of file - 8688 bytes

“Silent Runners.vbs”, revision 52, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Start WingMan Profiler” = ““D:\Program Files\Logitech\Profiler\lwemon.exe” /noui” [“Logitech Inc.”] “InternetCalls” = ““C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe” -nosplash -minimized” [“InternetCalls”] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “MyWebSearch Email Plugin” = “C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe” [“MyWebSearch.com”] “ares” = ““C:\Program Files\Ares\Ares.exe” -h” [“Ares Development Group”] “RocketDock” = ““D:\Program Files\RocketDock\RocketDock.exe”” [null data] “STYLEXP” = “C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide” [empty string] HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “RunGCW” = “C:\Program Files\Nokia\Nokia PC Suite 6\GetConnected.exe /instsupp” [“Nokia”] “LaunchApplication.exe” = “C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray” [“Nokia”] “PcSync2.exe” = “C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog” [“Time Information Services Ltd.”] “GetConnected.exe” = “C:\Program Files\Nokia\Nokia PC Suite 6\GetConnected.exe /instsupp” [“Nokia”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [null data] “ATICCC” = ““C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime” [null data] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "] “C-Media Mixer” = “C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup” [“C-Media Electronic Inc.”] “My Web Search Bar” = “rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S” [MS] “MyWebSearch Email Plugin” = “C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe” [“MyWebSearch.com”] “BearShare” = ““C:\Program Files\BearShare\BearShare.exe” /pause” [“Free Peers, Inc.”] “vstwnqzy” = “rundll32.exe “C:\Program Files\vstwnqzy\fuhefmda.dll”,Init” [MS] “PCSuiteTrayApplication” = “C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup” [“Nokia”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {00A6FAF1-072E-44cf-8957-5838F569A31D}(Default) = “MyWebSearch Search Assistant BHO” -> {HKLM…CLSID} = “MyWebSearch Search Assistant BHO” \InProcServer32(Default) = “C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL” [“MyWebSearch.com”] {02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] {07B18EA1-A523-4961-B6BB-170DE4475CCA}(Default) = “mwsBar BHO” -> {HKLM…CLSID} = “mwsBar BHO” \InProcServer32(Default) = “C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL” [“MyWebSearch.com”] {22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = (no title provided) -> {HKLM…CLSID} = “Skype add-on (mastermind)” \InProcServer32(Default) = “C:\PROGRA~1\Skype\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”] {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}(Default) = “BitComet ClickCapture” -> {HKLM…CLSID} = “BitComet Helper” \InProcServer32(Default) = “D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll” [“BitComet”] {479da9e8-1dd2-11b2-9fa9-873c0b90b5d5}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\urypavwl.dll” [null data] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] {C333CF63-767F-4831-94AC-E683D962C63C}(Default) = “TGTSoft Explorer Toolbar Changer” -> {HKLM…CLSID} = “CoTGT_BHO Class” \InProcServer32(Default) = “C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] “{51550900-DCAC-11d4-AA0F-0080C87C465B}” = “WayTech MultiMouse” -> {HKLM…CLSID} = “WayTech MultiMouse Extension” \InProcServer32(Default) = “C:\Program Files\Labtec Laser Mouse Software\CPDll.dll” [null data] “{2F5AC606-70CF-461C-BFE1-734234536262}” = “WindowBlinds CPL Extension” -> {HKLM…CLSID} = “DisplayCplExt Class” \InProcServer32(Default) = “E:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll” [“Stardock.Net, Inc”] “{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “Nokia Phone Browser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = “wbsys.dll” [“Stardock.Net, Inc”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ <> “System” = “kdkhw.exe” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> WBSrv\DLLName = “E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll” [“Stardock Corporation”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoResolveTrack” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoResolveTrack” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Radzio\Dane aplikacji\Mozilla\Firefox\Desktop Background.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\DOCUME~1\Radzio\Pulpit\NIE-DO~1.SCR” [file not found] Startup items in “Radzio” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “ATI CATALYST System Tray” -> shortcut to: “C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray” [null data] “Ustawienia myszy Labtec” -> shortcut to: “C:\Program Files\Labtec Laser Mouse Software\MulMouse.exe” [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 19 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] “{07B18EA9-A523-4961-B6BB-170DE4475CCA}” -> {HKLM…CLSID} = “My Web Search” \InProcServer32(Default) = “C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL” [“MyWebSearch.com”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] “{07B18EA9-A523-4961-B6BB-170DE4475CCA}” -> {HKLM…CLSID} = “My Web Search” \InProcServer32(Default) = “C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL” [“MyWebSearch.com”] “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”] “{07B18EA9-A523-4961-B6BB-170DE4475CCA}” = (no title provided) -> {HKLM…CLSID} = “My Web Search” \InProcServer32(Default) = “C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL” [“MyWebSearch.com”] “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}(Default) = “My Web Search Quick View” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS] HKLM\Software\Classes\CLSID{E7A829CC-671F-4C3D-B590-8C0AEA72E6B2}(Default) = “BitComet Search” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll” [“BitComet”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {461CC20B-FB6E-4F16-8FE8-C29359DB100E}\ “ButtonText” = “BitComet Search” {77BF5300-1474-4EC7-9980-D32B190E9B07}\ “ButtonText” = “Skype” “CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}” -> {HKLM…CLSID} = “Skype add-on (button)” \InProcServer32(Default) = “C:\PROGRA~1\Skype\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{00A6FAF6-072E-44cf-8957-5838F569A31D}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL” [“MyWebSearch.com”] <> “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = “*v” (unwritable string) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] Registry Management Service, RegManServ, “C:\Program Files\Advanced Registry Doctor\RegManServ.exe” [null data] ServiceLayer, ServiceLayer, ““C:\Program Files\PC Connectivity Solution\ServiceLayer.exe”” [“Nokia.”] StyleXPService, StyleXPService, ““C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe”” [empty string] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- (launch time: 2007-08-22 15:35:25) <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 109 seconds. ---------- (total run time: 169 seconds)

jessica · 21 Sierpień 2007 14:52

Masz ukraińską infekcję czyli Rootkit “Windows Security Center”, więc najpierw zastosuj

FixWareout

Po jego użyciu może zajść potrzeba ustawiania od nowa DNS Twojego dostawcy internetowego.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL O2 - BHO: (no name) - {479da9e8-1dd2-11b2-9fa9-873c0b90b5d5} - C:\WINDOWS\urypavwl.dll O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL O4 - HKLM…\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S O4 - HKLM…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe O4 - HKLM…\Run: [vstwnqzy] rundll32.exe “C:\Program Files\vstwnqzy\fuhefmda.dll”,Init O4 - HKCU…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … jhtml?p=ZJ O17 - HKLM\System\CCS\Services\Tcpip…{06F40363-21EC-47D7-8E37-A6F9FAF95F49}: NameServer = 85.255.114.106,85.255.112.123 O17 - HKLM\System\CCS\Services\Tcpip…{F416FEC3-3F5F-41C0-B4A2-C0FDCAE6641E}: NameServer = 85.255.114.106,85.255.112.123 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.106 85.255.112.123 O17 - HKLM\System\CS1\Services\Tcpip…{06F40363-21EC-47D7-8E37-A6F9FAF95F49}: NameServer = 85.255.114.106,85.255.112.123 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.106 85.255.112.123 O17 - HKLM\System\CS2\Services\Tcpip…{06F40363-21EC-47D7-8E37-A6F9FAF95F49}: NameServer = 85.255.114.106,85.255.112.123 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.106 85.255.112.123

Potem te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Potem daj tu:

raport z C:\Fixwareout.txt
log z Hijacka
log z ComboFixa:

ComboFixa (na dole tej strony z linku) -

Log wklej na http://wklej.org/, a w poście daj tylko link.

jessi

dawidek11 · 21 Sierpień 2007 15:18

Username “Radzio” - 2007-08-22 15:55:52 [Fixwareout edited 2007/07/05] »»»»»Prerun check HKLM\SOFTWARE~\Winlogon\ “System”=“kdkhw.exe” HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters “nameserver”=“85.255.114.106 85.255.112.123” HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces{06F40363-21EC-47D7-8E37-A6F9FAF95F49} “nameserver”=“85.255.114.106,85.255.112.123” HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces{F416FEC3-3F5F-41C0-B4A2-C0FDCAE6641E} “nameserver”=“85.255.114.106,85.255.112.123” HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces{393588CD-EADA-4046-82BC-23C682DB9A41} “DhcpNameServer”=“85.255.114.106,85.255.112.123” HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces{F416FEC3-3F5F-41C0-B4A2-C0FDCAE6641E} “DhcpNameServer”=“85.255.114.106,85.255.112.123” Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS. System was rebooted successfully. »»»»» Postrun check HKLM\SOFTWARE~\Winlogon\ “system”="" … … »»»»» Misc files. … »»»»» Checking for older varients. … C:\Program Files\VideoPlugin < Found Additional tools are recomended. »»»»» Current runs (hklm hkcu “run” Keys Only) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” “ATICCC”="“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime" “DAEMON Tools-1033”="“C:\Program Files\D-Tools\daemon.exe” -lang 1033" “Cmaudio”=“RunDll32 cmicnfg.cpl,CMICtrlWnd” “nod32kui”="“C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE" “C-Media Mixer”=“C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup” “My Web Search Bar”=“rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S” “MyWebSearch Email Plugin”=“C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe” “BearShare”="“C:\Program Files\BearShare\BearShare.exe” /pause" “vstwnqzy”=“rundll32.exe “C:\Program Files\vstwnqzy\fuhefmda.dll”,Init” “PCSuiteTrayApplication”=“C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup” [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” “Start WingMan Profiler”="“D:\Program Files\Logitech\Profiler\lwemon.exe” /noui" “InternetCalls”="“C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe” -nosplash -minimized" “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" “MyWebSearch Email Plugin”=“C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe” “ares”="“C:\Program Files\Ares\Ares.exe” -h" “RocketDock”="“D:\Program Files\RocketDock\RocketDock.exe”" “STYLEXP”=“C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide” … Hosts file was reset, If you use a custom hosts file please replace it »»»»» End report »»»»»

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:07:19, on 2007-08-22 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Advanced Registry Doctor\RegManServ.exe C:\WINDOWS\system32\svchost.exe D:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\BearShare\BearShare.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe D:\Program Files\Logitech\Profiler\lwemon.exe C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Ares\Ares.exe D:\Program Files\RocketDock\RocketDock.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe C:\Program Files\Labtec Laser Mouse Software\MulMouse.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe C:\Program Files\PC Connectivity Solution\ServiceLayer.exe C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\IEPlugin\SKYPEI~1.DLL O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll O2 - BHO: (no name) - {479da9e8-1dd2-11b2-9fa9-873c0b90b5d5} - C:\WINDOWS\urypavwl.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup O4 - HKLM…\Run: [bearShare] “C:\Program Files\BearShare\BearShare.exe” /pause O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [start WingMan Profiler] “D:\Program Files\Logitech\Profiler\lwemon.exe” /noui O4 - HKCU…\Run: [internetCalls] “C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe” -nosplash -minimized O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [ares] “C:\Program Files\Ares\Ares.exe” -h O4 - HKCU…\Run: [RocketDock] “D:\Program Files\RocketDock\RocketDock.exe” O4 - HKCU…\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS\S-1-5-18…\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: Ustawienia myszy Labtec.lnk = C:\Program Files\Labtec Laser Mouse Software\MulMouse.exe O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\IEPlugin\SKYPEI~1.DLL O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho … wflash.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - D:\Program Files\RealVNC\VNC4\WinVNC4.exe O24 - Desktop Component 0: (no name) - http://www.dzienpo.tk/pictures/dp_000636.jpg O24 - Desktop Component 1: (no name) - http://acn.waw.pl/pooh/kolo/klap-kolo.gif O24 - Desktop Component 2: (no name) - http://tbn0.google.com/images?q=tbn:Cu7 … lube01.jpg – End of file - 7053 bytes

http://wklej.org/id/113af875db

Dziekuje

jessica · 21 Sierpień 2007 15:40

Wklej do Notatnika :

File::

C:\WINDOWS\urypavwl.dll


Folder::

C:\Program Files\vstwnqzy

C:\WINDOWS\system32\ueuhhfwo


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{479da9e8-1dd2-11b2-9fa9-873c0b90b5d5}]

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie,

jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

(czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku -->http://i12.tinypic.com/4l761r5.gif

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie.

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Sprawdź go na http://virusscan.jotti.org/

Opis, jak korzystać z JOTTI --> http://otfans.pl/forums/showthread.php?tid=552

albo na http://www.virustotal.com/en/indexf.html

(korzysta się podobnie jak z JOTTI).

Daj nowy log z ComboFixa.

jessi

dawidek11 · 21 Sierpień 2007 16:26

Antywirus Wersja Ostatnia aktualizacja Wynik

AhnLab-V3 2007.8.22.0 2007.08.21 -

AntiVir 7.4.1.62 2007.08.21 -

Authentium 4.93.8 2007.08.20 -

Avast 4.7.1029.0 2007.08.20 -

AVG 7.5.0.484 2007.08.20 -

BitDefender 7.2 2007.08.21 -

CAT-QuickHeal 9.00 2007.08.21 -

ClamAV 0.91 2007.08.21 -

DrWeb 4.33 2007.08.21 -

eSafe 7.0.15.0 2007.08.20 -

eTrust-Vet 31.1.5076 2007.08.21 -

Ewido 4.0 2007.08.21 -

FileAdvisor 1 2007.08.21 -

Fortinet 2.91.0.0 2007.08.21 -

F-Prot 4.3.2.48 2007.08.20 -

F-Secure 6.70.13030.0 2007.08.21 -

Ikarus T3.1.1.12 2007.08.21 -

Kaspersky 4.0.2.24 2007.08.21 -

McAfee 5101 2007.08.20 -

Microsoft 1.2803 2007.08.21 -

NOD32v2 2473 2007.08.21 -

Norman 5.80.02 2007.08.21 -

Panda 9.0.0.4 2007.08.21 -

Prevx1 V2 2007.08.21 -

Rising 19.37.12.00 2007.08.21 -

Sophos 4.20.0 2007.08.21 -

Sunbelt 2.2.907.0 2007.08.21 -

Symantec 10 2007.08.21 -

TheHacker 6.1.8.171 2007.08.21 -

VBA32 3.12.2.2 2007.08.21 -

VirusBuster 4.3.26:9 2007.08.21 -

Webwasher-Gateway 6.0.1 2007.08.21 -

Dodatkowe informacje

File size: 2320256 bytes

MD5: c203a06dd9408f33c7a8783c0f758670

SHA1: 0c060d2b6c298113a2ebcd2b7a8468df2c930c39

http://wklej.org/id/f857839696 ---- log z combofix’a

Kozystalem z http://www.virustotal.com/pl/

dziekuje

Gutek · 21 Sierpień 2007 16:35

To jest cały raport ze skanu pliku kernel1.exe?

jessica · 21 Sierpień 2007 16:37

Wygląda, że jest OK!

EDIT:

Skan z JOTTI tego “kernel1” oglądałam już wcześniej na jakimś zagranicznym forum - też nic podejrzanego.

jessi

dawidek11 · 21 Sierpień 2007 16:41

Tak ,ale moge wyslac ten plik do analizy do kaspersky bo czesto tak robie u siebie jesli kaspersky jakiegos wirusa niewykrywa to wysylam go analizy i przychodzi mi na e-maila ze to jest wirus i ze bedzie dodany do bazy wirusow w nanastepnej aktualizacji kasperskiego.

Dziekuje

Gutek · 21 Sierpień 2007 16:41

Ja widziałem jak usuwali ten plik

Hm…

dawidek11 · 21 Sierpień 2007 16:46

http://www.pcformat.pl/forum/showthread … pid=275212 na tej stronie cos jest .

Ps. moj kolega zmienil sobie boot screnna i jak uruchamia widowsa to mu sie pokazuje ze ma 2 windowsy ieden z normalnym boot scrennem a drugi ze zmienionym boot scrennem i mi sie wydaje ze ten kernel1.exeto jest od tego nowego boot screena.

Oki Dziekuje bardzo za wszystko!

Sanjana007 · 24 Sierpień 2007 19:03

Hej. Mam zainstalowany program avast. Ostatnio wyskoczylo mi ze wykryto wirusa ale nie dalo sie go przeniesc do kwarantanny. Teraz jak wlaczylam ponownie komputer to juz nic nie wyskakuje a w dziale wszytskie pliki z kwarantanny sa jakies cztery. Powiedzcie mi jak to usunac bo ja sie na tym kompletnie nie znam:(

jessica · 24 Sierpień 2007 23:10

@sanjana007 - Moderator jeszcze nie zauważył, że się podczepiłeś pod cudzy temat, ale to tylko kwestia czasu.

Zapewniam Cię, że takie podczepianie się pod cudzy temat bardzo utrudnia pomaganie.

Dodatkowo nie wolno nam odpowiadać na podczepione posty, więc właściwie nie powinnam Ci odpowiadać.

Wyjątkowo odpowiem, bo to błahe pytanie, może nie warto zakładać nowego tematu?

Tym zajmie się Moderator.

Ja natomiast:

jessi