Problem with wml.exe, please help


(Tn Sp) #1

Hello, I also have a similar problem to krzysinek with the wml.exe file. Except that I can't run HiJackThis. I get a message that the program is not a "system 32" application, or something like that. Please help.

I ran ComboFix; here is the log:

ComboFix 08-04-24.1 - Mika 2008-05-05 18:18:02.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.264 [GMT 2:00]

Running from: D:\zip\ComboFix.exe

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))

.

2008-05-04 12:56 . 2008-05-04 12:57 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-05-04 12:56 . 2008-05-04 12:57 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-05-04 12:56 . 2008-05-04 12:57 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-05-04 12:55 . 2008-05-04 12:55

2008-05-04 12:48 . 2008-05-04 17:56

2008-05-04 12:48 . 2008-05-04 12:47 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

2008-05-04 12:48 . 2008-05-04 12:47 298,104 --a------ C:\WINDOWS\system32\imon.dll

2008-05-04 12:48 . 2008-05-04 12:47 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

2008-05-04 12:37 . 2008-05-04 12:37

2008-05-01 04:41 . 2008-05-01 04:41

2008-05-01 04:20 . 2008-05-01 04:20

2008-05-01 04:19 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd

2008-05-01 04:16 . 1999-10-11 03:00 41,984 --------- C:\WINDOWS\Ctregrun.exe

2008-05-01 04:12 . 2003-03-19 07:19 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL

2008-05-01 04:12 . 2003-02-21 06:42 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll

2008-05-01 04:08 . 2002-12-11 18:09 217,600 --a--c--- C:\WINDOWS\system32\dllcache\npdrmv2.dll

2008-05-01 04:08 . 2002-12-11 17:34 9,728 --a--c--- C:\WINDOWS\system32\dllcache\npwmsdrm.dll

2008-05-01 03:04 . 2006-04-13 19:00 126,976 -ra------ C:\WINDOWS\system32\V0220Vfw.dll

2008-05-01 03:04 . 2005-07-12 20:17 86,016 -ra------ C:\WINDOWS\CtDrvIns.exe

2008-05-01 03:04 . 2006-06-28 19:01 32,768 -ra------ C:\WINDOWS\V0220Mon.exe

2008-05-01 03:04 . 2006-04-13 19:00 20,480 -ra------ C:\WINDOWS\V0220Cfg.exe

2008-05-01 03:04 . 2006-06-08 10:00 6,272 -ra------ C:\WINDOWS\system32\drivers\V0220Vfx.sys

2008-05-01 03:04 . 2006-05-06 05:04 6,132 -ra------ C:\WINDOWS\VF0220.uns

2008-05-01 02:50 . 2008-05-05 16:32

2008-05-01 02:50 . 2008-05-01 02:50 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat

2008-05-01 02:47 . 2008-05-05 16:38

2008-05-01 02:46 . 2008-05-01 02:47

2008-05-01 02:46 . 2008-05-01 02:46

2008-05-01 02:46 . 2008-05-01 02:47

2008-04-30 23:21 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll

2008-04-30 23:21 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll

2008-04-30 23:21 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl

2008-04-30 23:21 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll

2008-04-30 23:21 . 2004-08-03 14:04 187,160 --a------ C:\WINDOWS\system32\wuaueng1.dll

2008-04-30 23:21 . 2004-08-03 14:03 170,264 --a------ C:\WINDOWS\system32\wuauclt1.exe

2008-04-30 23:21 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll

2008-04-30 23:14 . 2002-05-23 09:34 310,272 --a------ C:\WINDOWS\system32\winhttp.dll

2008-04-22 17:52 . 2008-04-22 17:52

2008-04-20 20:05 . 2008-04-20 20:05

2008-04-20 20:05 . 2008-05-01 03:21

2008-04-20 20:05 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-04-20 20:05 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-04-20 20:05 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-04-20 20:05 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-04-20 13:48 . 2008-04-20 14:13

2008-04-20 10:54 . 2003-03-18 21:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll

2008-04-20 10:49 . 2008-04-20 17:51 1,540,809 ---hs---- C:\WINDOWS\system32\lffgxeig.ini

2008-04-20 10:43 . 2008-04-20 10:43 106,496 --a------ C:\WINDOWS\system32\krwhktkt.exe

2008-04-19 11:24 . 2008-04-19 11:24

2008-04-19 10:19 . 2008-04-19 10:18 691,545 --a------ C:\WINDOWS\unins000.exe

2008-04-19 10:19 . 2008-04-19 10:19 2,540 --a------ C:\WINDOWS\unins000.dat

2008-04-19 10:16 . 2008-04-19 10:30

2008-04-19 10:16 . 2008-04-19 10:20

2008-04-19 09:40 . 2008-05-04 17:08

2008-04-19 09:39 . 2008-04-19 09:39 10,752 --a------ C:\Documents and Settings\Mika\65886.exe

2008-04-19 09:39 . 2008-04-19 09:39 10,752 --a------ C:\Documents and Settings\Mika\53103.exe

2008-04-13 19:16 . 2008-04-18 20:31

2008-04-06 10:45 . 2008-04-19 09:53

2008-04-05 13:18 . 2001-10-26 17:29 146,944 --a------ C:\WINDOWS\system32\ptpusd.dll

2008-04-05 13:18 . 2001-08-17 21:53 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys

2008-04-05 13:18 . 2001-10-26 17:29 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

2008-04-05 13:11 . 2008-04-06 09:50

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-04 12:09 --------- d-----w C:\Program Files\Operacja Pustynny Grom

2008-05-01 02:18 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-05-01 02:14 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-04-30 22:16 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll

2008-04-26 13:53 --------- d-----w C:\Documents and Settings\Mika\Dane aplikacji\GanymedeNet

2008-03-28 17:52 --------- d-----w C:\Program Files\Java

2008-03-05 15:22 --------- d-----w C:\Program Files\IrfanView

2007-12-20 19:51 8 --sh--r C:\WINDOWS\system32\F7DB1628C6.sys

2007-12-20 19:51 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F653EA3B-76C8-4C6F-8C1A-31DFFC056A8B}]

C:\WINDOWS\System32\ddccbyaX.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}"= "C:\DOCUME~1\Mika\USTAWI~1\Temp\ac8zt2\qtvglped.dll" []

[HKEY_CLASSES_ROOT\clsid\{3d91099b-562d-49ec-bdbd-78c5de9caed9}]

[HKEY_CLASSES_ROOT\qtvglped.1]

[HKEY_CLASSES_ROOT\TypeLib\{5A457828-B0A0-44DF-B5DE-373DFDD87ACC}]

[HKEY_CLASSES_ROOT\qtvglped]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 19:29 13312]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14 1077277]

"Gadu-Gadu"="E:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 12:54 2131392]

"vcmcjkmg"="C:\WINDOWS\system32\qfujyfej.exe" []

"yptuuypd"="C:\WINDOWS\system32\krwhktkt.exe" [2008-04-20 10:43 106496]

"bnudvien"="C:\WINDOWS\system32\vctenexw.exe" []

"njlarnvc"="C:\WINDOWS\system32\dwjwhifw.exe" []

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:54 22175528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinampAgent"="e:\Program Files\Winamp\winampa.exe" [2003-12-13 02:50 33792]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"V0220Mon.exe"="C:\WINDOWS\V0220Mon.exe" [2006-06-28 19:01 32768]

"AVFX Engine"="d:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 01:11 24576]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-05-04 12:47 949376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-26 19:29 13312]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-20 22:55:05 113664]

Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"YF65J4R49V"= C:\WINDOWS\wininst.exe

"eu0SenVPtK"= C:\Documents and Settings\All Users\Dane aplikacji\mnkjgjsx\wzmlmnan.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= file:///C:\WINDOWS\privacy_danger\index.htm

FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"pmsoarbf"= {55AB04F6-7B69-415E-829F-FC9A1528B731} - C:\WINDOWS\pmsoarbf.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqOHwTn]

urqOHwTn.dll

R0 sojubus;sojubus;C:\WINDOWS\System32\DRIVERS\sojubus.sys [2003-10-05 11:41]

R0 sojuscsi;sojuscsi;C:\WINDOWS\System32\DRIVERS\sojuscsi.sys [2003-09-28 11:57]

R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-03-29 19:31]

S3 V0220Dev;Live! Cam Video IM;C:\WINDOWS\System32\DRIVERS\V0220Dev.sys [2006-06-29 07:58]

S3 V0220Vfx;V0220VFX;C:\WINDOWS\System32\DRIVERS\V0220Vfx.sys [2006-06-08 10:00]

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-05 18:20:36

Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-05-05 18:22:50

ComboFix-quarantined-files.txt 2008-05-05 16:21:52

Pre-Run: 807,432,192 bajtów wolnych

Post-Run: 805,253,120 bajtów wolnych

148


(Gutek) #2

Paste into Notepad:

File::

C:\WINDOWS\system32\lffgxeig.ini

C:\WINDOWS\system32\krwhktkt.exe

C:\WINDOWS\System32\ddccbyaX.dll


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F653EA3B-76C8-4C6F-8C1A-31DFFC056A8B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3D91099B-562D-49EC-BDBD-78C5DE9CAED9}"=-

[-HKEY_CLASSES_ROOT\clsid\{3d91099b-562d-49ec-bdbd-78c5de9caed9}]

[-HKEY_CLASSES_ROOT\qtvglped.1]

[-HKEY_CLASSES_ROOT\TypeLib\{5A457828-B0A0-44DF-B5DE-373DFDD87ACC}]

[-HKEY_CLASSES_ROOT\qtvglped]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vcmcjkmg"=-

"yptuuypd"=-

"bnudvien"=-

"njlarnvc"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"YF65J4R49V"=-

"eu0SenVPtK"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"pmsoarbf"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqOHwTn]

>> File >> Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)

– just like in this picture --> 88953CFScript-createdbyMiekiemoes.gif

(if the question "1 or 2" appears, type 1 and press ENTER) The removal should start (and a log will be created).

After the restart, delete the folder C:\Qoobox manually.

After that, post a new ComboFix log and a scan from http://www.kaspersky.pl/virusscanner.html

Change in the rules for posting logs on the forum - viewtopic.php?f=16t=213350

Don't piggyback on someone else's thread.
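The reply above picks its targets by eye from the "Reg Loading Points" section of the ComboFix log in post #1: Run-key values with random-looking eight-letter names, executables with equally random names, and entries for which ComboFix printed an empty metadata bracket `[]` (no timestamp or size, meaning it could not read the file). The script below is an added example, not part of the thread and not a ComboFix or forum tool; it automates that triage over a constructed excerpt copied from the log's format and then renders the result in the CFScript form the reply uses (`File::` paths, and `Registry::` lines in REGEDIT4 notation, where `"name"=-` deletes a value). The `looks_random` heuristic, its thresholds and all function names are assumptions chosen to fit the names in this thread, not rules ComboFix itself applies.

```python
"""Triage of ComboFix 'Reg Loading Points' autostart entries.

Added example, not code from the forum thread or from ComboFix. It parses the
REGEDIT4-style Run-key listing ComboFix prints, flags entries that match the
signs the helper reacted to, and emits the equivalent CFScript stanzas so a
reviewer can check exactly what would be removed before running anything.
"""
import re

# Constructed excerpt in the same layout as the log in post #1 (two Run keys).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 19:29 13312]
"Gadu-Gadu"="E:\Program Files\Gadu-Gadu\gg.exe" [2007-11-14 12:54 2131392]
"vcmcjkmg"="C:\WINDOWS\system32\qfujyfej.exe" []
"yptuuypd"="C:\WINDOWS\system32\krwhktkt.exe" [2008-04-20 10:43 106496]
"bnudvien"="C:\WINDOWS\system32\vctenexw.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:54 22175528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="e:\Program Files\Winamp\winampa.exe" [2003-12-13 02:50 33792]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-05-04 12:47 949376]
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# "name"="path" [timestamp size]   -- the bracket is empty when ComboFix could not read the file
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
VOWELS = set("aeiou")


def looks_random(token):
    """Assumed heuristic: 8-12 lowercase letters with at most one vowel, or a run
    of four or more consonants. Tuned to the names in this thread; legitimate
    short names such as 'ctfmon' (6 letters) or 'nod32kui' (digits) do not match."""
    if not re.fullmatch(r'[a-z]{8,12}', token):
        return False
    vowels = sum(1 for ch in token if ch in VOWELS)
    return vowels <= 1 or re.search(r'[^aeiou]{4}', token) is not None


def parse_loading_points(text):
    """Return (key, name, path, meta) for every value line under a [HKEY_...] header."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("path"), m.group("meta").strip()))
    return entries


def triage(entries):
    """Return (key, name, path, reasons) for entries that deserve a closer look."""
    flagged = []
    for key, name, path, meta in entries:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # executable name without extension
        reasons = []
        if looks_random(name):
            reasons.append("random-looking value name")
        if looks_random(stem):
            reasons.append("random-looking executable name")
        if meta == "":
            reasons.append("empty metadata bracket []: file unreadable or missing")
        if reasons:
            flagged.append((key, name, path, reasons))
    return flagged


def to_cfscript(flagged):
    """Render CFScript stanzas: File:: paths, then Registry:: in REGEDIT4 form
    ("name"=- deletes that value), grouped under the key each value lives in."""
    lines = ["File::"]
    lines += sorted({path for _, _, path, _ in flagged})
    lines += ["", "Registry::"]
    by_key = {}
    for key, name, _, _ in flagged:
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines += [f'"{n}"=-' for n in names]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(parse_loading_points(SAMPLE_LOG))
    for key, name, path, reasons in hits:
        print(f"{name:12} {path}\n    {'; '.join(reasons)}")
    print()
    print(to_cfscript(hits))
```

Run against the excerpt, the three entries the reply also removed (`vcmcjkmg`, `yptuuypd`, `bnudvien`) are flagged and the rest pass; note that `yptuuypd` is caught only because its executable name `krwhktkt` has no vowels, which is why both the value name and the file name are tested. The heuristic is deliberately narrow and the output is meant to be read, not applied blindly: the reply's own script also removes BHO, toolbar and Winlogon notify entries that are printed in other formats and are outside what this parser handles.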