Request to check a log

Hello,

The mks scanner detected a couple of trojans on my machine and supposedly removed them, but at system startup (Win 98SE) the following message still appears: "Cannot find the file 'ibm00001.exe' (or one of its components). Make sure the path and filename are correct and that all required libraries are available". I'm asking for help; here is the log:

Thanks in advance

Artur

Boot into Safe Mode and delete the files manually

Also give me a log from Silent Runners

In Safe Mode I deleted the files TOOLBAR.DLL and i1ru74n4.exe; ibm00001.exe I had already deleted earlier (not in Safe Mode), and I did not find Q12851748.DLL. Here is the Silent Runners log:

“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/

Operating System: Windows 98

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“rate.exe” = “C:\WINDOWS\SYSTEM\i1ru74n4.exe” [file not found]

“Shell” = ““C:\WINDOWS\SYSTEM\ibm00001.exe”” [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“ScanRegistry” = “C:\WINDOWS\scanregw.exe /autorun” [MS]

“TaskMonitor” = “C:\WINDOWS\taskmon.exe” [MS]

“SystemTray” = “SysTray.Exe” [MS]

“LoadPowerProfile” = “Rundll32.exe powrprof.dll,LoadCurrentPwrScheme” [MS]

“Zasobnik systemowy” = “SysTray.Exe” [MS]

“LWBMOUSE” = “C:\Program Files\mouse\mouse driver\3.4\lwbwheel.exe” [empty string]

“KAV50Service” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe” -run bl -n Workstation -v 5.0.0.0 -ttsr 10000000” [“Kaspersky Lab”]

“(Default)” = (empty string)

“KAV50” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe” -run -n Workstation -v 5.0.0.0” [“Kaspersky Lab”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}

“LoadPowerProfile” = “Rundll32.exe powrprof.dll,LoadCurrentPwrScheme” [MS]

“SchedulingAgent” = “mstask.exe” [MS]

“MSDTC” = “msdtcw -start” [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\

{5945c046-1e7d-11d1-bc44-00c04fd912be}(Default) = “MSN Messenger Service 2.2”

\StubPath = “rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Remove.PerUser” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! “{B212D577-05B7-4963-911E-4A8588160DFA}” = “Memory monitor”

-> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\Q12851748.DLL” [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus(Default) = “{DD230880-495A-11D1-B064-008048EC2FC5}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\ShellEx.dll” [“Kaspersky Lab”]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus(Default) = “{DD230880-495A-11D1-B064-008048EC2FC5}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\ShellEx.dll” [“Kaspersky Lab”]

Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

WIN.INI & SYSTEM.INI launch points:


SYSTEM.INI

[boot]

INFECTION WARNING! “shell=explorer.exe ibm00001.exe” [MS], [file not found]

Startup items in “Startup” & “All Users…Startup” folders:


C:\WINDOWS\Menu Start\Programy\Autostart

“Uruchamianie pakietu Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA.EXE -b” [MS]

“Pasek skrótów Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE” [MS]

“Microsoft Find Fast” -> shortcut to: “C:\Program Files\Microsoft Office\Office\FINDFAST.EXE” [MS]

“Watchdog” -> shortcut to: “D:\TOOLS\Watchdog\watchdog.exe” [null data]

Enabled Scheduled Tasks:


“Rozpoczęcie aplikacji dostrajania” -> launches: “walign” [MS]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “C:\WINDOWS\SYSTEM\rnr20.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:

C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1

C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4

C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

Toolbars, Explorer Bars, Extensions:


Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{FB2961FD-DD24-4F8A-8A92-6F9325FF6F11}” = “toolbar” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\DOWNLOADED PROGRAM FILES\TOOLBAR.DLL” [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{FB2961FD-DD24-4F8A-8A92-6F9325FF6F11}” = “toolbar” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\DOWNLOADED PROGRAM FILES\TOOLBAR.DLL” [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

{FB2961FD-DD24-4F8A-8A92-6F9325FF6F11}\ = “toolbar” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\DOWNLOADED PROGRAM FILES\TOOLBAR.DLL” [file not found]

Miscellaneous IE Hijack Points


HKLM\Software\Microsoft\Internet Explorer\Version = (invalid data)

The Internet Explorer version cannot be found!

C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”)

The contents of IERESET.INF cannot be reliably checked!

Added lines (compared with English-language version):

Missing lines (compared with English-language version):

strings: 2 lines

Print Monitors:


HKLM\System\CurrentControlSet\Control\Print\Monitors\

PJL Language Monitor\Driver = “PJLMON.DLL” [MS]

HP LaserJet 5 Language Monitor\Driver = “HPDCMON.DLL” [“Hewlett-Packard”]


  • This report excludes default entries except where indicated.
  • To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
  • To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer “No” at the first message box.

---------- (total run time: 51 seconds, including 18 seconds for message boxes)

Artur

To get rid of it, go into the registry and look for the keys *HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler*, *HKLM\Software\Microsoft\Internet Explorer\Explorer Bars* {FB2961FD-DD24-4F8A-8A92-6F9325FF6F11}, *HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser*, and delete the entries. Pocket Killbox: tick the Delete on Reboot option and in the Full Path of File to Delete field paste the path C:\WINDOWS\Q12851748.DLL, and C:\WINDOWS\SYSTEM\ibm00001.exe, and C:\WINDOWS\DOWNLOADED PROGRAM FILES\TOOLBAR.DLL. The program will ask to reset the computer … so you reset.
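As an added example (not code from this thread, and not part of Silent Runners or Pocket Killbox), the Python script below triages a Silent Runners report the way the replies above do by hand: it collects every autorun entry marked [file not found], the INFECTION WARNING! lines, the CLSIDs whose InProcServer32 target no longer exists (the registry entries the reply says to remove), and any executable appended after explorer.exe on the SYSTEM.INI shell= line. The sample input is a constructed excerpt of the report posted in this thread; the function names and the way results are grouped are my own assumptions, not anything the tools define.

```python
import re

# Constructed sample input: a handful of lines copied from the Silent Runners
# report posted in this thread, embedded so the script runs offline.
SAMPLE_REPORT = r"""
Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"rate.exe" = "C:\WINDOWS\SYSTEM\i1ru74n4.exe" [file not found]
"Shell" = ""C:\WINDOWS\SYSTEM\ibm00001.exe"" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{B212D577-05B7-4963-911E-4A8588160DFA}" = "Memory monitor"
-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\Q12851748.DLL" [file not found]
SYSTEM.INI
[boot]
INFECTION WARNING! "shell=explorer.exe ibm00001.exe" [MS], [file not found]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FB2961FD-DD24-4F8A-8A92-6F9325FF6F11}\ = "toolbar" [from CLSID]
-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\DOWNLOADED PROGRAM FILES\TOOLBAR.DLL" [file not found]
"""

# A registry key header: HKLM\... or HKCU\..., ending in a backslash, optionally
# followed by Silent Runners' "{++}" marker.
KEY_RE = re.compile(r"^(HK(?:LM|CU)\\.+?\\)(?:\s*\{\+\+\})?$")
# A quoted absolute path such as "C:\WINDOWS\SYSTEM\foo.exe".
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]*)"')
# A real GUID in braces; the literal "{CLSID}" placeholder does not match.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# The shell= line quoted from the [boot] section of SYSTEM.INI.
SHELL_RE = re.compile(r'"shell=([^"]*)"', re.IGNORECASE)
MISSING = "[file not found]"


def triage(report: str) -> dict:
    """Walk a Silent Runners report and group the findings worth acting on."""
    findings = {"orphaned": [], "warnings": [], "clsids": [], "shell_extras": []}
    current_key = None   # registry key (or INI section) the current line belongs to
    last_clsid = None    # most recent GUID seen under current_key
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1).rstrip("\\")
            last_clsid = None
            continue
        if line == "SYSTEM.INI":
            current_key = line
            continue
        if line.startswith("[") and current_key == "SYSTEM.INI":
            current_key = "SYSTEM.INI " + line      # e.g. "SYSTEM.INI [boot]"
            continue
        if line.startswith("INFECTION WARNING!"):
            findings["warnings"].append((current_key, line.split("!", 1)[1].strip()))
        clsid = CLSID_RE.search(line)
        if clsid and not line.startswith("->"):
            last_clsid = clsid.group(0)
        shell = SHELL_RE.search(line)
        if shell:
            # Anything after explorer.exe is an extra program started with the shell.
            findings["shell_extras"].extend(shell.group(1).split()[1:])
        if MISSING in line:
            for path in PATH_RE.findall(line):
                findings["orphaned"].append((current_key, path))
            if line.startswith("->") and last_clsid:
                # InProcServer32 points at a missing DLL: the CLSID entry is dead weight.
                findings["clsids"].append((current_key, last_clsid))
    return findings


def missing_files(findings: dict) -> list:
    """Unique, sorted list of every file an autorun entry still references."""
    return sorted({path for _, path in findings["orphaned"]})


if __name__ == "__main__":
    f = triage(SAMPLE_REPORT)
    print("Extra executables on the SYSTEM.INI shell= line:", f["shell_extras"])
    print("Autorun entries whose file is missing:")
    for key, path in f["orphaned"]:
        print(f"  {key} -> {path}")
    print("CLSIDs whose InProcServer32 target is missing (entries to remove):")
    for key, clsid in f["clsids"]:
        print(f"  {key}: {clsid}")
    print("Files referenced but absent:", missing_files(f))
```

The shell= finding is the one that matters for the symptom in the first post: the [boot] section of SYSTEM.INI and the HKCU Run "Shell" value both still name ibm00001.exe, so deleting the file alone leaves Windows trying to start something that no longer exists, which is exactly the "Cannot find the file 'ibm00001.exe'" dialog. Entries marked [file not found] are the ones to remove from the registry and from SYSTEM.INI; the files themselves are already gone.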

Sorry for asking what are probably trivial questions, but I'd rather ask than mess something up. Does this mean I should fire up Regedit and delete all the entries in the keys listed?

Artur

No, the number you have, e.g. {FB2961FD-DD24-4F8A-8A92-6F9325FF6F11}

I followed the recommendations, but at system startup the message quoted at the start of my first post still appears. Is there anything else I can do?

Artur

Give me a LOG from HijackThis

Do you still have the file "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe" in that location?

still junk, see http://www.searchengines.pl/phpbb203/in … mdms&st=30 by Stydler