and Internet Explorer is going haywire
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57:45, on 2007-10-02
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\cFosSpeed\cFosSpeed.exe
F:\Program Files\Lexmark 4300 Series\lxcemon.exe
F:\Program Files\Lexmark 4300 Series\ezprint.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\retadpu1044.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\cFosSpeed\spd.exe
F:\Program Files\Gadu-Gadu\gg.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\SCURIT~1\chkdsk.exe
F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
F:\PROGRA~1\INCRED~1\bin\ImApp.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\IP Phone Center\IPCenter.exe
F:\Program Files\podXP\podXP.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\system32\lxcecoms.exe
F:\Program Files\Skype\Plugin Manager\skypePM.exe
F:\Program Files\IP Phone Center\pc2pccall.exe
F:\Program Files\IP Phone Center\tjbuddy.exe
F:\Program Files\IP Phone Center\IPCRelay.exe
F:\Program Files\IP Phone Center\RingCntr.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
F:\PROGRA~1\INCRED~1\bin\IncMail.exe
F:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe
F:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
F:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/english
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cFosSpeed] F:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [lxcemon.exe] "F:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "F:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "F:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "F:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [searchIndexer] rundll32.exe "F:\WINDOWS\system32\cnmerhad.dll",sitypnow
O4 - HKCU\..\Run: [incrediMail] F:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "F:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rtna] "F:\PROGRA~1\SCURIT~1\chkdsk.exe" --ru -vt yazb
O4 - HKCU\..\Run: [WinAble] F:\Program Files\WinAble\winable.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: IP Phone Center.lnk = F:\Program Files\IP Phone Center\IPCenter.exe
O4 - Global Startup: podXP.lnk = F:\Program Files\podXP\podXP.exe
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0FE0B2-1905-4A1C-8A90-C255C583E527}: NameServer = 84.203.254.34,84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C1B99FA-151C-4282-BA82-49E4E1EF327E}: NameServer = 84.203.254.34,84.203.255.34
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - F:\Program Files\cFosSpeed\spd.exe
O23 - Service: lxce_device - Lexmark International, Inc. - F:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7249 bytes
Gutek
(Gutek)
2 October 2007 22:23
#2
Use SmitFraudFix, choose option no. 2 (in Safe Mode, of course), and post a log from ComboFix.
http://wklej.org/id/20ec7f371f
here is the log
Merged post: 02.10.2007 (Tue) 23:42
what was this anyway, and how do I protect against it? how could I have caught it??
Merged post: 03.10.2007 (Wed) 10:43
hello, is anyone there
Merged post: 03.10.2007 (Wed) 11:54
something is still wrong, please help
adam9870
(adam9870)
3 October 2007 13:32
#4
Download The Avenger. Unpack it => run it => tick the option Input script manually => click the magnifying glass => in the window that opens, paste:
=> Click the Done button => now click the green light => a message should appear; click OK (now restart).
After the reboot a window may appear for literally a few seconds, along with a log in Notepad. Go to where you have Avenger and delete the file backup.zip, e.g. c:\avenger\backup.zip.
Use Windows Worms Doors Cleaner and change the markers from disable to enable (all markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.
Once that is done, produce and paste a new ComboFix log.
after I clicked the green light an error appeared
what now? help, something is still wrong, I can't even restore the system :evil:
Gutek
(Gutek)
3 October 2007 21:14
#6
Use SmitFraudFix, choose option no. 2 (in Safe Mode, of course), and then post a new ComboFix log
I already did that, do I have to do it again
was I supposed to run Combo in Safe Mode too??
because previously I ran it normally, and now in Safe Mode.
here is the new log
http://www.wklej.org/id/1e584364b8
Gutek
(Gutek)
3 October 2007 21:53
#10
Scan these files at http://virusscan.jotti.org/ or http://www.virustotal.com/ and if they turn out to be malicious, delete them; the first two are definitely malicious
lukaszczecin
(Lukasz Grzelak22)
3 October 2007 22:19
#11
\awtturs.dll and riombnok.dll are malicious; how do I delete them, because I can't??
Merged post: 03.10.2007 (Wed) 23:18
it's still the same, some strange message pops up saying my computer has some registry errors, and whether I click "don't scan" or "scan" it connects me to some website and asks whether I want to install errorsafe. help, I'm losing my mind
Merged post: 03.10.2007 (Wed) 23:24
I have the same symptoms as this guy
http://www.searchengines.pl/Nieproszony … 92907.html
Merged post: 04.10.2007 (Thu) 0:27
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IncrediMail" = "F:\PROGRA~1\INCRED~1\bin\IncMail.exe /c" ["IncrediMail, Ltd."]
"Gadu-Gadu" = ""F:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"eyeBeam SIP Client" = "(empty string)" [file not found]
"ctfmon.exe" = "F:\WINDOWS\system32\ctfmon.exe" [MS]
"Rtna" = ""f:\windows\system32\chkdsk.exe" --ru -vt yazb" [MS]
"SUPERAntiSpyware" = "F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"!AVG Anti-Spyware" = ""F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"avast!" = "F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"cFosSpeed" = "F:\Program Files\cFosSpeed\cFosSpeed.exe" ["cFos Software GmbH"]
"lxcemon.exe" = ""F:\Program Files\Lexmark 4300 Series\lxcemon.exe"" ["Lexmark International, Inc."]
"EzPrint" = ""F:\Program Files\Lexmark 4300 Series\ezprint.exe"" ["Lexmark International Inc."]
"FaxCenterServer" = ""F:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [null data]
"NeroFilterCheck" = "F:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" ["Nero AG"]
"NBKeyScan" = ""F:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"" ["Nero AG"]
"LXCECATS" = "rundll32 F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Groove GFS Browser Helper"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "F:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
  -> {HKLM...CLSID} = "IE Microsoft AutoComplete"
     \InProcServer32\(Default) = "F:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "F:\WINDOWS\system32\shdocvw.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "F:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
     \InProcServer32\(Default) = "F:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
     \InProcServer32\(Default) = "F:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
  -> {HKLM...CLSID} = "Groove GFS Browser Helper"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
  -> {HKLM...CLSID} = "Groove Folder Synchronization"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
  -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
  -> {HKLM...CLSID} = "Groove XML Icon Handler"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
     \InProcServer32\(Default) = "F:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
     \InProcServer32\(Default) = "F:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
     \InProcServer32\(Default) = "F:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "F:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
     \InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
  -> {HKLM...CLSID} = "SABShellExecuteHook Class"
     \InProcServer32\(Default) = "F:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "F:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> awtturs\DLLName = "awtturs.dll" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
     \InProcServer32\(Default) = "F:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
     \InProcServer32\(Default) = "F:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "F:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "F:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
     \InProcServer32\(Default) = "F:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "F:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "F:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "F:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "F:\Documents and Settings\lukasz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "lukasz" & "All Users" startup folders:
--------------------------------------------------------

F:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"IP Phone Center" -> shortcut to: "F:\Program Files\IP Phone Center\IPCenter.exe $HideBuddyList$" ["CuPhone.com"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
     \InProcServer32\(Default) = "F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
     \InProcServer32\(Default) = "F:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Wyślij do programu OneNote"
"MenuText" = "Wyślij &do programu OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "F:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""F:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
cFosSpeed System Service, cFosSpeedS, ""F:\Program Files\cFosSpeed\spd.exe" -service" ["cFos Software GmbH"]
lxce_device, lxce_device, "F:\WINDOWS\system32\lxcecoms.exe -service" ["Lexmark International, Inc."]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "F:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
NVIDIA Display Driver Service, NVSvc, "F:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "F:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
4300 Series Port\Driver = "lxcelmpm.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

----------
(launch time: 2007-10-04 01:24:26)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 67 seconds.
---------- (total run time: 122 seconds)
Merged post: 04.10.2007 (Thu) 0:44
and also the ComboFix log
http://www.wklej.org/id/09db5fb95b
Merged post: 04.10.2007 (Thu) 0:47
and ComboScan
http://www.wklej.org/id/49f59ae7c5
jessica
(jessica)
4 October 2007 07:07
#12
Paste into Notepad:
File::
F:\WINDOWS\system32\kmllm.ini2
F:\WINDOWS\system32\kmllm.bak2
F:\WINDOWS\system32\kmllm.bak1
Folder::
F:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtturs]
>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (i.e. the CFScript.txt icon onto the ComboFix.exe icon)
as in this picture -->
(if the question "1 or 2" appears, type 1 and press ENTER)
Removal should begin (and a log will be produced).
After the restart, delete the C:\Qoobox folder manually.
I don't know what to do with this. It looks like part of the "PurityScan" infection, which was visible in your first ComboFix log.
Besides, the file "chkdsk.exe" should never show up in a Hijack log; if it does, it is veeeeery suspicious.
I'm afraid to delete this file, because it has the same name and path as the legitimate one.
But at least fix this entry in Hijack; that will remove it from Autostart:
Hijack scan (Do a system scan only), tick (V), Fix checked.
Post the complete set of logs, because maybe I missed something and someone else will notice...
jessi
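The triage the thread does by eye on the HijackThis log in the first post and in jessica's reply (a rundll32 Run entry loading a randomly named DLL from system32, a Winlogon Notify package whose DLL is missing, a copy of chkdsk.exe started from a Program Files path instead of system32, the O17 DNS entries) can be scripted. The following is an added example, not code from the thread, from HijackThis or from Silent Runners. The sample lines are constructed from entries in the posted logs; the O20 line is reconstructed from the Silent Runners Winlogon\Notify entry and is not in the posted HijackThis log, and the allow-lists of file names are assumptions an analyst would tune. The name heuristic is only a filter: the final call on each file is a hash or signature check, which is what Gutek's advice to upload the files to Jotti or VirusTotal amounts to.

```python
"""Triage of HijackThis-style log lines for the persistence patterns seen in this thread.

Added example, not code from the thread or from HijackThis. Offline text heuristics only:
on a live machine the final word on a file is a hash/signature check, not its name.
"""
import ntpath
import re

# Assumptions (not from the page): Windows binary names that malware likes to reuse,
# files that legitimately live in the Windows root, and DLL stems that would
# otherwise trip the "random lowercase name" heuristic below.
SYSTEM_BINARIES = {"chkdsk.exe", "svchost.exe", "ctfmon.exe", "rundll32.exe", "smss.exe"}
KNOWN_WINDIR_ROOT = {"explorer.exe", "soundman.exe"}
KNOWN_STEMS = {"ctfmon", "nvcpl", "nvmctray", "browseui", "mswsock"}

# Constructed sample in HijackThis v2 layout. Process paths and O4/O17 lines are copied
# from the log posted in the thread; the O20 line is reconstructed from the Silent
# Runners entry "awtturs\DLLName = awtturs.dll [file not found]".
SAMPLE_LOG = r"""
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\retadpu1044.exe
F:\PROGRA~1\SCURIT~1\chkdsk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [searchIndexer] rundll32.exe "F:\WINDOWS\system32\cnmerhad.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rtna] "F:\PROGRA~1\SCURIT~1\chkdsk.exe" --ru -vt yazb
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0FE0B2-1905-4A1C-8A90-C255C583E527}: NameServer = 84.203.254.34,84.203.255.34
O20 - Winlogon Notify: awtturs - awtturs.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>[^:\[]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)(?: \((?P<status>[^)]*)\))?$")
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")  # R0, O4, O17, O23 ... lines end the process list


def location(path):
    """Classify where an executable lives: system32, the Windows root, or elsewhere."""
    d = ntpath.dirname(path).lower()
    if d.endswith("\\windows\\system32"):
        return "system32"
    return "windir" if d.endswith("\\windows") else "other"


def random_looking(stem):
    """Vundo-style names in this thread (cnmerhad, awtturs, riombnok): 6-9 lowercase letters."""
    return bool(re.fullmatch(r"[a-z]{6,9}", stem)) and stem not in KNOWN_STEMS


def split_command(cmd):
    """Return (program, remaining arguments) for a Run value, honouring a quoted program path."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2), cmd[m.end():]) if m else ("", cmd)


def rundll32_target(args):
    """Extract (dll path, entry point) from the arguments of a rundll32 command."""
    m = re.match(r'\s*"?([^",]+?)"?\s*(?:,\s*(\S*))?$', args)
    return (m.group(1), m.group(2) or "") if m else (args.strip(), "")


def check_executable(path, line, findings):
    """Flag a system-binary name outside the Windows directory, or a stray file in its root."""
    name, loc = ntpath.basename(path).lower(), location(path)
    if name in SYSTEM_BINARIES and loc == "other":
        findings.append(("high", line, f"{name} started from {ntpath.dirname(path)}: "
                                       "system-binary name outside the Windows directory"))
    elif loc == "windir" and name not in KNOWN_WINDIR_ROOT:
        findings.append(("medium", line, f"{name} sits in the Windows root, not system32: verify the file"))


def triage(log_text):
    """Return a list of (severity, log line, reason) for entries worth a second look."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes and not ENTRY_RE.match(line):
            check_executable(line, line, findings)
            continue
        in_processes = False
        if m := O4_RE.match(line):
            program, args = split_command(m["cmd"])
            if ntpath.basename(program).lower() in ("rundll32.exe", "rundll32"):
                dll, entry = rundll32_target(args)
                if random_looking(ntpath.splitext(ntpath.basename(dll))[0]):
                    findings.append(("high", line, f"rundll32 loads randomly named DLL {dll} (entry point {entry!r})"))
            else:
                check_executable(program, line, findings)
        elif m := O17_RE.match(line):
            findings.append(("info", line, f"DNS servers set to {m['servers']}: confirm they belong to your ISP"))
        elif m := O20_RE.match(line):
            stem = ntpath.splitext(ntpath.basename(m["dll"]))[0]
            missing = (m["status"] or "").lower().startswith("file missing")
            if missing or random_looking(stem):
                findings.append(("high", line, f"Winlogon Notify package {m['key']} -> {m['dll']}"
                                               + (" (file missing)" if missing else "")))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:<6}] {reason}\n         {line}")
```

Run against the sample, the script raises the same four points the thread raised by hand (cnmerhad.dll behind rundll32, the awtturs Winlogon Notify package, chkdsk.exe both as a running process and as the "Rtna" Run value) plus two review items nobody in the thread commented on (retadpu1044.exe in the Windows root, and the O17 name servers), while leaving NvCpl.dll, ctfmon.exe and smss.exe alone. The O17 entry is reported as informational only: the script has no way to know whose DNS servers those are, which is exactly why the thread asks for VirusTotal and Jotti rather than trusting names.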
lukaszczecin
(Lukasz Grzelak22)
4 October 2007 08:04
#13
something is wrong with that chkdsk file, because when Windows starts a black window like the command prompt appears on the desktop with chkdsk written at the top, and it shows for one second. here are the logs
ComboFix http://www.wklej.org/id/ef5b2025cf
Silent Runners http://www.wklej.org/id/d00008adb0
ComboScan http://www.wklej.org/id/d5cd15b845
Merged post: 04.10.2007 (Thu) 8:12
and also HijackThis after fixing that file http://www.wklej.org/id/a40f9e6c11
Merged post: 04.10.2007 (Thu) 10:59
hello, did I remove all of it?
lukaszczecin
(Lukasz Grzelak22)
4 October 2007 22:24
#15
thanks everyone for the help. this is the best forum in the world