Bieniol
(Bbieniol)
29 Sierpień 2006 17:49
#2
W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):
Gdzie wykrywa Ci te trojany? Podaj lokalizację
Po zabiegach nowy log z Hijacka + log z Silent Runners
jar0
(Jar007)
29 Sierpień 2006 18:02
#3
Trojany wpadaly mi do system32, nie wiem czy tylko tam ale mialem tu problem. Wciąż zalega tam dlh9jkdq8.exe, reszte tego rodzaju udalo mi sie usunac, ale spox narazie zrobie to co mowisz.
Bieniol
(Bbieniol)
29 Sierpień 2006 18:12
#4
W takim razie ten zalegający plik również usuń z dysku
I daj zestaw logów po skończeniu
jar0
(Jar007)
30 Sierpień 2006 10:32
#5
Wrzucam logi
Ale raczej już wszystko w porządku
Logfile of HijackThis v1.99.1 Scan saved at 12:23:09, on 2006-08-30 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\logonui.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\atiptaxx.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wpabaln.exe C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe C:\Documents and Settings\Mirek Dz\Pulpit\pliki\infekcje\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe” O4 - HKLM…\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe O4 - HKLM…\Run: [smcService] “C:\PROGRA~1\Sygate\SPF\smc.exe” -startgui O4 - HKLM…\Run: [sunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_21.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 5843403959 O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_43.cab O16 - DPF: {A7196C8E-35A5-4FF0-9E46-E28918B5CAF6} (GameDesire Domino) - http://67.15.101.3/g_bin/pl/domino_2_0_0_28.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C6} (GameDesire Pool 8UK) - http://67.15.101.3/g_bin/pl/billard8UK_2_0_0_28.cab O17 - HKLM\System\CCS\Services\Tcpip…{C5BBADB5-DDAB-4985-BD0D-0B2A0D14EA9C}: NameServer = 217.30.129.149,217.30.137.200 O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
…
“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “AtiPTA” = “atiptaxx.exe” [“ATI Technologies, Inc.”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “WheelMouse” = “C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [“A4Tech Co.,Ltd.”] “SmcService” = ““C:\PROGRA~1\Sygate\SPF\smc.exe” -startgui” [“Sygate Technologies, Inc.”] “SunServer” = “C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe” [“Sunbelt Software”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{7C9D5882-CB4A-4090-96C8-430BFE8B795B}” = “Webroot Spy Sweeper Context Menu Integration” -> {HKLM…CLSID} = “Webroot Spy Sweeper Context Menu Integration” \InProcServer32(Default) = “C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll” [“Webroot Software, Inc.”] “{A155339D-CCCD-4714-85EB-3754B804C9DF}” = “a-squared Free Context Menu Shell Extension” -> {HKLM…CLSID} = “a-squared Free Context Menu” \InProcServer32(Default) = “C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL” [“Emsi Software GmbH”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{076394AD-7FDD-44EF-A075-32C68DBAB99B}” = “*U” (unwritable string) -> {HKLM…CLSID} = “GIANT AntiSpyware Service Hook” \InProcServer32(Default) = “C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunExecuteHook.dll” [“Sunbelt Software”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! WRNotifier\DLLName = “WRLogonNTF.dll” [“Webroot Software, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ a2FreeContMenu(Default) = “{A155339D-CCCD-4714-85EB-3754B804C9DF}” -> {HKLM…CLSID} = “a-squared Free Context Menu” \InProcServer32(Default) = “C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL” [“Emsi Software GmbH”] avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] SpySweeper(Default) = “{7C9D5882-CB4A-4090-96C8-430BFE8B795B}” -> {HKLM…CLSID} = “Webroot Spy Sweeper Context Menu Integration” \InProcServer32(Default) = “C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll” [“Webroot Software, Inc.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Mirek Dz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Scheduled Tasks: ------------------------ “At1” -> launches: “C:\DOCUME~1\MIREKD~1\Pulpit\pliki\Look2Me-Destroyer.exe /task” [file not found] “wrSpySweeperTrialSweep” -> launches: “C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /ScheduleSweep=wrSpySweeperTrialSweep” [“Webroot Software, Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] Sygate Personal Firewall, SmcService, “C:\Program Files\Sygate\SPF\smc.exe” [“Sygate Technologies, Inc.”] Webroot Spy Sweeper Engine, WebrootSpySweeperService, ““C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe”” [“Webroot Software, Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzlnt04\Driver = “hpzlnt04.dll” [“HP”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 99 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 55 seconds. ---------- (total run time: 305 seconds)