Trojan win32.agent, how do I remove it?

Hello

I need help. Despite having an antivirus I caught a virus that changed my computer settings and blocks access to Task Manager (it probably does other nasty things I don't know about as well).

I tried scanning the computer, but unfortunately some files return "access denied", and that is probably where the pest resides.

Below I'm pasting the logs from Silent Runners and HijackThis.

Thanks in advance for any help removing this pest.

“Silent Runners.vbs”, revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS]

“ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“Adobe Photo Downloader” = ““C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe”” [“Adobe Systems Incorporated”]

“nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]

“NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS]

“CloneCDTray” = ““C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” /s” [“SlySoft, Inc.”]

“Launch PC Probe II” = ““C:\Program Files\ASUS\PC Probe II\Probe2.exe” 1” [“ASUS”]

“RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”]

“Alcmtr” = “ALCMTR.EXE” [“Realtek Semiconductor Corp.”]

“QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”]

“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“TrojanScanner” = “C:\Program Files\Trojan Remover\Trjscan.exe” [“Simply Super Software”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band”

-> {HKLM…CLSID} = “History Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS]

“{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler”

-> {HKLM…CLSID} = “NeroDigitalIconHandler Class”

\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [file not found]

“{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler”

-> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class”

\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [file not found]

“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”

-> {HKLM…CLSID} = “DesktopContext Class”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]

“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”

-> {HKLM…CLSID} = “NVIDIA CPL Extension”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]

“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”

-> {HKLM…CLSID} = “Desktop Explorer”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”

-> {HKLM…CLSID} = “nView Desktop Context Menu”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

“{DBD8E168-244D-448C-9922-25508950D1DC}” = “Ulead UDF Driver”

-> {HKLM…CLSID} = “USIShellExt Class”

\InProcServer32(Default) = “C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll” [“Ulead Systems, Inc.”]

“{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS]

“{1DCD19FE-51F1-44BF-90F7-26F4D1944755}” = “Direct Audio Converter & CD Ripper Menu Shell Extension”

-> {HKLM…CLSID} = “Direct Audio Converter & CD Ripper Menu Shell Extension”

\InProcServer32(Default) = “C:\PROGRA~1\DIRECT~1\cmenu1.dll” [null data]

“{52B87208-9CCF-42C9-B88E-069281105805}” = “Trojan Remover Shell Extension”

-> {HKLM…CLSID} = “Trojan Remover Shell Extension”

\InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

“WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”

-> {HKLM…CLSID} = “WPDShServiceObj Class”

\InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler”

-> {HKLM…CLSID} = “NeroDigitalColumnHandler Class”

\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [file not found]

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}”

-> {HKLM…CLSID} = “Trojan Remover Shell Extension”

\InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}”

-> {HKLM…CLSID} = “Trojan Remover Shell Extension”

\InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies {policy setting}:


Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“NoChangeStartMenu” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

“NoClose” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

“NoLogOff” = (REG_DWORD) hex:0x00000001

{Disable Logoff}

“NoRun” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“DisableTaskMgr” = (REG_DWORD) hex:0x00000001

{Remove Task Manager}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\Documents and Settings\MY\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\system32\POLKOM~1.SCR” (PolKompJe.scr) [null data]

Startup items in “MY” & “All Users” startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]

“Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 21

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 20

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:


Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{F2CF5485-4E02-4F68-819C-B92DE9277049}”

-> {HKLM…CLSID} = “&Links”

\InProcServer32(Default) = “C:\WINDOWS\system32\ieframe.dll” [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

“MenuText” = “@xpsp3res.dll,-20001”

“Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

“ButtonText” = “Messenger”

“MenuText” = “Windows Messenger”

“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):


Adobe Active File Monitor V5, AdobeActiveFileMonitor5.0, “C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe” [null data]

ATK Keyboard Service, ATKKeyboardService, “C:\WINDOWS\ATKKBService.exe” [“ASUSTeK COMPUTER INC.”]

Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\system32\wbem\wmiapsrv.exe” [MS]

LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [“Hewlett-Packard Company”]

Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS]

NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "]

nTune Service, nTuneService, “C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService” [“NVIDIA”]

NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”]

Ulead Burning Helper, UleadBurningHelper, “C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe” [“Ulead Systems, Inc.”]

---------- (launch time: 2007-08-13 07:20:43)

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer “No” at the

first message box and “Yes” at the second message box.

---------- (total run time: 27 seconds, including 6 seconds for message boxes)

Remove in HJT.

Also post a ComboFix log (instructions for producing the log are at the very bottom).

Hello

I removed those two entries.

Below is the ComboFix log.

I hope it can be removed; it's very cunning. It blocks Task Manager as well as the antivirus programs that run during Windows startup, and during a normal scan it blocks access to files. Someone secured it pretty well.

I'm close to formatting the partition; I think that will smoke it out.

Regards

I don't see anything suspicious in the log.

The previous Silent Runners log had the entry mentioned above.

We'll try to fix it, but it probably won't work, because the text "Remove Task Manager" suggests you no longer have Task Manager at all.

Paste into Notepad:

Windows Registry Editor Version 5.00 


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] 

"DisableTaskMgr"=dword:00000000 


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System] 

"DisableTaskMgr"=dword:00000000 

"**del.DisableTaskMgr"=" " 


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 

"DisableTaskMgr"=dword:00000000

From the Notepad menu >>> File >>> Save As >>> set the file type to All Files >>> save as FIX.REG >>>

run the file (double-click and OK).

Restart the computer.

Post a new Silent Runners log or say whether Task Manager works.
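As an added example (not part of this thread and not code from the Silent Runners script), here is a small Python script that does the same job as the fix above, but with a check first: it reads the "Group Policies" section of a Silent Runners log, flags the lockdown policies that appear in this thread's log (DisableTaskMgr, NoRun, NoClose, NoLogOff, NoChangeStartMenu) and writes a FIX.REG in the same shape as the one posted above, resetting each flagged value to 0 under the key where it was reported. The registry paths and value names come from the log; the function names and the `SAMPLE_LOG` excerpt (copied from the log in this thread, with the straight quotes Silent Runners actually writes) are mine. The parser also accepts the curly quotes the forum rendered.

```python
import re

# Policies this trojan switched on; a non-zero value locks the user out of
# that feature. The descriptions are the ones Silent Runners printed.
LOCKDOWN_POLICIES = {
    "DisableTaskMgr": "Remove Task Manager",
    "NoRun": "Remove Run (unrecognized by Silent Runners)",
    "NoClose": "Remove Shut Down (unrecognized by Silent Runners)",
    "NoLogOff": "Disable Logoff",
    "NoChangeStartMenu": "Block Start menu changes (unrecognized by Silent Runners)",
}

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# A key header line looks like: HKCU\Software\...\Policies\Explorer\
KEY_RE = re.compile(r"^(HKCU|HKLM)\\([^\s{]+)")
# A value line looks like: "DisableTaskMgr" = (REG_DWORD) hex:0x00000001
# (straight or curly quotes accepted).
VALUE_RE = re.compile(r'^[“"]([^”"]+)[”"]\s*=\s*\(REG_DWORD\)\s*hex:0x([0-9A-Fa-f]+)')

# Constructed sample: the "Group Policies" section of the log posted in this thread.
SAMPLE_LOG = r"""
Group Policies {policy setting}:

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoChangeStartMenu" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoClose" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoLogOff" = (REG_DWORD) hex:0x00000001
{Disable Logoff}
"NoRun" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) hex:0x00000001
{Remove Task Manager}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
"""


def parse_policy_values(log_text):
    """Return (hive, subkey, name, value) for every REG_DWORD that sits under
    a ...\\Policies\\... key in a Silent Runners log."""
    entries = []
    current = None  # (hive, subkey) of the most recent policy key header
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            hive, subkey = HIVES[m.group(1)], m.group(2).rstrip("\\")
            current = (hive, subkey) if "\\Policies\\" in subkey else None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries.append((current[0], current[1], m.group(1), int(m.group(2), 16)))
    return entries


def find_lockdowns(entries):
    """Keep only the known lockdown policies that are switched on."""
    return [e for e in entries if e[2] in LOCKDOWN_POLICIES and e[3] != 0]


def build_reg_fix(findings):
    """Emit FIX.REG text (CRLF line endings, as regedit expects) that resets
    every flagged value to 0 under the key where it was reported."""
    by_key = {}
    for hive, subkey, name, _ in findings:
        by_key.setdefault(f"[{hive}\\{subkey}]", []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(key)
        lines.extend(f'"{name}"=dword:00000000' for name in sorted(names))
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = find_lockdowns(parse_policy_values(SAMPLE_LOG))
    for hive, subkey, name, value in found:
        print(f"{hive}\\{subkey}\\{name} = {value}  ({LOCKDOWN_POLICIES[name]})")
    with open("FIX.REG", "w", newline="") as fh:
        fh.write(build_reg_fix(found))
```

Run it with a real log passed in place of `SAMPLE_LOG`; the two HKLM values (shutdownwithoutlogon, undockwithoutlogon) are deliberately left alone because they are ordinary security-option settings, not lockdowns. The generated file does not include the "Group Policy Objects\LocalUser" key with the `**del.` marker that the fix above adds; add that by hand if the value has been pushed through local Group Policy, as the helper's FIX.REG does.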


Thanks, Task Manager has reappeared.

Now I just need to change the annoying jingle at logon and scan everything once more.

I'm sending the Silent Runners log to confirm whether everything is OK.

Regards, and thanks for the help.

Yes, the Silent Runners log confirms that the "Manager" is now OK.

However, I can't see what is causing your remaining problems. :(


Also run an AVG AntiSpyware 7.5 scan after updating it, and paste the scan report.