w32.myzor.Fk@yf -problem:(

Dla specjalistów Bezpieczeństwo
#1

witam

mam problem z wirusem w32.myzor.Fk@yf.do tego wyskakuje komunikat Security Alert:NetWorm-i.virus@fp

sciagnalem sobie hi jacka ale nie wiem za bardzo ktore pliki “naprawic” zeby nic nie popsuc:)prosze o jakies instrukcje…z gory wieelkie dzieki!

Logfile of HijackThis v1.99.1

Scan saved at 12:59:47, on 2007-02-23

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\Video ActiveX Object\pmsnrr.exe

D:\Program Files\Video ActiveX Object\isamntr.exe

D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

D:\WINDOWS\SOUNDMAN.EXE

D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

E:\Phone\HP Software Update\HPWuSchd2.exe

D:\Program Files\HP\hpcoretech\hpcmpmgr.exe

D:\WINDOWS\system32\nvraidservice.exe

D:\Program Files\Video ActiveX Object\pmmnt.exe

D:\Program Files\Video ActiveX Object\isamini.exe

D:\WINDOWS\system32\lnwin.exe

D:\WINDOWS\system32\ctfmon.exe

D:\WINDOWS\inet20126\wpcem.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\wbem\unsecapp.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Documents and Settings\adam\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll

F3 - REG:win.ini: run=D:\WINDOWS\inet20126\services.exe

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - D:\Program Files\Video ActiveX Object\isadd.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - D:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll

O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - D:\Program Files\Video ActiveX Object\iesplugin.dll

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] “D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”

O4 - HKLM…\Run: [HP Software Update] “E:\Phone\HP Software Update\HPWuSchd2.exe”

O4 - HKLM…\Run: [HP Component Manager] “D:\Program Files\HP\hpcoretech\hpcmpmgr.exe”

O4 - HKLM…\Run: [NVRaidService] D:\WINDOWS\system32\nvraidservice.exe

O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM…\Run: [xp_system] D:\WINDOWS\inet20126\services.exe

O4 - HKLM…\Run: [Microsoft standard protector] D:\WINDOWS\inet20126\socks.exe

O4 - HKLM…\Run: [Microsoft WWW] D:\WINDOWS\inet20126\free.exe

O4 - HKLM…\Run: [Microsoft WPCEmail] D:\WINDOWS\inet20126\svchost.exe

O4 - HKLM…\Run: [sysinter] D:\WINDOWS\system32\adirss.exe

O4 - HKLM…\Run: [lnwin.exe] D:\WINDOWS\system32\lnwin.exe

O4 - HKCU…\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [MSMSGS] “D:\Program Files\Messenger\msmsgs.exe” /background

O4 - HKCU…\Run: [xp_system] D:\WINDOWS\inet20126\services.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_29.cab

O17 - HKLM\System\CCS\Services\Tcpip…{39290636-B4BB-4023-AABC-D5B70BF37DE2}: NameServer = 194.204.159.1 217.98.63.164

O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll

O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - D:\WINDOWS\system32\higehsg.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: msieupdater (Microsoft IE Updater) - Unknown owner - D:\WINDOWS\system32\update00822631.exe

O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - D:\Documents and Settings\adam~tmp0374.exe

O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

#2

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Start => uruchom => wpisz cmd i kliknij OK => w konsoli, która się otworzy wpisz:

Użyj narzędzia SmitFraudFix (wybierz opcję 2). Potem sprawdź co będzie z tego co wskazałem poniżej i usuń: (wszystko oczywiście robisz w trybie awaryjnym z wyłączonym przywracaniem systemu)

Pliki i foldery zaznaczone kasujesz ręcznie z dysku natomiast wpisy w HijackThis.

Po wykonaniu pokaż nowy log z HijackThis, SilentRunners oraz zawartość pliku c:\rapport.txt

#3

w trybie awaryjnym korzystam juz z WWDC?i przy wlaczaniu f8 nie mam opcji “tryb awaryjny z wylaczniem przywracania systemu” tylko tryb awaryjny,tryb awaryjny z obsluga sieci i tryb awaryjny z paskiem komend czy cos takiego…sorry wielkie za moja nieudolnosc ale niestety w temacie komputerow jestem dosc slaby:(pozdrawiam

#4

WWDC stosujesz będąc w trybie normalnym.

Narzędzie SmitFraudFix pobierasz będąc w trybie normalnym ale stosujesz je w awaryjnym.

Tak wyłącza się przywracanie systemu:

A tak uruchamia się system w trybie awaryjnym:

#5

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “D:\WINDOWS\system32\ctfmon.exe” [MS]

“MSMSGS” = ““D:\Program Files\Messenger\msmsgs.exe” /background” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“SpeedTouch USB Diagnostics” = ““D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON”]

“SoundMan” = “SOUNDMAN.EXE” [“Avance Logic, Inc.”]

“NeroFilterCheck” = “D:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“avast!” = “D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]

“SunJavaUpdateSched” = ““D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”” [“Sun Microsystems, Inc.”]

“HP Software Update” = ““E:\Phone\HP Software Update\HPWuSchd2.exe”” [“Hewlett-Packard Company”]

“HP Component Manager” = ““D:\Program Files\HP\hpcoretech\hpcmpmgr.exe”” [“Hewlett-Packard Company”]

“NVRaidService” = “D:\WINDOWS\system32\nvraidservice.exe” [“NVIDIA Corporation”]

“Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS]

“Microsoft WWW” = "D:\WINDOWS\inet20126\free.exe " [null data]

“Microsoft WPCEmail” = "D:\WINDOWS\inet20126\svchost.exe " [null data]

“sysinter” = “D:\WINDOWS\system32\adirss.exe” [null data]

“lnwin.exe” = “D:\WINDOWS\system32\lnwin.exe” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{37B85A21-692B-4205-9CAD-2626E4993404}(Default) = “My Global Search Bar BHO”

-> {HKLM…CLSID} = “My Global Search Bar BHO”

\InProcServer32(Default) = “D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”]

{F97DA966-F09D-4cab-BF29-75A0026986EA}(Default) = “XBTP02634”

-> {HKLM…CLSID} = “XBTP02634 Class”

\InProcServer32(Default) = “D:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll” [“IE Toolbar”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “D:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”

-> {HKLM…CLSID} = “Portable Media Devices Menu”

\InProcServer32(Default) = “D:\WINDOWS\system32\Audiodev.dll” [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> partnershipreg\DLLName = “D:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll” [null data]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies {GPedit.msc branch and setting}:

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\Documents and Settings\adam\Pulpit\zuz\an.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “D:\WINDOWS\System32\logon.scr” [MS]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13, 16 - 18, 21 - 30

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05, 19 - 20

rsvp32_2.dll [null data], 14 - 15, 31

Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}”

-> {HKLM…CLSID} = “BearShare MediaBar”

\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}” = (no title provided)

-> {HKLM…CLSID} = “BearShare MediaBar”

\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

“MenuText” = “Sun Java Console”

“CLSIDExtension” = “{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}”

-> {HKCU…CLSID} = “Java Plug-in 1.5.0_09”

\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”]

-> {HKLM…CLSID} = “Java Plug-in 1.5.0_09”

\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll” [“Sun Microsystems, Inc.”]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

“ButtonText” = “Messenger”

“MenuText” = “Windows Messenger”

“Exec” = “D:\Program Files\Messenger\msmsgs.exe” [MS]

Miscellaneous IE Hijack Points

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> “{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}” = (no title provided)

-> {HKLM…CLSID} = “BearShare MediaBar”

\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]

Running Services (Display Name, Service Name, Path {Service DLL}):

avast! iAVS4 Control Service, aswUpdSv, ““D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt10\Driver = “hpzsnt10.dll” [“HP”]

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer “No” at the

first message box and “Yes” at the second message box.

---------- (total run time: 54 seconds, including 6 seconds for message boxes)

Logfile of HijackThis v1.99.1

Scan saved at 14:41:48, on 2007-02-25

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

D:\WINDOWS\SOUNDMAN.EXE

D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

E:\Phone\HP Software Update\HPWuSchd2.exe

D:\Program Files\HP\hpcoretech\hpcmpmgr.exe

D:\WINDOWS\system32\nvraidservice.exe

D:\WINDOWS\inet20126\free.exe

D:\WINDOWS\system32\adirss.exe

D:\WINDOWS\system32\lnwin.exe

D:\WINDOWS\inet20126\wpcem.exe

D:\WINDOWS\system32\ctfmon.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\wuauclt.exe

D:\WINDOWS\system32\wbem\unsecapp.exe

D:\Documents and Settings\adam\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - D:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] “D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”

O4 - HKLM…\Run: [HP Software Update] “E:\Phone\HP Software Update\HPWuSchd2.exe”

O4 - HKLM…\Run: [HP Component Manager] “D:\Program Files\HP\hpcoretech\hpcmpmgr.exe”

O4 - HKLM…\Run: [NVRaidService] D:\WINDOWS\system32\nvraidservice.exe

O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM…\Run: [Microsoft WWW] D:\WINDOWS\inet20126\free.exe

O4 - HKLM…\Run: [Microsoft WPCEmail] D:\WINDOWS\inet20126\svchost.exe

O4 - HKLM…\Run: [sysinter] D:\WINDOWS\system32\adirss.exe

O4 - HKLM…\Run: [lnwin.exe] D:\WINDOWS\system32\lnwin.exe

O4 - HKCU…\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [MSMSGS] “D:\Program Files\Messenger\msmsgs.exe” /background

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_29.cab

O17 - HKLM\System\CCS\Services\Tcpip…{39290636-B4BB-4023-AABC-D5B70BF37DE2}: NameServer = 194.204.159.1 217.98.63.164

O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: msieupdater (Microsoft IE Updater) - Unknown owner - D:\WINDOWS\system32\update00822631.exe

O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - D:\Documents and Settings\adam~tmp0374.exe

O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

Złączono Posta : 25.02.2007 (Nie) 14:57

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “D:\WINDOWS\system32\ctfmon.exe” [MS]

“MSMSGS” = ““D:\Program Files\Messenger\msmsgs.exe” /background” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“SpeedTouch USB Diagnostics” = ““D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON”]

“SoundMan” = “SOUNDMAN.EXE” [“Avance Logic, Inc.”]

“NeroFilterCheck” = “D:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“avast!” = “D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]

“SunJavaUpdateSched” = ““D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”” [“Sun Microsystems, Inc.”]

“HP Software Update” = ““E:\Phone\HP Software Update\HPWuSchd2.exe”” [“Hewlett-Packard Company”]

“HP Component Manager” = ““D:\Program Files\HP\hpcoretech\hpcmpmgr.exe”” [“Hewlett-Packard Company”]

“NVRaidService” = “D:\WINDOWS\system32\nvraidservice.exe” [“NVIDIA Corporation”]

“Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS]

“Microsoft WWW” = "D:\WINDOWS\inet20126\free.exe " [null data]

“Microsoft WPCEmail” = "D:\WINDOWS\inet20126\svchost.exe " [null data]

“sysinter” = “D:\WINDOWS\system32\adirss.exe” [null data]

“lnwin.exe” = “D:\WINDOWS\system32\lnwin.exe” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{37B85A21-692B-4205-9CAD-2626E4993404}(Default) = “My Global Search Bar BHO”

-> {HKLM…CLSID} = “My Global Search Bar BHO”

\InProcServer32(Default) = “D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”]

{F97DA966-F09D-4cab-BF29-75A0026986EA}(Default) = “XBTP02634”

-> {HKLM…CLSID} = “XBTP02634 Class”

\InProcServer32(Default) = “D:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll” [“IE Toolbar”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “D:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”

-> {HKLM…CLSID} = “Portable Media Devices Menu”

\InProcServer32(Default) = “D:\WINDOWS\system32\Audiodev.dll” [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> partnershipreg\DLLName = “D:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll” [null data]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies {GPedit.msc branch and setting}:

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\Documents and Settings\adam\Pulpit\zuz\an.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “D:\WINDOWS\System32\logon.scr” [MS]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13, 16 - 18, 21 - 30

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05, 19 - 20

rsvp32_2.dll [null data], 14 - 15, 31

Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}”

-> {HKLM…CLSID} = “BearShare MediaBar”

\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}” = (no title provided)

-> {HKLM…CLSID} = “BearShare MediaBar”

\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

“MenuText” = “Sun Java Console”

“CLSIDExtension” = “{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}”

-> {HKCU…CLSID} = “Java Plug-in 1.5.0_09”

\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”]

-> {HKLM…CLSID} = “Java Plug-in 1.5.0_09”

\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll” [“Sun Microsystems, Inc.”]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

“ButtonText” = “Messenger”

“MenuText” = “Windows Messenger”

“Exec” = “D:\Program Files\Messenger\msmsgs.exe” [MS]

Miscellaneous IE Hijack Points

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> “{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}” = (no title provided)

-> {HKLM…CLSID} = “BearShare MediaBar”

\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]

Running Services (Display Name, Service Name, Path {Service DLL}):

avast! iAVS4 Control Service, aswUpdSv, ““D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt10\Driver = “hpzsnt10.dll” [“HP”]

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer “No” at the

first message box and “Yes” at the second message box.

---------- (total run time: 54 seconds, including 6 seconds for message boxes)

Logfile of HijackThis v1.99.1

Scan saved at 14:41:48, on 2007-02-25

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

D:\WINDOWS\SOUNDMAN.EXE

D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

E:\Phone\HP Software Update\HPWuSchd2.exe

D:\Program Files\HP\hpcoretech\hpcmpmgr.exe

D:\WINDOWS\system32\nvraidservice.exe

D:\WINDOWS\inet20126\free.exe

D:\WINDOWS\system32\adirss.exe

D:\WINDOWS\system32\lnwin.exe

D:\WINDOWS\inet20126\wpcem.exe

D:\WINDOWS\system32\ctfmon.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\wuauclt.exe

D:\WINDOWS\system32\wbem\unsecapp.exe

D:\Documents and Settings\adam\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - D:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] “D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”

O4 - HKLM…\Run: [HP Software Update] “E:\Phone\HP Software Update\HPWuSchd2.exe”

O4 - HKLM…\Run: [HP Component Manager] “D:\Program Files\HP\hpcoretech\hpcmpmgr.exe”

O4 - HKLM…\Run: [NVRaidService] D:\WINDOWS\system32\nvraidservice.exe

O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM…\Run: [Microsoft WWW] D:\WINDOWS\inet20126\free.exe

O4 - HKLM…\Run: [Microsoft WPCEmail] D:\WINDOWS\inet20126\svchost.exe

O4 - HKLM…\Run: [sysinter] D:\WINDOWS\system32\adirss.exe

O4 - HKLM…\Run: [lnwin.exe] D:\WINDOWS\system32\lnwin.exe

O4 - HKCU…\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [MSMSGS] “D:\Program Files\Messenger\msmsgs.exe” /background

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_29.cab

O17 - HKLM\System\CCS\Services\Tcpip…{39290636-B4BB-4023-AABC-D5B70BF37DE2}: NameServer = 194.204.159.1 217.98.63.164

O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: msieupdater (Microsoft IE Updater) - Unknown owner - D:\WINDOWS\system32\update00822631.exe

O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - D:\Documents and Settings\adam~tmp0374.exe

O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

#6

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.BAT

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG

Przejdź do trybu awaryjnego i uruchom utworzone pliki.

Uruchom HijackThis => kliknij Do a system scan only => pokaże się lista wpisów => postaw ptaszek przy wpisach:

=> kliknij Fix checked i potwierdź usunięcie.

Po wykonaniu wklej nowe logi.

#7

Mam pytanie, czy ten wirus objawia się wyskakiwaniem takiego komunikatu o błędzie?

ssssw0.jpg

Jeśli tak to mam to samo i własnie próbuje się tego pozbyć. Wszyscy zalecają format, ale mam dużo ważnych plików na kompie i przegranie ich na płyty byłoby operacją bardzo czasochłonną, a obecnie nie mam czasu niestety…

#8

Format to ostateczność. Zajrzyj tutaj:

http://forum.dobreprogramy.pl/viewtopic.php?t=93075

Ale najpierw wykonaj to, co napisałem w swoim poprzednim poście i wklej nowe logi.

#9

Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE - popraw

Pozdrawiam Gutek2222