Faulty operation of 2 programs - reinstall didn't help :(


(Macio117) #1

Hello,

I have a problem with 2 programs not working properly.

The first is System Mechanic 7 and the second is AMUST Registry Cleaner 3.5.

After loading these programs the buttons do not display, and you practically can't do anything in them.

My only hope is to ask for advice here.

I also wanted to post a Silent Runners log, but Scripting Host is blocked on my machine.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 13:06:59, on 2007-03-31

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gran Paradiso\firefox.exe

C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe

D:\Programy\Do windowsa xp\Inne\HiJackThis_v2.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll

O2 - BHO: (no name) - {62D6B354-6574-4FE1-8E69-3115B4E3BD7C} - C:\WINDOWS\system32\pmnlj.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"

O4 - HKUS\S-1-5-21-1960408961-113007714-682003330-1002\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-1960408961-113007714-682003330-1002\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe" (User '?')

O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} - 

O20 - Winlogon Notify: khfgdaa - C:\WINDOWS\SYSTEM32\khfgdaa.dll

O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


--

End of file - 4084 bytes

(adam9870) #2

Use Windows Worms Doors Cleaner and switch the markers from disable to enable (all markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.

Download KillBox, select Delete on reboot, and in the full path of file field paste these paths:

C:\WINDOWS\system32\pmnlj.dll

C:\WINDOWS\SYSTEM32\khfgdaa.dll

After pasting each path separately click the red X, but only agree to the restart after pasting the last one.

Remove the HJT entries.

Use VundoFix + FixVundo + VirtumundoBeGone. All of the tools must be run in Safe Mode.

When done, post a new log from HijackThis, SilentRunners and ComboFix, plus the contents of the file c:\vundofix.txt
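The triage a helper does by eye on a log like the one above, written out as an added example (not a tool from this thread): it parses the O2 and O20 lines, flags BHOs registered with no name and Winlogon Notify packages outside the Windows XP default set, and cross-references the two, since a DLL that is both a BHO and a Notify package is loaded into winlogon.exe at every logon, which is why "delete on reboot" is needed. The sample log lines are constructed to mirror the entries posted above; the KNOWN_NOTIFY list is my own assumption of the XP SP2 defaults.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the HijackThis entries posted above:
# the two DLLs that were later flagged plus a few benign entries.
SAMPLE_LOG = r"""
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {62D6B354-6574-4FE1-8E69-3115B4E3BD7C} - C:\WINDOWS\system32\pmnlj.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O20 - Winlogon Notify: khfgdaa - C:\WINDOWS\SYSTEM32\khfgdaa.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
""".strip()

# Winlogon Notify packages shipped with Windows XP SP2 (assumed default set);
# any other package name deserves a closer look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def triage(log_text):
    """Return {dll path (lower-case): [reasons]} for entries worth a closer look."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m and m.group("name") == "(no name)":
            # A BHO registered without a name is a classic sign of a dropped DLL.
            findings[m.group("path").lower()].append("nameless BHO")
            continue
        m = NOTIFY_RE.match(line)
        if m and m.group("key").lower() not in KNOWN_NOTIFY:
            # An unknown Notify package is loaded by winlogon.exe at every logon,
            # so the file is locked while Windows runs and a plain delete fails.
            findings[m.group("path").lower()].append("unknown Winlogon Notify package")
    # The same DLL hit by both checks is the strongest signal of the pairing.
    for reasons in findings.values():
        if len(reasons) > 1:
            reasons.append("BHO + Winlogon Notify on the same DLL")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```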


(Macio117) #3

Unfortunately, I couldn't post the SilentRunners log because Scripting Host won't start for me.

So here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 14:04:57, on 2007-03-31

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\netdde.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\FlashGet\flashget.exe

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gran Paradiso\firefox.exe

D:\Programy\Do windowsa xp\Inne\HiJackThis_v2.exe


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-1960408961-113007714-682003330-1002\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


--

End of file - 3375 bytes

VirtumundoBeGone (VBG) log:

[03/31/2007, 13:56:28] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Maciej\Pulpit\VirtumundoBeGone.exe" )

[03/31/2007, 13:56:30] - Detected System Information:

[03/31/2007, 13:56:30] - Windows Version: 5.1.2600, Dodatek Service Pack 2

[03/31/2007, 13:56:30] - Current Username: Maciej (Admin)

[03/31/2007, 13:56:30] - Windows is in NORMAL mode.

[03/31/2007, 13:56:30] - Searching for Browser Helper Objects:

[03/31/2007, 13:56:30] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)

[03/31/2007, 13:56:30] - BHO 2: {8D598351-260F-4351-9B57-AD82AB1CC606} ()

[03/31/2007, 13:56:30] - WARNING: BHO has no default name. Checking for Winlogon reference.

[03/31/2007, 13:56:30] - Checking for HKLM\...\Winlogon\Notify\pmkjk

[03/31/2007, 13:56:30] - Found: HKLM\...\Winlogon\Notify\pmkjk - This is probably Virtumundo.

[03/31/2007, 13:56:30] - Assigning {8D598351-260F-4351-9B57-AD82AB1CC606} MSEvents Object

[03/31/2007, 13:56:30] - BHO list has been changed! Starting over...

[03/31/2007, 13:56:30] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)

[03/31/2007, 13:56:30] - BHO 2: {8D598351-260F-4351-9B57-AD82AB1CC606} (MSEvents Object)

[03/31/2007, 13:56:30] - ALERT: Found MSEvents Object!

[03/31/2007, 13:56:30] - BHO 3: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} ()

[03/31/2007, 13:56:30] - WARNING: BHO has no default name. Checking for Winlogon reference.

[03/31/2007, 13:56:30] - Checking for HKLM\...\Winlogon\Notify\khfgdaa

[03/31/2007, 13:56:30] - Found: HKLM\...\Winlogon\Notify\khfgdaa - This is probably Virtumundo.

[03/31/2007, 13:56:30] - Assigning {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} MSEvents Object

[03/31/2007, 13:56:30] - BHO list has been changed! Starting over...

[03/31/2007, 13:56:30] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)

[03/31/2007, 13:56:30] - BHO 2: {8D598351-260F-4351-9B57-AD82AB1CC606} (MSEvents Object)

[03/31/2007, 13:56:30] - ALERT: Found MSEvents Object!

[03/31/2007, 13:56:30] - BHO 3: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} (MSEvents Object)

[03/31/2007, 13:56:30] - ALERT: Found MSEvents Object!

[03/31/2007, 13:56:30] - BHO 4: {F156768E-81EF-470C-9057-481BA8380DBA} (FlashGet GetFlash Class)

[03/31/2007, 13:56:30] - Finished Searching Browser Helper Objects

[03/31/2007, 13:56:30] - *** Detected MSEvents Object

[03/31/2007, 13:56:30] - Trying to remove MSEvents Object...

[03/31/2007, 13:56:31] - Terminating Process: IEXPLORE.EXE

[03/31/2007, 13:56:31] - Terminating Process: RUNDLL32.EXE

[03/31/2007, 13:56:31] - Disabling Automatic Shell Restart

[03/31/2007, 13:56:32] - Terminating Process: EXPLORER.EXE

[03/31/2007, 13:56:32] - Suspending the NT Session Manager System Service

[03/31/2007, 13:56:32] - Terminating Windows NT Logon/Logoff Manager

[03/31/2007, 13:56:32] - Re-enabling Automatic Shell Restart

[03/31/2007, 13:56:32] - File to disable: C:\WINDOWS\system32\pmkjk.dll

[03/31/2007, 13:56:32] - Renaming C:\WINDOWS\system32\pmkjk.dll -> C:\WINDOWS\system32\pmkjk.dll.vir

[03/31/2007, 13:56:32] - File successfully renamed!

[03/31/2007, 13:56:32] - Removing HKLM\...\Browser Helper Objects\{8D598351-260F-4351-9B57-AD82AB1CC606}

[03/31/2007, 13:56:32] - Removing HKCR\CLSID\{8D598351-260F-4351-9B57-AD82AB1CC606}

[03/31/2007, 13:56:32] - Adding Kill Bit for ActiveX for GUID: {8D598351-260F-4351-9B57-AD82AB1CC606}

[03/31/2007, 13:56:32] - Deleting ATLEvents/MSEvents Registry entries

[03/31/2007, 13:56:32] - Removing HKLM\...\Winlogon\Notify\pmkjk

[03/31/2007, 13:56:32] - Searching for Browser Helper Objects:

[03/31/2007, 13:56:32] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)

[03/31/2007, 13:56:32] - BHO 2: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} (MSEvents Object)

[03/31/2007, 13:56:32] - ALERT: Found MSEvents Object!

[03/31/2007, 13:56:32] - BHO 3: {F156768E-81EF-470C-9057-481BA8380DBA} (FlashGet GetFlash Class)

[03/31/2007, 13:56:32] - Finished Searching Browser Helper Objects

[03/31/2007, 13:56:32] - *** Detected MSEvents Object

[03/31/2007, 13:56:32] - Trying to remove MSEvents Object...

[03/31/2007, 13:56:33] - Terminating Process: IEXPLORE.EXE

[03/31/2007, 13:56:33] - Terminating Process: RUNDLL32.EXE

[03/31/2007, 13:56:33] - Disabling Automatic Shell Restart

[03/31/2007, 13:56:33] - Terminating Process: EXPLORER.EXE

[03/31/2007, 13:56:34] - Suspending the NT Session Manager System Service

[03/31/2007, 13:56:34] - Terminating Windows NT Logon/Logoff Manager

[03/31/2007, 13:56:34] - Re-enabling Automatic Shell Restart

[03/31/2007, 13:56:34] - File to disable: C:\WINDOWS\system32\khfgdaa.dll

[03/31/2007, 13:56:34] - Renaming C:\WINDOWS\system32\khfgdaa.dll -> C:\WINDOWS\system32\khfgdaa.dll.vir

[03/31/2007, 13:56:34] - File successfully renamed!

[03/31/2007, 13:56:34] - Removing HKLM\...\Browser Helper Objects\{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}

[03/31/2007, 13:56:34] - Removing HKCR\CLSID\{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}

[03/31/2007, 13:56:34] - Adding Kill Bit for ActiveX for GUID: {E44527F6-1296-4A84-B67D-A6CEA6ED4B69}

[03/31/2007, 13:56:34] - Deleting ATLEvents/MSEvents Registry entries

[03/31/2007, 13:56:34] - Removing HKLM\...\Winlogon\Notify\khfgdaa

[03/31/2007, 13:56:34] - Searching for Browser Helper Objects:

[03/31/2007, 13:56:34] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)

[03/31/2007, 13:56:34] - BHO 2: {F156768E-81EF-470C-9057-481BA8380DBA} (FlashGet GetFlash Class)

[03/31/2007, 13:56:34] - Finished Searching Browser Helper Objects

[03/31/2007, 13:56:34] - Finishing up...

[03/31/2007, 13:56:34] - A restart is needed.

[03/31/2007, 13:56:34] - Automatic Reboot on STOP Error is not set. User will have to manually restart.

[03/31/2007, 13:56:35] - Attempting to Restart via STOP error (Blue Screen!)

FixVundo log:

Symantec Trojan.Vundo Removal Tool 1.5.0


C:\System Volume Information: (not scanned)

D:\System Volume Information: (not scanned)

Trojan.Vundo has not been found on your computer.

VundoFix log:

VundoFix V4.2.22

Scan started at 13:44:21 2007-03-31


Listing files found while scanning....

C:\WINDOWS\system32\jlnmp.bak1

C:\WINDOWS\system32\jlnmp.ini

 Attempting to delete C:\WINDOWS\system32\jlnmp.bak1

C:\WINDOWS\system32\jlnmp.bak1 Has been deleted!


 Attempting to delete C:\WINDOWS\system32\jlnmp.ini

C:\WINDOWS\system32\jlnmp.ini Has been deleted!


Performing Repairs to the registry.

Done!

ComboFix log:

"Maciej" - 07-03-31 13:35:05 Dodatek Service Pack 2