Ferenz
(Ferenzoo)
20 Listopad 2006 13:59
#1
Prawdopodobnie moja siostra otworzyła link otrzymany przez gg i “zaraziła” kompa wirusem z gg ostatnio popularnym^^ moi koledzy skarżyli się, że otrzymywali odemnie jakis link chociaz ja nic do nich nie wysyłałem. Prosze o pomoc z uporaniem sie z tym wirusem
(prosze o dokladne wytlumaczenie jak sie z nim uporac bo ja sie na tym nie znam za dobrze )
oto log
Logfile of HijackThis v1.99.1 Scan saved at 14:59:36, on 2006-11-20 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\sstray.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe D:\steam\steam.exe D:\Gadu-Gadu\gg.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Mozilla Firefox\firefox.exe D:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll O4 - HKLM…\Run: [nForce Tray Options] sstray.exe /r O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM…\Run: [bearShare] “D:\Program Files\BearShare\BearShare.exe” /pause O4 - HKLM…\Run: [WhenUSave] “C:\Program Files\Save\Save.exe” O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\Run: [keyboard] c:\keyboard3.exe O4 - HKLM…\Run: [mousepad] C:\mousepad3.exe O4 - HKLM…\Run: [newname] c:\newname3.exe O4 - HKLM…\Run: [installed] 103 O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [WinampAgent] D:\Winamp\winampa.exe O4 - HKCU…\Run: [steam] “d:\steam\steam.exe” -silent O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [Gadu-Gadu] “D:\Gadu-Gadu\gg.exe” /tray O4 - Startup: UniSpiker-2.6.lnk = ? O4 - Startup: Xfire.lnk = D:\Xfire\Xfire.exe O4 - Global Startup: BlueSoleil.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ? O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ? O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing) O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing) O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar1.google.com/data/pl/big/ … gleNav.cab O17 - HKLM\System\CCS\Services\Tcpip…{2C5973FD-2112-4611-AE28-A24972198E0E}: NameServer = 192.168.0.1 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing) O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET \Framework\v1.1.4322\aspnet_state.exe (file missing) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
z gory thx
Bieniol
(Bbieniol)
20 Listopad 2006 14:04
#2
Użyj narzędzia -> SmitFraudFix (w trybie awaryjnym z opcji 2 )
W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html F2 - REG:system.ini: UserInit=userinit.exe O4 - HKLM…\Run: [WhenUSave] “C:\Program Files\Save\Save.exe” O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing) O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing) O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
Po zabiegach nowy log z Hijacka + log z Silent Runners + raprot ze SmitFraudFix
Ferenz
(Ferenzoo)
20 Listopad 2006 15:58
#3
Pytanie: Jak włączyć tryb awaryjny z wyłączonym przywracaniem systemu? (mowiłem, że sie nie znam xD) normalnie F8 przy starcie czy cos innego ?
adam9870
(adam9870)
20 Listopad 2006 16:01
#4
Przywracanie systemu wyłącza się tak:
A tryb awaryjny uruchamia się tak:
Po wciśnięciu klawisza włączającego komputer szybko naciskasz i trzymasz klawisz F5. W niektórych komputerach klawiszem tym nie można wejść to trzeba klawiszem F8. Potem będzie lista systemów do wyboru, wybierasz “Tryb awaryjny”, i system będzie uruchamiać się w trybie awaryjnym.
Ferenz
(Ferenzoo)
20 Listopad 2006 17:24
#5
@up
dzieki
Loga z Silent Runners nie mam… czekałem około 20 min., komp mulił jak cholera i sie nie kończyło nie wiem o co chodzi z tym
Nowy log z HijackThis:
Logfile of HijackThis v1.99.1 Scan saved at 17:43:48, on 2006-11-20 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\sstray.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe D:\Winamp\winampa.exe D:\steam\steam.exe C:\Program Files\Skype\Phone\Skype.exe D:\Gadu-Gadu\gg.exe C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe D:\UniSpiker-2.6\uni_spiker-2.6.exe C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe D:\Xfire\Xfire.exe C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe C:\WINDOWS\System32\wuauclt.exe C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe D:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll O4 - HKLM…\Run: [nForce Tray Options] sstray.exe /r O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM…\Run: [bearShare] “D:\Program Files\BearShare\BearShare.exe” /pause O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\Run: [installed] 103 O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [WinampAgent] D:\Winamp\winampa.exe O4 - HKCU…\Run: [steam] “d:\steam\steam.exe” -silent O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [Gadu-Gadu] “D:\Gadu-Gadu\gg.exe” /tray O4 - Startup: UniSpiker-2.6.lnk = ? O4 - Startup: Xfire.lnk = D:\Xfire\Xfire.exe O4 - Global Startup: BlueSoleil.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ? O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ? O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar1.google.com/data/pl/big/ … gleNav.cab O17 - HKLM\System\CCS\Services\Tcpip…{2C5973FD-2112-4611-AE28-A24972198E0E}: NameServer = 192.168.0.1 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing) O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET \Framework\v1.1.4322\aspnet_state.exe (file missing) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
SmitFraudFix v2.123 Scan done at 17:20:01,53, 2006-11-20 Run from D:\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\secure32.html Deleted C:\WINDOWS\country.exe Deleted C:\WINDOWS\ms1.exe Deleted C:\WINDOWS\newname.dat Deleted C:\WINDOWS\tool2.exe Deleted C:\WINDOWS\tool3.exe Deleted C:\WINDOWS\tool4.exe Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» End
Bieniol
(Bbieniol)
20 Listopad 2006 19:34
#6
Uruchamiasz narzędzie KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
C:\WINDOWS\System32\rpcc.dll
Klikasz X i restart kompa
Usuwasz Hijackiem ten wpis:
Po zabiegach nowe logi - z silentem czekaj cierpliwie - kiedyś skończy