Virus


(Sienkog) #1

Hi, I have a problem with a virus that opens ads on its own..

Log:

Logfile of HijackThis v1.99.1

Scan saved at 12:33:21, on 2006-01-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Network Monitor\netmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\svchost.exe

c:\WINDOWS\system32\wins\temp\rich\SvcfmgrList.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\rundll32.exe

D:\AD-AWA~1\Ad-Watch.exe

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

D:\Gadu-Gadu\gg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\Documents and Settings\Wojtek\Pulpit\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.159.255.70:3127

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\FlashGet\fgiebar.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O5 "LPT1:" /M "Stylus CX3600"

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?166019fcf0bc48ce99d1db152c54ff3

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?166019fcf0bc48ce99d1db152c54ff3

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\flashget.exe

O15 - Trusted Zone: httpwww.streetofrace.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135424074187

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\en64l1jq1.dll

O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file)

O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\V29qdGVrIFNpZfFrbw\command.exe (file missing)

O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe (file missing)

O23 - Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

O23 - Service: svcwmplayer Debug (svclst) - Unknown owner - c:\WINDOWS\system32\wins\temp\rich\SvcfmgrList.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
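As an added example (not part of the original thread and not HijackThis's own code), a small Python triage script that reads HijackThis lines like those above and flags the entries a helper would look at first: IE start/default/local pages pointing at a local file, a ProxyServer set under Internet Settings, O15 Trusted Zone additions, O20 Winlogon Notify DLLs outside a short allowlist of Windows XP's own notify packages, O21 SSODL entries with no file, and O23 services with an unknown owner or running from a temp directory. The sample lines are copied from the log above; the allowlist, the empty proxy allowlist and the category names are my own assumptions.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.159.255.70:3127
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: httpwww.streetofrace.com
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\en64l1jq1.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\V29qdGVrIFNpZfFrbw\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: svcwmplayer Debug (svclst) - Unknown owner - c:\WINDOWS\system32\wins\temp\rich\SvcfmgrList.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")

# Assumption: the Winlogon notify packages Windows XP registers by itself. Anything else
# hooked into Winlogon deserves a look (the log above shows a random-named DLL there).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}

# Assumption: the user configured no proxy, so any ProxyServer outside this set is a hijack.
KNOWN_PROXIES = set()


def triage_line(line):
    """Return (category, line) if the HijackThis entry looks hostile, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        value = value.strip()
        if key.endswith("ProxyServer") and value not in KNOWN_PROXIES:
            return ("proxy-hijack", line)          # browser traffic routed through a foreign host
        if re.match(r"^[a-z]:\\", value, re.I):
            return ("local-page-hijack", line)     # start/default/local page replaced by a local HTML file
        return None

    if kind == "O15":
        return ("trusted-zone", line)              # site added to the Trusted zone, loosened IE security

    if kind == "O20":
        path = body.rsplit(" - ", 1)[-1]
        dll = path.rsplit("\\", 1)[-1].lower()
        return None if dll in KNOWN_NOTIFY_DLLS else ("winlogon-notify", line)

    if kind == "O21" and "(no file)" in body:
        return ("dangling-ssodl", line)            # shell-load entry whose DLL is already gone

    if kind == "O23":
        if "Unknown owner" in body or re.search(r"\\temp\\", body, re.I):
            return ("suspicious-service", line)    # service with no vendor, or running from a temp dir
        return None

    return None


def triage(log_text):
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [hit for hit in map(triage_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for category, entry in triage(SAMPLE_LOG):
        print(f"{category:20} {entry}")
```

Run against the sample it reports seven entries, which are exactly the ones the reply below tells the poster to fix or investigate; the legitimate Symantec, NVIDIA and onet.pl lines pass through untouched. The allowlists are the part to tune per machine: a corporate proxy or a third-party notify package (credential providers, for instance) belongs in them, otherwise every such line shows up as a hit.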

(Gutek) #2

Start >>> Run >>> services.msc >>> stop and disable Command Service

1. Disable System Restore in XP HERE

2. Boot into Safe Mode without internet (described in the link above).

3. Tick the indicated entries in HijackThis and click Fix checked. The entries will be removed.

4. Delete from disk the file and folder I underlined in red

5. Finish with online scanners - Scanners to choose from

6. Post a new log :stuck_out_tongue:

see Removing VX2.BetterInternet and post log no. 1 from the L2Mfix tool

It looks like either a bandwidth monitor or this MS product:

http://support.microsoft.com/default.as ... -us;812953

http://www.randyrants.com/2002/04/network_monitor.html

Was any software called Network Monitor ever installed?


(Sienkog) #3

nope, I didn't install anything like that


(Gutek) #4

Then delete the Network Monitor folder too, but first Start >>> Run >>> services.msc >>> stop and disable Network Monitor


(Sienkog) #5

LOG:

L2MFIX find log 010406

(Gutek) #6

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All files >>> save it under the name FIX.REG

Boot from the XP CD into the Recovery Console and run the commands:

CD C:\WINDOWS\system32

ATTRIB -R-S-H guard.tmp

ATTRIB -R-S-H en28l1fu1.dll

ATTRIB -R-S-H o2660cjsefo60.dll

ATTRIB -R-S-H i260lcjm1foa.dll

ATTRIB -R-S-H i4420ehoeh4c0.dll

ATTRIB -R-S-H mstext35.dll

ATTRIB -R-S-H msjet35.dll

ATTRIB -R-S-H msltus35.dll

ATTRIB -R-S-H msexcl35.dll

ATTRIB -R-S-H msrepl35.dll

ATTRIB -R-S-H msjint35.dll

ATTRIB -R-S-H msjter35.dll

ATTRIB -R-S-H mspdox35.dll

ATTRIB -R-S-H Msxbse35.dll

ATTRIB -R-S-H Vbar332.dll

ATTRIB -R-S-H Msrd2x35.dll

DEL guard.tmp

DEL en28l1fu1.dll

DEL o2660cjsefo60.dll

DEL i260lcjm1foa.dll

DEL i4420ehoeh4c0.dll

DEL mstext35.dll

DEL msjet35.dll

DEL msltus35.dll

DEL msexcl35.dll

DEL msrepl35.dll

DEL msjint35.dll

DEL msjter35.dll

DEL mspdox35.dll

DEL Msxbse35.dll

DEL Vbar332.dll

DEL Msrd2x35.dll

EXIT

Then boot into Windows Safe Mode and run the FIX.REG file. Give me a new L2MFix log made with option 1.

And I have a dilemma, I don't know this DLL - shehalx.dll - check the properties of C:\WINDOWS\system32\shehalx.dll to see what it belongs to.


(Sienkog) #7

hey, but I have 1 question, can this be removed with some antivirus, because I don't have the Windows CD (200 km away, at my other home)

:confused:

and that's where the problem starts

Post merged: 21.01.2006 (Sat) 14:25

eh, it says unknown :expressionless:

I don't know what it's from..


(Gutek) #8

There's no other way, but let's try, do this:

Run option 2. Run Fix from the L2Mfix tool = the automatic VX2 removal option; choosing it starts the cleaning procedure and the computer asks for a reboot. During the reboot the file second.bat starts, which kills rundll32.exe + explorer.exe (your Desktop will disappear) and finishes the cleaning procedure.

This can take UP TO FIVE MINUTES! At the end you get a log of what was found and what was removed.

After that post a new log no. 1 from L2Mfix, I'm waiting - but I doubt it


(Sienkog) #9

L2mfix 010406

Creating Account.

Polecenie zostało wykonane pomyślnie.


Adding Administrative privleges. 

Checking for L2MFix account(0=no 1=yes): 

1

 Granting SeDebugPrivilege to L2MFIX ... successful


Running From:

C:\WINDOWS\system32


Killing Processes! 


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 652 'smss.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 724 'winlogon.exe'

Killing PID 724 'winlogon.exe'

Killing PID 724 'winlogon.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 176 'explorer.exe'

Killing PID 176 'explorer.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 404 'rundll32.exe'

Killing PID 1124 'rundll32.exe'

Killing PID 3940 'rundll32.exe'

Restoring Sedebugprivilege:

 Granting SeDebugPrivilege to Administratorzy ... successful


Scanning First Pass. Please Wait!


First Pass Completed 


Second Pass Scanning 


Second pass Completed!

Liczba skopiowanych plików: 1.

Liczba skopiowanych plików: 1.

Liczba skopiowanych plików: 1.

Liczba skopiowanych plików: 1.

Liczba skopiowanych plików: 1.

Liczba skopiowanych plików: 1.

Liczba skopiowanych plików: 1.

Liczba skopiowanych plików: 1.

Deleting: C:\WINDOWS\system32\arcups.dll 

Successfully Deleted: C:\WINDOWS\system32\arcups.dll 

Deleting: C:\WINDOWS\system32\gp2ql3f51.dll 

Successfully Deleted: C:\WINDOWS\system32\gp2ql3f51.dll 

Deleting: C:\WINDOWS\system32\i260lcjm1foa.dll 

Successfully Deleted: C:\WINDOWS\system32\i260lcjm1foa.dll 

Deleting: C:\WINDOWS\system32\i4420ehoeh4c0.dll 

Successfully Deleted: C:\WINDOWS\system32\i4420ehoeh4c0.dll 

Deleting: C:\WINDOWS\system32\j42q0ef5eh2.dll 

Successfully Deleted: C:\WINDOWS\system32\j42q0ef5eh2.dll 

Deleting: C:\WINDOWS\system32\j8j60i1se8.dll 

Successfully Deleted: C:\WINDOWS\system32\j8j60i1se8.dll 

Deleting: C:\WINDOWS\system32\k0no0a53ed.dll 

Successfully Deleted: C:\WINDOWS\system32\k0no0a53ed.dll 

Deleting: C:\WINDOWS\system32\guard.tmp 

Successfully Deleted: C:\WINDOWS\system32\guard.tmp 


msg11?.dll 

Liczba skopiowanych plików: 0.

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

 6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

 6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll]

"Asynchronous"=dword:00000001

"Impersonate"=dword:00000000


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

 6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

 6c,00,6c,00,00,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\j8j60i1se8.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

 6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

The following are the files found: 

****************************************************************************

C:\WINDOWS\system32\arcups.dll 

C:\WINDOWS\system32\gp2ql3f51.dll 

C:\WINDOWS\system32\i260lcjm1foa.dll 

C:\WINDOWS\system32\i4420ehoeh4c0.dll 

C:\WINDOWS\system32\j42q0ef5eh2.dll 

C:\WINDOWS\system32\j8j60i1se8.dll 

C:\WINDOWS\system32\k0no0a53ed.dll 

C:\WINDOWS\system32\guard.tmp 


Registry Entries that were Deleted: 

Please verify that the listing looks ok. 

If there was something deleted wrongly there are backups in the backreg folder. 

****************************************************************************

Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{5356CF19-7892-4C12-905B-09FB1159B276}]

@=""


[HKEY_CLASSES_ROOT\CLSID\{5356CF19-7892-4C12-905B-09FB1159B276}\Implemented Categories]

@=""


[HKEY_CLASSES_ROOT\CLSID\{5356CF19-7892-4C12-905B-09FB1159B276}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""


[HKEY_CLASSES_ROOT\CLSID\{5356CF19-7892-4C12-905B-09FB1159B276}\InprocServer32]

@="C:\\WINDOWS\\system32\\arcups.dll"

"ThreadingModel"="Apartment"


REGEDIT4


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{5356CF19-7892-4C12-905B-09FB1159B276}"=-

[-HKEY_CLASSES_ROOT\CLSID\{5356CF19-7892-4C12-905B-09FB1159B276}]

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

****************************************************************************

Desktop.ini Contents: 

****************************************************************************


****************************************************************************

Checking for L2MFix account(0=no 1=yes): 

0

Zipping up files for submission:

 adding: dlls/arcups.dll (164 bytes security) (deflated 5%)

 adding: dlls/gp2ql3f51.dll (164 bytes security) (deflated 5%)

 adding: dlls/guard.tmp (164 bytes security) (deflated 5%)

 adding: dlls/i260lcjm1foa.dll (164 bytes security) (deflated 5%)

 adding: dlls/i4420ehoeh4c0.dll (164 bytes security) (deflated 5%)

 adding: dlls/j42q0ef5eh2.dll (164 bytes security) (deflated 5%)

 adding: dlls/j8j60i1se8.dll (164 bytes security) (deflated 5%)

 adding: dlls/k0no0a53ed.dll (164 bytes security) (deflated 5%)

 adding: backregs/5356CF19-7892-4C12-905B-09FB1159B276.reg (212 bytes security) (deflated 70%)

 adding: backregs/notibac.reg (164 bytes security) (deflated 87%)

 adding: backregs/shell.reg (164 bytes security) (deflated 73%)

I think it worked, we'll see ;]

Regards
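An added example, not from the thread and not part of L2MFix: a Python parser for the Winlogon\Notify export that L2MFix prints in the log above. It joins the backslash-continued hex(2) lines, decodes those REG_EXPAND_SZ values from UTF-16LE, unescapes quoted REG_SZ strings, and then lists notify packages whose DllName is missing, is an absolute path, or is not one of the DLLs Windows XP registers there itself (that allowlist is an assumption of mine). The sample export is a trimmed copy of the one in the log, so it includes the ShellScrap package that pointed at j8j60i1se8.dll.

```python
# Constructed sample: a trimmed copy of the Winlogon\Notify export in the L2MFix log above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j8j60i1se8.dll"
"Logon"="WinLogon"
"""

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: the notify DLLs Windows XP registers on its own; anything else is worth checking.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}


def join_continuations(text):
    """Glue together .reg lines that end in a backslash (long hex values wrap that way)."""
    out, pending = [], ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
            continue
        out.append(pending + stripped)
        pending = ""
    return out


def decode_value(text):
    """Turn the textual .reg value into a Python value (str or int)."""
    if text.startswith("hex(2):"):                        # REG_EXPAND_SZ stored as UTF-16LE bytes
        data = bytes(int(b, 16) for b in text[len("hex(2):"):].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    if text.startswith("dword:"):                         # REG_DWORD written in hex
        return int(text[len("dword:"):], 16)
    if text.startswith('"') and text.endswith('"'):       # REG_SZ with \" and \\ escaped
        return text[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return text


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_value(value)
    return keys


def audit_notify(keys):
    """List notify packages whose DllName is missing, an absolute path, or not a known Windows DLL."""
    findings = []
    for path, values in keys.items():
        if not path.startswith(NOTIFY_ROOT + "\\"):
            continue
        package = path[len(NOTIFY_ROOT) + 1:]
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            findings.append((package, None, "no DllName value"))
        elif "\\" in dll:
            findings.append((package, dll, "absolute path instead of a system32 name"))
        elif dll.lower() not in KNOWN_NOTIFY_DLLS:
            findings.append((package, dll, "not a known Windows notify DLL"))
    return findings


if __name__ == "__main__":
    for package, dll, reason in audit_notify(parse_reg(SAMPLE_REG)):
        print(f"{package:14} {dll!s:40} {reason}")
```

On the sample it reports two packages: msctl32.dll, which has Asynchronous/Impersonate values but no DllName at all, and ShellScrap, whose DllName is a full path to a random-named file in system32. Legitimate packages name a bare DLL that Winlogon resolves from system32, so an absolute path or an unknown name in this key is a good first thing to check in any such export, not only after a VX2 infection.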


(Gutek) #10

Post log no. 1 from the L2Mfix tool and the Silent log - Silent guide: http://www.searchengines.pl/phpbb203/in ... opic=15989