Rapcio
(Rapciorek)
24 June 2006 09:03
#1
Today trojans and other viruses started showing up on my computer, so please check my log.
Logfile of HijackThis v1.99.1
Scan saved at 11:02:10, on 2006-07-25
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\win32host.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\mssvcc.exe
C:\WINDOWS\System32\rwqn.exe
C:\WINDOWS\System32\winsystems.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\DOCUME~1\Jaco\USTAWI~1\Temp\Rar$EX00.125\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\Run: [secures23] mssecure.exe
O4 - HKLM\..\Run: [Windows ASN4 Services] rwqn.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winsystems25] winsystems.exe
O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe
O4 - HKLM\..\RunServices: [secures23] mssecure.exe
O4 - HKLM\..\RunServices: [Windows ASN4 Services] rwqn.exe
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_03) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe
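The replies in this thread pick out the O4 and O23 entries by a few habits of the eye: a Run value that is just a file name, the same name repeated under RunServices, a service whose binary sits straight in C:\WINDOWS or is missing from disk. The script below is an added example, not from the thread and not part of HijackThis; it applies those same checks to O4/O23 lines mechanically. The sample lines are copied from the log above, the heuristics and their wording are mine. What it produces is a list of entries to look up, not a removal list: a bare name or an odd directory is a reason to check, not proof of infection.

```python
import re

# Constructed sample: O4 (autostart registry entries) and O23 (services)
# lines copied from the HijackThis log posted at the top of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\Run: [Windows ASN4 Services] rwqn.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe
"""

# O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <display name> - <owner> - <path> [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Directories where a service binary should not normally live on its own;
# services belong in System32 or under Program Files.
WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt")


def executable_of(cmd):
    """Return the program part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_o4(hive, key, name, cmd):
    """Reasons an O4 autostart entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    exe = executable_of(cmd)
    # A bare name such as "rwqn.exe" is looked up on the search path, i.e. it lives
    # in %SystemRoot% or System32, a place installers rarely drop their own programs.
    if "\\" not in exe:
        reasons.append("bare file name with no directory; resolved from the search path")
    # RunServices is a Windows 9x/ME-era key; on XP almost nothing legitimate uses it,
    # and the same value under both Run and RunServices is a common persistence pattern.
    if key.lower() == "runservices":
        reasons.append("uses the legacy RunServices key")
    return reasons


def triage_o23(display, owner, path):
    """Reasons an O23 service entry deserves a closer look."""
    reasons = []
    if path.endswith("(file missing)"):
        reasons.append("service binary missing on disk")
    clean = path.replace("(file missing)", "").strip().strip('"')
    folder = clean.rsplit("\\", 1)[0].lower() if "\\" in clean else ""
    # A binary directly in C:\WINDOWS, as with win32host.exe in this log,
    # matches neither the System32 nor the Program Files convention.
    if folder in WINDOWS_ROOTS:
        reasons.append("service binary placed directly in the Windows directory")
    return reasons


def triage(log_text):
    """Parse HijackThis O4/O23 lines; return {line: [reasons]} for lines worth checking."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = triage_o4(**m.groupdict())
        else:
            m = O23_RE.match(line)
            reasons = triage_o23(**m.groupdict()) if m else []
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print("   -", r)
```

Run against the sample it reports six entries: the four bare-name Run values (winsystems25 twice over, for the RunServices key as well), the StyleXP service whose file is missing, and the Win32Kernel service living in C:\WINDOWS. ATIPTA, the dumprep entry, Gadu-Gadu and avast pass because each points at a full path in an expected location.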
Bieniol
(Bbieniol)
24 June 2006 09:11
#2
Use Windows Worms Doors Cleaner and change the icons from disable to enable (if any icons are yellow, leave them as they are). After using this tool a system restart is required.
Start --> Run --> services.msc --> stop and disable the Win32 Kernel Update service
Open HijackThis --> Open Misc Tools Section --> Delete a NT service --> enter Win32Kernel and OK
In safe mode with System Restore disabled, delete (the entries with HijackThis, the files/folders marked in red by hand from disk; if you have trouble deleting files, use the KillBox tool):
After the steps, a new HijackThis log + a Silent Runners log
Rapcio
(Rapciorek)
24 June 2006 09:15
#3
I have 3 green icons and 2 red X's, so what should I do?
Bieniol
(Bbieniol)
24 June 2006 09:16
#4
Change the red ones to green and restart the computer
Rapcio
(Rapciorek)
24 June 2006 09:41
#6
"Start --> Run --> services.msc --> stop and disable the Win32 Kernel Update service" Can you write out step by step what I should do? The Stop button is greyed out, so I don't know what to do
Bieniol
(Bbieniol)
24 June 2006 09:47
#7
You can do it via: Start --> Run --> cmd and type:
sc stop Win32Kernel
sc delete Win32Kernel
Rapcio
(Rapciorek)
24 June 2006 09:49
#8
Please help quickly, because my computer keeps trying to shut itself down and lots of pages with ads pop up
Gutek
(Gutek)
24 June 2006 09:50
#9
Rapcio
(Rapciorek)
24 June 2006 09:58
#10
"Open HijackThis --> Open Misc Tools Section --> Delete a NT service --> enter Win32Kernel and OK" I get "Unable to delete service Win32Kernel. Make sure the name is correct and the service is not running"
I'll post the Silent Runners log in a moment.
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com "]
"Ooaa" = ""C:\PROGRA~1\COMMON~1\STEM~1\dexplore.exe" -vt yazr" [null data]
"fori" = "C:\PROGRA~1\COMMON~1\fori\forim.exe" [empty string]
"sys_up1" = "C:\Program Files\Common Files\svchostsys\svchostsys.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]
"autoclk" = "autoclk.exe" [file not found]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]
"adiras" = "adiras.exe" [file not found]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"msconfig38" = "mssvcc.exe" [null data]
"secures23" = "mssecure.exe" [file not found]
"Windows ASN4 Services" = "rwqn.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"winsystems25" = "winsystems.exe" [null data]
"Win32 Kernel Update" = "C:\WINDOWS\System32\win32update.exe" [null data]
"defender" = "c:\dfndra_1.exe" ["."]
"keyboard" = "c:\kybrd_1.exe" ["."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)
                                      \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"
  -> {HKLM...CLSID} = "SnagIt"
                   \InProcServer32(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
  -> {HKLM...CLSID} = "SnagItShellExt Class"
                   \InProcServer32(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
"{AA0E2EB3-ADC2-4559-AE7F-D702CE8F5843}" = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\WINDOWS\system32\mfxmlr.dll" [null data]
"{6660A24A-7278-4A05-B39B-850984213F0E}" = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\WINDOWS\system32\agmeter.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! Controls Folder\DLLName = "C:\WINDOWS\system32\mfxmlr.dll" [null data]
INFECTION WARNING! MS-DOS Emulation\DLLName = "C:\WINDOWS\system32\agmeter.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
SnagItMainShellExt(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
  -> {HKLM...CLSID} = "SnagItShellExt Class"
                   \InProcServer32(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
SnagItMainShellExt(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
  -> {HKLM...CLSID} = "SnagItShellExt Class"
                   \InProcServer32(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jaco\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Jaco" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]
"{C49DD894-C6DE-4910-8C41-BA20F852D8BC}"
  -> {HKLM...CLSID} = "Affiliate Beta"
                   \InProcServer32(Default) = "C:\Program Files\Affiliate Beta\untitled.dll" ["IE Toolbar"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided)
  -> {HKLM...CLSID} = "SnagIt"
                   \InProcServer32(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{C49DD894-C6DE-4910-8C41-BA20F852D8BC}" = (no title provided)
  -> {HKLM...CLSID} = "Affiliate Beta"
                   \InProcServer32(Default) = "C:\Program Files\Affiliate Beta\untitled.dll" ["IE Toolbar"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{C49DD894-C6DE-4910-8C41-BA20F852D8BC}\
"ButtonText" = "Affiliate Beta"
"MenuText" = "Affiliate Beta"
"CLSIDExtension" = "{C49DD894-C6DE-4910-8C41-BA20F852D8BC}"
  -> {HKLM...CLSID} = "Affiliate Beta"
                   \InProcServer32(Default) = "C:\Program Files\Affiliate Beta\untitled.dll" ["IE Toolbar"]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM...CLSID} = "Search Class"
                   \InProcServer32(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]
"{C49DD894-C6DE-4910-8C41-BA20F852D8BC}" = (no title provided)
  -> {HKLM...CLSID} = "Affiliate Beta"
                   \InProcServer32(Default) = "C:\Program Files\Affiliate Beta\untitled.dll" ["IE Toolbar"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
Command Service, cmdService, "C:\WINDOWS\V2F3cnlzemN6dWs\command.exe" [null data]
Network Monitor, Network Monitor, "C:\Program Files\Network Monitor\netmon.exe service" [null data]
Sunbelt Kerio Personal Firewall 4, KPF4, "C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe" ["Sunbelt Software"]
Win32 Kernel Update, Win32Kernel, ""C:\WINDOWS\win32host.exe"" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 229 seconds, including 13 seconds for message boxes)
Bieniol
(Bbieniol)
24 June 2006 10:04
#11
The log is cut off
Wait for the message that the log is finished, only then paste it on the forum
Before that, carry out my instructions above
Rapcio
(Rapciorek)
24 June 2006 10:09
#12
I can't do it, because I get "Unable to delete service Win32Kernel. Make sure the name is correct and the service is not running"
I edited my post and put in a new, complete log.
Please give further instructions.
Merged post: 24.06.2006 (Sat) 12:41
Please help, more and more icons I don't recognise keep appearing and I don't know what to do.
Misq
(Miśq)
24 June 2006 16:41
#13
If you can, download EWIDO
Bieniol
(Bbieniol)
24 June 2006 16:51
#14
Use Windows Worms Doors Cleaner and change the icons from disable to enable (if any icons are yellow, leave them as they are). After using this tool a system restart is required.
Open Notepad and paste this into it:
File --> Save as --> change the file type to All Files --> save it under the name FIX.REG
Boot into safe mode --> Start --> Run --> cmd and type:
sc stop Win32Kernel
sc delete Win32Kernel
Delete these folders from disk by hand:
C:\PROGRA~1\COMMON~1\fori
C:\Program Files\Common Files\svchostsys
Run the KillBox tool, tick Delete on reboot and All Files, and in the Full path of file field paste the path:
C:\WINDOWS\system32\mfxmlr.dll
C:\WINDOWS\system32\agmeter.dll
C:\PROGRA~1\COMMON~1\STEM~1\dexplore.exe
C:\WINDOWS\System32\mssvcc.exe
C:\WINDOWS\System32\rwqn.exe
C:\WINDOWS\System32\winsystems.exe
C:\WINDOWS\System32\win32update.exe
c:\dfndra_1.exe
c:\kybrd_1.exe
Click the X and restart the computer
In safe mode run the FIX.REG file, confirm adding it to the registry, and restart the computer
After the steps, new logs