Sheyy
(Soldiers92)
29 Grudzień 2008 12:38
#1
Witam tak jak w temacie mam zblokowane te dwie rzeczy
Hijack
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:37:00, on 2008-12-29 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\WINDOWS\system32\wdfmgr.exe C:\Documents and Settings\Sheyy\Pulpit\HijackThis.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\DOCUME~1\Sheyy\USTAWI~1\Temp\winhdmjr.exe C:\DOCUME~1\Sheyy\USTAWI~1\Temp\winqkrlj.exe C:\DOCUME~1\Sheyy\USTAWI~1\Temp\winfilpf.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot O4 - HKLM…\Run: [iSTray] “C:\Program Files\Spyware Doctor\pctsTray.exe” O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe” O4 - HKLM…\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe – End of file - 2915 bytes
Próbowałem usunąć to, ale wraca
A tu log z SilentRunnera:
“Silent Runners.vbs”, revision 59, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “TrojanScanner” = “C:\Program Files\Trojan Remover\Trjscan.exe /boot” [“Simply Super Software”] “ISTray” = ““C:\Program Files\Spyware Doctor\pctsTray.exe”” [“PC Tools”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “WinampAgent” = ““C:\Program Files\Winamp\winampa.exe”” [null data] “Tau Monitor” = “C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe” [“Agnitum Ltd.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{52B87208-9CCF-42C9-B88E-069281105805}” = “Trojan Remover Shell Extension” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}” = “Tauscan Menu” -> {HKLM…CLSID} = “Tauscan Menu” \InProcServer32(Default) = “C:\Program Files\Agnitum\Tauscan 1.6\Taumenu.dll” [“Agnitum Ltd.”] HKLM\SOFTWARE\Classes*\shellex\ContextMenuHandlers\ Tauscan Menu(Default) = “{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}” -> {HKLM…CLSID} = “Tauscan Menu” \InProcServer32(Default) = “C:\Program Files\Agnitum\Tauscan 1.6\Taumenu.dll” [“Agnitum Ltd.”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ Tauscan Menu(Default) = “{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}” -> {HKLM…CLSID} = “Tauscan Menu” \InProcServer32(Default) = “C:\Program Files\Agnitum\Tauscan 1.6\Taumenu.dll” [“Agnitum Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ Tauscan Menu(Default) = “{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}” -> {HKLM…CLSID} = “Tauscan Menu” \InProcServer32(Default) = “C:\Program Files\Agnitum\Tauscan 1.6\Taumenu.dll” [“Agnitum Ltd.”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) dword:0x00000001 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} “DisableRegistryTools” = (REG_DWORD) dword:0x00000001 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “EnableLUA” = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ WinampMTPHandler\ “Provider” = “Winamp” “ProgID” = “Shell.HWEventHandlerShellExecute” “InitCmdLine” = “C:\Program Files\Winamp\winamp.exe” HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID(Default) = “{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” -> {HKLM…CLSID} = “ShellExecute HW Event Handler” \LocalServer32(Default) = “rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” [MS] WinampPlayMediaOnArrival\ “Provider” = “Winamp” “InvokeProgID” = “Winamp.File” “InvokeVerb” = “Play” HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command(Default) = "“C:\Program Files\Winamp\winamp.exe” “%1"” [“Nullsoft”] HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = “{46986115-84D6-459c-8F95-52DD653E532E}” -> {HKLM…CLSID} = (no title provided) \LocalServer32(Default) = ““C:\Program Files\Winamp\winamp.exe”” [“Nullsoft”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] PC Tools Auxiliary Service, sdAuxService, “C:\Program Files\Spyware Doctor\pctsAuxs.exe” [“PC Tools”] PC Tools Security Service, sdCoreService, “C:\Program Files\Spyware Doctor\pctsSvc.exe” [“PC Tools”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- (launch time: 2008-12-29 13:26:59) + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 17 seconds. ---------- (total run time: 94 seconds)
huber2t
(huber2t)
29 Grudzień 2008 12:42
#2
fix w hijackthis
Podaj log z Combofix
Logi dajesz na http://wklej.eu lub na http://wklej.org a w poście dajesz tylko link
Sheyy
(Soldiers92)
29 Grudzień 2008 12:57
#3
huber2t
(huber2t)
29 Grudzień 2008 12:58
#4
Pobierz ComboFix , ale nie uruchamiaj
Wklej do notatnika:
File::
c:\windows\system32\drivers\elsikn.sys
Driver::
abp470n5
Plik -> zapisz jako -> CFScript.txt .
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu->
Rozpocznie się usuwanie i powstanie log, który dasz na forum.
Logi dajesz na http://wklej.eu lub na http://wklej.org a w poście dajesz tylko link
Sheyy
(Soldiers92)
29 Grudzień 2008 13:26
#5
Zrobiłem tak jak ty kazałeś… ale gdzies mi usuneło loga :F a i jak juz przy tym combofixie jestemy… pod koniec był jakis błąd z mapowaniem użytkownika,czy bitowaniem… nie wiem
Sheyy
(Soldiers92)
29 Grudzień 2008 13:38
#6
Hmm a sprawdziłeś ten wczesnieszy log z combofixa?
huber2t
(huber2t)
29 Grudzień 2008 13:39
#7
Tak, daj log z usuwania z combofix
Sheyy
(Soldiers92)
29 Grudzień 2008 13:45
#8
http://wklej.eu/index.php?id=a8b4cc8c3c
Hm to ejst to? znalazłem gdzies na dysku od combofixa
huber2t
(huber2t)
29 Grudzień 2008 13:52
#9
W logu nic nie widzę
usuń ręcznie folder C:\Qoobox , usuń instalkę Combofix z dysku.
Przeczyść system Ccleanerem
Wykonaj optymalizację autostartu
Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja
Przeskanuj obszar całego komputera http://www.kaspersky.pl/virusscanner.html Daj raport z niego na forum
lub
Dr.WEB CureIt!