chen1
(Chen1)
6 September 2007 11:58
#1
Hello,
I was surfing the net when the computer suddenly hung for a moment; when I tried to open Task Manager, a message popped up saying that this option had been disabled by the administrator (which I had been just a moment earlier). On top of that, some stupid window keeps popping up with the text "Windows Security Alert - Your computer is making unauthorized copies of your system and Internet files. Run full scan now to prevent any unathorised access to your files! Click YES to download spyware remover …", urging me to download antivirus software, how cynical. I went through the disk with an online scanner, which found nothing; Spybot detected and removed something called Mircrosoft.expolrer.xxx (3 different entries of that kind), but the same thing keeps happening. Moreover, something keeps trying to get at the registry; the Spybot resident blocks it, but it is somewhat annoying.
Below I am posting the logs, but the one from SR is incomplete because of some overflow error. I would be very grateful for help:
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 13:41:02, on 2007-09-06
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\WinAvXX.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All\Pulpit\Użytki\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://slimak.onet.pl/_m/wirusy/ArcaOnline.cab
O16 - DPF: {4BDAF1F5-6D21-42F9-AAB9-CE0050407803} (GameDesire Uninstaller) - http://67.15.101.3/g_bin/ginuser_pl_2_0_0_4.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi … ebscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l … cfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\systems.txt
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
SilentRunners:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"WinAVX" = "C:\WINDOWS\System32\WinAvXX.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"WinAVX" = "C:\WINDOWS\System32\WinAvXX.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\WINDOWS\System32\systems.txt" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoControlPanel" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoWindowsUpdate" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove links and access to Windows Update}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoControlPanel" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

"DisableRegistryTools" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoUpdateCheck" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"DisableTaskMgr" = (REG_DWORD) hex:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
ComboFix:
"All" - 2007-09-06 13:43:05 - ComboFix 07-06-25.3 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\eeeeedfdfa3_g.dll


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))

2007-09-06 12:05    7,680     --a------    C:\WINDOWS\system32\winavxx.exe
2007-09-06 12:05    7,680     --a------    C:\WINDOWS\system32\printer.exe
2007-09-06 12:05    39,424    --a------    C:\WINDOWS\system32\vtr.dll
2007-09-04 14:53    545       --a------    C:\WINDOWS\UC.PIF
2007-09-04 14:53    545       --a------    C:\WINDOWS\RAR.PIF
2007-09-04 14:53    545       --a------    C:\WINDOWS\PKZIP.PIF
2007-09-04 14:53    545       --a------    C:\WINDOWS\PKUNZIP.PIF
2007-09-04 14:53    545       --a------    C:\WINDOWS\NOCLOSE.PIF
2007-09-04 14:53    545       --a------    C:\WINDOWS\LHA.PIF
2007-09-04 14:53    545       --a------    C:\WINDOWS\ARJ.PIF
2007-09-04 14:53
2007-09-04 14:42
2007-09-03 10:39
2007-09-03 10:35
2007-08-31 12:54    2,560     ---------    C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-08-31 12:54    2,432     ---------    C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-08-31 12:53
2007-08-30 19:03
2007-08-28 19:09
2007-08-28 19:09
2007-08-25 08:05
2007-08-25 08:04
2007-08-20 20:17
2007-08-20 20:17
2007-08-13 22:16
2007-08-13 22:16
2007-08-13 22:15
2007-08-13 21:57


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 10:04:03    --------    d-----w    C:\DOCUME~1\All\DANEAP~1\Skype
2007-08-20 18:18:10    --------    d-----w    C:\Program Files\QuickTime
2007-08-20 10:12:15    --------    d--h--w    C:\Program Files\InstallShield Installation Information
2007-08-13 20:01:43    --------    d-----w    C:\Program Files\SkanerOnline
2007-08-13 16:22:11    64,412     ----a-w    C:\WINDOWS\system32\perfc015.dat
2007-08-13 16:22:11    397,726    ----a-w    C:\WINDOWS\system32\perfh015.dat
2007-08-10 15:43:33    9,344      ----a-w    C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-10 15:43:33    8,320      ----a-w    C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-02 22:14:13    --------    d-----w    C:\Program Files\IObit
2007-08-01 18:02:58    --------    d-----w    C:\Program Files\RegSupreme
2007-08-01 17:54:49    --------    d-----w    C:\Program Files\AusLogics Registry Defrag
2007-08-01 16:47:28    --------    d-----w    C:\Program Files\Lavasoft
2007-08-01 16:46:41    --------    d-----w    C:\Program Files\Common Files\Wise Installation Wizard
2007-08-01 12:50:00    --------    d-----w    C:\Program Files\jv16 PowerTools
2007-07-31 13:21:34    --------    d-----w    C:\DOCUME~1\All\DANEAP~1\Gadu-Gadu
2007-07-31 13:14:47    --------    d-----w    C:\Program Files\Gadu-Gadu
2007-07-31 12:31:18    --------    d-----w    C:\Program Files\Creative
2007-07-30 22:29:54    206        ----a-w    C:\WINDOWS\system32\eafdfefbb5_r.dll
2007-07-30 19:50:12    --------    d-----w    C:\Program Files\ArcaMicroScan
2007-07-30 13:06:31    --------    d-----w    C:\Program Files\Ganymede
2007-07-30 13:05:48    --------    d-----w    C:\Program Files\Common Files\Skype
2007-07-26 10:37:45    --------    d-----w    C:\DOCUME~1\All\DANEAP~1\GanymedeNet
2007-07-20 10:01:52    767,280    ----a-w    C:\WINDOWS\system32\ArcaMicroScanUpdater.exe
2007-07-20 08:34:38    847,872    ----a-w    C:\WINDOWS\system32\ArcaOnline.dll
2007-06-26 14:59:44    25,992     ----a-w    C:\WINDOWS\system32\pgdfgsvc.exe
2007-06-21 18:15:30    0          ----a-w    C:\WINDOWS\PowerReg.dat
2007-06-19 10:08:46    524,288    ----a-w    C:\WINDOWS\opuc.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll [2007-07-12 04:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-05 17:07]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-05 17:07]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-02-24 21:10]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"WinAVX"="C:\WINDOWS\System32\WinAvXX.exe" [2007-09-06 12:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"WinAVX"="C:\WINDOWS\System32\WinAvXX.exe" [2007-09-06 12:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\systems.txt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 13:46:48
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 13:49:24
C:\ComboFix-quarantined-files.txt ... 2007-09-06 13:49
--- E O F ---
and a second one from ComboFix:
2007-08-01 20:02 5 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\eeeeedfdfa3_g.dll.vir
Zmienna PATH folderu
Numer seryjny woluminu: 71F5E346 B0CF:6C37
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |       \---system32
    |               eeeeedfdfa3_g.dll.vir
    |
    \---Registry_backups
Thank you very much in advance for your help,
regards
jessica
(jessica)
6 September 2007 13:03
#2
If you don't have some removal tool, download OTMoveIt
Paste the paths below into the Paste List of Files/Folders to be Moved box:
Then press the MoveIt! button.
A message will appear saying that a restart is needed to delete the listed files/folders - press Yes.
After the restart, delete the folder C:\_OTMoveIt manually (right-click >>> Delete >>> Empty Recycle Bin).
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\System32\systems.txt
Then fix the above entries in HijackThis:
>>Hijack>>scan (Do a system scan only)>>check them >> Fix checked.
Next:
Paste into Notepad:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"**del.DisableTaskMgr"=" "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000
From the Notepad menu >>> File >>> Save As >>> set the file type to All Files >>> save as FIX.REG >>>
run the file (double-click and OK).
Restart the computer.
Then post new logs (longer ones: paste them at http://wklej.org/ and put only the link in your post.)
jessi
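A small triage script for the classes of entries the reply above tells the poster to fix, added here as an example (it is not a tool used in this thread, and its rules are my assumptions, not an exhaustive detector): it reads HijackThis log lines and flags Run entries that start files dropped straight into the Windows tree, Startup-folder items, policies that disable Task Manager or regedit, and any non-empty AppInit_DLLs value, using a re-typed subset of the log from this thread as sample input.

```python
"""Triage helper for HijackThis 1.99-style logs (added example, not a thread tool).

The rules encode the entry classes the reply above told the poster to fix:
System32 Run entries, Startup-folder items, DisableRegedit/DisableTaskMgr
policies and a populated AppInit_DLLs. They are assumptions, not a full detector.
"""
import re

# Entries re-typed from the HijackThis log in this thread (a constructed
# subset); the first two and the last one are benign and must not be flagged.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe",
    r"O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe",
    r"O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe",
    r"O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe",
    r"O4 - Startup: system.exe",
    r"O4 - Global Startup: autorun.exe",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O20 - AppInit_DLLs: C:\WINDOWS\System32\systems.txt",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
]

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.+)$")
POLICY_RE = re.compile(r"^O7 - (?P<hive>HK\w+)\\.*\\Policies\\System, (?P<key>\w+)=(?P<val>\d+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: ?(?P<val>.*)$")
# Executable part of a Run command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)', re.IGNORECASE)
# A file sitting directly in %SystemRoot% or System32 (no deeper subfolder).
WINDOWS_TREE_RE = re.compile(r"^[A-Z]:\\WINDOWS\\(?:System32\\)?[^\\]+$", re.IGNORECASE)

# Policies that lock the user out of the tools needed to investigate.
LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr", "DisableRegistryTools"}


def exe_path(cmd):
    """Strip quotes and trailing arguments from a Run command, keeping the .exe path."""
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else cmd.strip()


def triage(lines):
    """Return (severity, reason, line) for every entry that deserves a closer look."""
    findings = []
    for line in (raw.strip() for raw in lines):
        if m := APPINIT_RE.match(line):
            if m["val"]:  # the value is empty on a clean XP install
                why = "AppInit_DLLs loads this file into every process that uses user32.dll"
                if not m["val"].lower().endswith(".dll"):
                    why += "; the file does not even carry a .dll extension"
                findings.append(("high", why, line))
        elif m := POLICY_RE.match(line):
            if m["key"] in LOCKOUT_POLICIES and m["val"] != "0":
                findings.append(("high", f"{m['key']} set under {m['hive']}: admin tools disabled", line))
        elif m := RUN_RE.match(line):
            if WINDOWS_TREE_RE.match(exe_path(m["cmd"])):
                findings.append(("medium", f"Run entry '{m['name']}' starts a file dropped in the Windows tree", line))
        elif m := STARTUP_RE.match(line):
            findings.append(("review", f"Startup-folder item '{m['item']}': confirm what created it", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it on a full log by passing `open(path).readlines()` to `triage`; only the entry types above are inspected, everything else passes through silently.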
chen1
(Chen1)
6 September 2007 14:16
#3
I did as you told me, with some exceptions:
after using OTMoveIt, this:
was no longer in HijackThis, while this:
HijackThis refuses to remove; it throws some error:
http://wklej.org/id/b1fa49fa87
The computer seems to be working normally now; I can get into the registry and Task Manager. The logs are below.
HijackThis:
http://www.wklej.org/id/8fdd5b1738
SilentRunners:
http://www.wklej.org/id/88a4ec1ded
ComboFix:
http://wklej.org/id/c440f8da80
Is something still sitting in my system??
Gutek
(Gutek)
6 September 2007 19:20
#4
Use SmitFraudFix, choose option no. 2, and also:
Download the SDFix program
jessica
(jessica)
7 September 2007 08:29
#6
If, as @Gutek2222 recommended, you also used SmitfraudFix, then show its report from C:\SmitfraudFix.txt.
Check whether that file shown in bold is still on the disk, and if it is, try to delete it manually.
Then (only after the file has been deleted!) fix that entry in HijackThis.
jessi
chen1
(Chen1)
7 September 2007 08:41
#7
I forgot about SmitFraudFix earlier; here is its log:
http://www.wklej.org/id/fe9f9d02b2
and here is the log from SDFix:
http://www.wklej.org/id/2b9f35d136
I deleted the file manually; I'll try to fix the entry in HijackThis in a moment.
The file can be deleted manually, but the entry cannot be fixed; what's more, after a restart the file reappears.
Gutek
(Gutek)
7 September 2007 21:37
#8
Post another new log from ComboFix
chen1
(Chen1)
7 September 2007 22:12
#9
chen1
(Chen1)
8 September 2007 21:51
#11
If that's the end of it, then thank you very much for the help