Could someone check my log?

Could someone take a look at my log?
Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 20:07:01, on 2005-03-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\??plorer.exe
D:\Program Files\Soulseek\slsk.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\Program Files\Winamp\Winamp.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\explorer.exe
F:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tlen.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - D:\Program Files\SurfSideKick 2\SskBho.dll
F3 - REG:win.ini: run=D:\WINDOWS\inet10055\services.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-aware] "D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [SurfSideKick 2] D:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [xp_system] D:\WINDOWS\inet10055\services.exe
O4 - HKCU\..\Run: [SurfSideKick 2] D:\Program Files\SurfSideKick 2\Ssk.exe
O8 - Extra context menu item: Download All by FlashGet - F:\program files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\program files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\flashget.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O12 - Plugin for .bmp: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32651.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - D:\WINDOWS\System32\porynt.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - D:\WINDOWS\System32\porynt.dll
O20 - Winlogon Notify: ShellCompatibility - D:\WINDOWS\system32\ir84l5lq1.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
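
Triage heuristics for a log in this format, as an added Python example that is not part of the thread and not HijackThis's own code. It parses the R/F/O entries and flags the kinds of lines a helper pulls into a FIX list: a start page set to a bare IP, a win.ini run= autostart, hosts-file redirects, a program named like a system binary running from a directory under WINDOWS, an unknown Winsock LSP, Trusted Zone changes, a text/html MIME filter, and a Winlogon Notify DLL that Windows XP does not ship. The sample log inside the code is a constructed excerpt modelled on the log above; the allowlist of XP Notify DLLs and the "odd location" rule are this example's own assumptions, not something HijackThis reports.

```python
import re

# Constructed sample log (same entry types as the log posted in the thread, trimmed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tlen.pl/
F3 - REG:win.ini: run=D:\WINDOWS\inet10055\services.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [xp_system] D:\WINDOWS\inet10055\services.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - D:\WINDOWS\System32\porynt.dll
O20 - Winlogon Notify: ShellCompatibility - D:\WINDOWS\system32\ir84l5lq1.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
WIN_PATH = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s,]+)')

# Winlogon Notify packages on a stock Windows XP install (assumption used as an allowlist).
KNOWN_NOTIFY_DLLS = {"cscdll.dll", "wlnotify.dll", "crypt32.dll", "cryptnet.dll", "sclgntfy.dll"}
# System binaries whose names are commonly borrowed by files living outside system32.
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}


def paths_in(text):
    """Return every quoted or unquoted drive-letter path found in an entry."""
    return [quoted or bare for quoted, bare in WIN_PATH.findall(text)]


def odd_location(path):
    """True for a system-binary name outside system32, or any file under
    \\WINDOWS\\ that sits in a subdirectory other than system32/system."""
    parts = path.lower().split("\\")
    if parts[-1] in SYSTEM_BINARY_NAMES and "system32" not in parts:
        return True
    if "windows" in parts:
        i = parts.index("windows")
        if i + 2 < len(parts) and parts[i + 1] not in ("system32", "system"):
            return True
    return False


def classify(section, rest):
    """Return a reason string if the entry deserves a look, else None."""
    if section in ("R0", "R1") and IP_URL.search(rest):
        return "browser start/default page points at a bare IP address"
    if section == "F3":
        return "win.ini run= autostart is obsolete on XP and rarely legitimate"
    if section == "O1" and "127.0.0.1" not in rest and "::1" not in rest:
        return "hosts file redirects a domain to a remote address"
    if section == "O4" and any(odd_location(p) for p in paths_in(rest)):
        return "autostart program runs from a non-standard location"
    if section == "O10":
        return "unrecognised Winsock LSP (sits in the path of all socket traffic)"
    if section == "O15":
        return "Trusted Zone / protocol default weakened"
    if section == "O18":
        return "MIME filter hooks text/html or text/plain (can rewrite page content)"
    if section == "O20":
        found = paths_in(rest)
        dll = found[-1].split("\\")[-1].lower() if found else ""
        if dll not in KNOWN_NOTIFY_DLLS:
            return "Winlogon Notify DLL not shipped with Windows (loaded into winlogon at every logon)"
    return None


def triage(log_text):
    """Parse a HijackThis-style log and return the flagged entries in order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        reason = classify(m.group(1), m.group(2))
        if reason:
            findings.append({"section": m.group(1), "reason": reason, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['reason']}\n      {f['line']}")
```

Run as a script it prints nine findings: the NVIDIA Run entry, the tlen.pl start page and the O23 service pass through untouched, while the bare-IP default page, the win.ini run= line, the hosts redirect, the services.exe copy under WINDOWS\inet10055, the LSP, both O15 lines, the text/html filter and the random-named Notify DLL are reported. The rules are deliberately conservative heuristics; an allowlist for O23 services or O16 DPF controls would be the natural next step.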

Replies: 19

Yes, I more or less know what it's about... if anything comes up I'll ask... thanks for the help, regards
naski7
Posted
05.03.2005 19:24:07
Now we're going to play cat and mouse :P

FIX and into Killbox:
O20 - Winlogon Notify: MS-DOS Emulation - D:\WINDOWS\system32\jt6u07j9e.dll
Unplug the network cable, make yourself a FindIt log and delete the files it lists in Killbox and the keys in the registry
Do you already know how to tell them apart in the FindIt log output??
Bobi
Posted
05.03.2005 18:28:51
OK, look now...
Logfile of HijackThis v1.99.1
Scan saved at 17:13:10, on 2005-03-05
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Gadu-Gadu\gg.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tlen.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-aware] "D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O8 - Extra context menu item: Download All by FlashGet - F:\program files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\program files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\flashget.exe
O12 - Plugin for .bmp: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32651.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O20 - Winlogon Notify: MS-DOS Emulation - D:\WINDOWS\system32\jt6u07j9e.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
naski7
Posted
05.03.2005 18:13:58
It's still there
D:\WINDOWS\System32\??plorer.exe
Kill the process, enter the path D:\WINDOWS\System32\??plorer.exe in Killbox once more, tick >> delete on reboot and restart the system


FIX:
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - D:\Program Files\SurfSideKick 2\SskBho.dll
O4 - HKLM\..\Run: [SurfSideKick 2] D:\Program Files\SurfSideKick 2\Ssk.exe
O20 - Winlogon Notify: Group Policy - D:\WINDOWS\system32\fp6203joe.dll

Delete the whole directory D:\Program Files\SurfSideKick 2
Add D:\WINDOWS\system32\fp6203joe.dll to Killbox as well
Bobi
Posted
05.03.2005 17:40:51
The problem is that I deleted them several times before and they kept coming back; now I've deleted the ones tied to ??plorer and they're gone, at least I can't see them... here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 16:27:59, on 2005-03-05
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Gadu-Gadu\gg.exe
D:\WINDOWS\System32\??plorer.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Winamp\Winamp.exe
D:\Program Files\Internet Explorer\iexplore.exe
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tlen.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - D:\Program Files\SurfSideKick 2\SskBho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-aware] "D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [SurfSideKick 2] D:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O8 - Extra context menu item: Download All by FlashGet - F:\program files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\program files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FLASHGET\flashget.exe
O12 - Plugin for .bmp: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32651.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O20 - Winlogon Notify: Group Policy - D:\WINDOWS\system32\fp6203joe.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
naski7
Posted
05.03.2005 17:29:35
Fine, if they're not there then okay, but they do still show up in the FindIt log
Also delete the keys I wrote about earlier and search the registry for ??plorer.exe. Delete whatever entries it finds.
Paste a current HijackThis log
Bobi
Posted
05.03.2005 17:18:28
Well, I'm telling you I deleted them, twice even... and in the Recovery Console what happens is I type the del command with the file and it says no matching files were found
naski7
Posted
05.03.2005 17:04:56
You're not supposed to see those files, you're supposed to delete them "blind"
Boot the Recovery Console from the XP CD and run the commands:
del D:\WINDOWS\System32\o4ns0e57eh.dll
del D:\WINDOWS\System32\fp4003hme.dll
del D:\WINDOWS\System32\??plorer.exe

Answer my questions: did you delete the keys or not?? There's no point posting the log over and over if you're not deleting the files
Bobi
Posted
05.03.2005 14:56:20
I did delete them, and in the Recovery Console I can't see those files either...
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

––––––– System Files in System32 Directory –––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2005-03-05 12:28 222904 o4ns0e57eh.dll
2005-03-04 23:07 225840 fp4003hme.dll
2004-12-08 16:39 389120 ??plorer.exe
2004-11-16 01:26 Microsoft
2004-11-16 00:40 dllcache
3 plik(ów) 837864 bajtów
2 katalog(ów) 158894080 bajtów wolnych

––––––– Hidden Files in System32 Directory –––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2004-12-08 16:39 389120 ??plorer.exe
2004-11-16 00:56 488 logonui.exe.manifest
2004-11-16 00:56 488 WindowsLogon.manifest
2004-11-16 00:56 749 wuaucpl.cpl.manifest
2004-11-16 00:56 749 cdplayer.exe.manifest
2004-11-16 00:56 749 sapi.cpl.manifest
2004-11-16 00:56 749 nwc.cpl.manifest
2004-11-16 00:56 749 ncpa.cpl.manifest
2004-11-16 00:40 dllcache
8 plik(ów) 393841 bajtów
1 katalog(ów) 158894080 bajtów wolnych

–––––––––– Files Named "Guard" –––––––––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2005-03-05 12:49 226214 guard.tmp
1 plik(ów) 226214 bajtów
0 katalog(ów) 158894080 bajtów wolnych

––––––––– Temp Files in System32 Directory ––––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2005-03-05 12:49 226214 guard.tmp
2001-10-26 16:45 2596 CONFIG.TMP
2 plik(ów) 228810 bajtów
0 katalog(ów) 158894080 bajtów wolnych

–––––––––––––––– User Agent ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EEA7F0D8-C027-4562-9A04-31EC4F3CEE10}"=""


–––––––––––– Keys Under Notify ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\fp4003hme.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


–––––––––––––––– Xfind Results –––––––––––––––––

D:\WINDOWS\System32\FP4003~1.DLL +++ File read error

–––––––––––––– Locate.com Results –––––––––––––––


D:\WINDOWS\SYSTEM32\
fp4003~1.dll Fri 2005-03-04 23:07:38 ..S.R 225 840 220,55 K
o4ns0e~1.dll Sat 2005-03-05 12:28:46 ..S.R 222 904 217,68 K

2 items found: 2 files, 0 directories.
Total of file sizes: 448 744 bytes 438,23 K

naski7
Posted
05.03.2005 13:58:35
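
The "Keys Under Notify" section of the FindIt output above is a REGEDIT4 export of HKLM\...\Winlogon\Notify; every subkey there names a DLL that winlogon.exe loads at logon, which is why the helper has the user remove both the key and the file. The following is an added Python example, not from the thread and not FindIt's own code: it parses that export, decodes the hex(2) form of DllName (REG_EXPAND_SZ written as comma-separated bytes, one byte per character in an ANSI REGEDIT4 file, ending in a 00 byte), and reports Notify packages whose DLL is not one of the five that ship with Windows XP. The embedded sample is a constructed excerpt modelled on the export above, and the allowlist is this example's own assumption.

```python
import re

# Constructed excerpt in REGEDIT4 format, modelled on the "Keys Under Notify"
# section posted above: two packages that ship with Windows XP and one whose
# DllName points at a random-looking file in system32.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\fp4003hme.dll"
"Logon"="WinLogon"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Notify packages present on a stock Windows XP install (assumption used as an allowlist).
KNOWN_NOTIFY_DLLS = {"cscdll.dll", "wlnotify.dll", "crypt32.dll", "cryptnet.dll", "sclgntfy.dll"}


def decode_value(raw):
    """Turn a REGEDIT4 value literal into a Python value.

    "..."      REG_SZ with \\ and \" escapes
    hex(2):... REG_EXPAND_SZ, one byte per character in an ANSI export, 00-terminated
    dword:...  32-bit integer written in hex
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        return data.split(b"\x00", 1)[0].decode("latin-1")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key path: {value name (lower-cased): value}} for a REGEDIT4 export."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):          # long hex values wrap with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = decode_value(m.group(2))
    return keys


def suspicious_notify_packages(text):
    """List (package name, DllName) for Notify subkeys whose DLL is not on the allowlist."""
    findings = []
    for key, values in parse_reg(text).items():
        if "\\winlogon\\notify\\" not in key.lower():
            continue                     # skip the Notify root and unrelated keys
        dll = values.get("dllname")
        if not dll:
            continue
        if dll.split("\\")[-1].lower() not in KNOWN_NOTIFY_DLLS:
            findings.append((key.rsplit("\\", 1)[-1], dll))
    return findings


if __name__ == "__main__":
    for package, dll in suspicious_notify_packages(SAMPLE_REG):
        print(f"Notify\\{package} -> {dll}")
```

Run as a script it prints only Notify\MCD -> D:\WINDOWS\system32\fp4003hme.dll; crypt32chain decodes to crypt32.dll and cscdll resolves to cscdll.dll, both on the allowlist. A full path under system32 is itself a tell here: the stock packages name a bare DLL that winlogon resolves from the system directory.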
naski7:
I deleted the entries from the registry, but ??plorer.exe and rjml5111.dll will be a problem because Killbox tells me they don't exist

In that case delete them from the Recovery Console

The keys to delete are the same again.
Did you delete them and they came back, or did you not touch them at all??
Bobi
Posted
05.03.2005 12:52:30
I deleted the entries from the registry, but ??plorer.exe and rjml5111.dll will be a problem because Killbox tells me they don't exist; here's the FindIt log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

––––––– System Files in System32 Directory –––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2005-03-04 21:59 222365 irjml5111.dll
2004-12-08 16:39 389120 ??plorer.exe
2004-11-16 01:26 Microsoft
2004-11-16 00:40 dllcache
2 plik(ów) 611485 bajtów
2 katalog(ów) 170004480 bajtów wolnych

––––––– Hidden Files in System32 Directory –––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2004-12-08 16:39 389120 ??plorer.exe
2004-11-16 00:56 488 logonui.exe.manifest
2004-11-16 00:56 488 WindowsLogon.manifest
2004-11-16 00:56 749 wuaucpl.cpl.manifest
2004-11-16 00:56 749 cdplayer.exe.manifest
2004-11-16 00:56 749 sapi.cpl.manifest
2004-11-16 00:56 749 nwc.cpl.manifest
2004-11-16 00:56 749 ncpa.cpl.manifest
2004-11-16 00:40 dllcache
8 plik(ów) 393841 bajtów
1 katalog(ów) 170004480 bajtów wolnych

–––––––––– Files Named "Guard" –––––––––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2005-03-04 23:07 225840 guard.tmp
1 plik(ów) 225840 bajtów
0 katalog(ów) 170004480 bajtów wolnych

––––––––– Temp Files in System32 Directory ––––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2005-03-04 23:07 225840 guard.tmp
2001-10-26 16:45 2596 CONFIG.TMP
2 plik(ów) 228436 bajtów
0 katalog(ów) 170004480 bajtów wolnych

–––––––––––––––– User Agent ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EEA7F0D8-C027-4562-9A04-31EC4F3CEE10}"=""


–––––––––––– Keys Under Notify ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\hr4u05h9e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


–––––––––––––––– Xfind Results –––––––––––––––––

D:\WINDOWS\System32\HR4U05~1.DLL +++ File read error

–––––––––––––– Locate.com Results –––––––––––––––


D:\WINDOWS\SYSTEM32\
irjml5~1.dll Fri 2005-03-04 21:59:28 ..S.R 222 365 217,15 K

1 item found: 1 file, 0 directories.
Total of file sizes: 222 365 bytes 217,15 K

naski7
Posted
05.03.2005 12:43:19
naski7:
What do I delete those registry entries with?

Open Start/Run, type regedit, go through the keys and delete the ones in quotation marks
naski7:
Where do I find ??plorer??

That's the problem, you may not find it at all, which is why I suggested typing its path into Killbox
Do the same for rjml5111.dll, because everything will regenerate under different names if it hasn't already
Bobi
Posted
05.03.2005 08:42:38
What do I delete those registry entries with? And where do I find ??plorer??
naski7
Posted
05.03.2005 01:21:21
Well, almost...
Delete in the registry (regedit):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EEA7F0D8-C027-4562-9A04-31EC4F3CEE10}"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"DllName"="D:\\WINDOWS\\system32\\hr4u05h9e.dll"

Post a new HijackThis log too

You didn't delete ??plorer.exe, rjml5111.dll
Bobi
Posted
05.03.2005 01:02:48
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

––––––– System Files in System32 Directory –––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2005-03-04 21:59 222365 irjml5111.dll
2004-12-08 16:39 389120 ??plorer.exe
2004-11-16 01:26 Microsoft
2004-11-16 00:40 dllcache
2 plik(ów) 611485 bajtów
2 katalog(ów) 170643456 bajtów wolnych

––––––– Hidden Files in System32 Directory –––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2004-12-08 16:39 389120 ??plorer.exe
2004-11-16 00:56 488 logonui.exe.manifest
2004-11-16 00:56 488 WindowsLogon.manifest
2004-11-16 00:56 749 wuaucpl.cpl.manifest
2004-11-16 00:56 749 cdplayer.exe.manifest
2004-11-16 00:56 749 sapi.cpl.manifest
2004-11-16 00:56 749 nwc.cpl.manifest
2004-11-16 00:56 749 ncpa.cpl.manifest
2004-11-16 00:40 dllcache
8 plik(ów) 393841 bajtów
1 katalog(ów) 170643456 bajtów wolnych

–––––––––– Files Named "Guard" –––––––––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2005-03-04 23:07 225840 guard.tmp
1 plik(ów) 225840 bajtów
0 katalog(ów) 170643456 bajtów wolnych

––––––––– Temp Files in System32 Directory ––––––––

Wolumin w stacji D nie ma etykiety.
Numer seryjny woluminu: 4199-4B9F

Katalog: D:\WINDOWS\System32

2005-03-04 23:07 225840 guard.tmp
2001-10-26 16:45 2596 CONFIG.TMP
2 plik(ów) 228436 bajtów
0 katalog(ów) 170643456 bajtów wolnych

–––––––––––––––– User Agent ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EEA7F0D8-C027-4562-9A04-31EC4F3CEE10}"=""


–––––––––––– Keys Under Notify ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\hr4u05h9e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


–––––––––––––––– Xfind Results –––––––––––––––––

D:\WINDOWS\System32\HR4U05~1.DLL +++ File read error

–––––––––––––– Locate.com Results –––––––––––––––


D:\WINDOWS\SYSTEM32\
irjml5~1.dll Fri 2005–03–04 21:59:28 ..S.R 222 365 217,15 K

1 item found: 1 file, 0 directories.
Total of file sizes: 222 365 bytes 217,15 K

naski7
Added
05.03.2005 00:51:58
Unplug the cable from the net.
In Pocket Killbox enter the paths to the files

D:\WINDOWS\System32\...

2005–03–03 12:58 224091 hr4u05h9e.dll
2005–03–03 12:47 222365 g0lmla311d.dll
2005–03–02 18:28 222365 ir84l5lq1.dll
2005–02–25 04:03 222967 k4pm0e71eh.dll
2005–02–18 13:34 223965 d00mlad11d0.dll
2005–02–17 15:31 224456 l0p2la7o1d.dll
2005–02–17 15:14 224536 fn4021hmg.dll
2005–02–17 13:50 225497 enrul1991.dll
2005–02–04 02:02 225089 jbpl.dll
2005–01–21 15:51 223166 ihctl.dll
2005–01–11 03:28 224143 en84l1lq1.dll
2005–01–11 03:02 223178 f2l0lc3m1f.dll
2005–01–11 00:23 225877 ir42l5ho1.dll
2005–01–09 19:01 222430 k4440ehqeh4e0.dll
2005–01–09 15:18 225877 ilctl.dll
2005–01–07 13:55 224922 azau0539e.dll
2005–01–04 15:57 225179 kgdne.dll
2005–01–04 11:59 223254 j06mlaj11do.dll
2005–01–03 19:14 225714 cHrds.dll
2004–12–31 20:23 224699 khdes.dll
2004–12–29 00:04 223206 kudne.dll
2004–12–22 13:14 224986 ir00l5dm1.dll
2004–12–16 02:57 222907 lvp4097qe.dll
2004–12–16 02:28 224050 hrj6051se.dll
2004–12–16 02:23 222695 m2460chsef460.dll
2004–12–16 01:26 223580 l0j80a1ued.dll
2004–12–14 23:21 224030 ir8ol5l31.dll
2004–12–14 00:18 223580 irr2l59o1.dll
2004–12–14 00:16 222692 irrml5911.dll
2004–12–11 13:14 223183 m8640ijqe8oe0.dll
2004–12–10 18:31 224620 hrlu0539e.dll
2004–12–10 18:24 224671 k0080adued080.dll
2004–12–10 18:22 224592 f6l02g3mg6.dll
2004–12–10 17:22 224318 enn4l15q1.dll
2004–12–10 15:00 225457 q6pslg7716.dll
2004–12–10 15:00 224646 hrn8055ue.dll
2004–12–10 13:43 223636 h60qlgd5160.dll
2004–12–10 13:41 224924 f40o0ed3eh0.dll
2004–12–08 16:39 389120 ??plorer.exe

I didn't trim the dates and those numbers after them because I couldn't be bothered, but you know you only put the file name in place of the dots

To be thrown out of the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
>> {CE541094-5A19-44EE-B383-70AD79D1C10A}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility
>> D:\\WINDOWS\\system32\\ir84l5lq1.dll


Don't connect to the net until you've wiped out all of those files and keys.
After the treatment, a new log for me
Bobi
Added
04.03.2005 23:47:06
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

––––––– System Files in System32 Directory –––––––

Volume in drive D has no label.
Volume Serial Number is 4199-4B9F

Directory of D:\WINDOWS\System32

2005–03–04 21:59 222365 guard.tmp
2005–03–03 12:58 224091 hr4u05h9e.dll
2005–03–03 12:47 222365 g0lmla311d.dll
2005–03–02 18:28 222365 ir84l5lq1.dll
2005–02–25 04:03 222967 k4pm0e71eh.dll
2005–02–18 13:34 223965 d00mlad11d0.dll
2005–02–17 15:31 224456 l0p2la7o1d.dll
2005–02–17 15:14 224536 fn4021hmg.dll
2005–02–17 13:50 225497 enrul1991.dll
2005–02–04 02:02 225089 jbpl.dll
2005–01–21 15:51 223166 ihctl.dll
2005–01–11 03:28 224143 en84l1lq1.dll
2005–01–11 03:02 223178 f2l0lc3m1f.dll
2005–01–11 00:23 225877 ir42l5ho1.dll
2005–01–09 19:01 222430 k4440ehqeh4e0.dll
2005–01–09 15:18 225877 ilctl.dll
2005–01–07 13:55 224922 azau0539e.dll
2005–01–04 15:57 225179 kgdne.dll
2005–01–04 11:59 223254 j06mlaj11do.dll
2005–01–03 19:14 225714 cHrds.dll
2004–12–31 20:23 224699 khdes.dll
2004–12–29 00:04 223206 kudne.dll
2004–12–22 13:14 224986 ir00l5dm1.dll
2004–12–16 02:57 222907 lvp4097qe.dll
2004–12–16 02:28 224050 hrj6051se.dll
2004–12–16 02:23 222695 m2460chsef460.dll
2004–12–16 01:26 223580 l0j80a1ued.dll
2004–12–14 23:21 224030 ir8ol5l31.dll
2004–12–14 00:18 223580 irr2l59o1.dll
2004–12–14 00:16 222692 irrml5911.dll
2004–12–11 13:14 223183 m8640ijqe8oe0.dll
2004–12–10 18:31 224620 hrlu0539e.dll
2004–12–10 18:24 224671 k0080adued080.dll
2004–12–10 18:22 224592 f6l02g3mg6.dll
2004–12–10 17:22 224318 enn4l15q1.dll
2004–12–10 15:00 225457 q6pslg7716.dll
2004–12–10 15:00 224646 hrn8055ue.dll
2004–12–10 13:43 223636 h60qlgd5160.dll
2004–12–10 13:41 224924 f40o0ed3eh0.dll
2004–12–08 16:39 389120 ??plorer.exe
2004–11–16 01:26 Microsoft
2004–11–16 00:40 dllcache
40 File(s) 9127028 bytes
2 Dir(s) 175133696 bytes free

––––––– Hidden Files in System32 Directory –––––––

Volume in drive D has no label.
Volume Serial Number is 4199-4B9F

Directory of D:\WINDOWS\System32

2004–12–08 16:39 389120 ??plorer.exe
2004–11–16 00:56 488 logonui.exe.manifest
2004–11–16 00:56 488 WindowsLogon.manifest
2004–11–16 00:56 749 wuaucpl.cpl.manifest
2004–11–16 00:56 749 cdplayer.exe.manifest
2004–11–16 00:56 749 sapi.cpl.manifest
2004–11–16 00:56 749 nwc.cpl.manifest
2004–11–16 00:56 749 ncpa.cpl.manifest
2004–11–16 00:40 dllcache
8 File(s) 393841 bytes
1 Dir(s) 175133696 bytes free

–––––––––– Files Named "Guard" –––––––––––––

Volume in drive D has no label.
Volume Serial Number is 4199-4B9F

Directory of D:\WINDOWS\System32

2005–03–04 21:59 222365 guard.tmp
1 File(s) 222365 bytes
0 Dir(s) 175133696 bytes free

––––––––– Temp Files in System32 Directory ––––––––

Volume in drive D has no label.
Volume Serial Number is 4199-4B9F

Directory of D:\WINDOWS\System32

2005–03–04 21:59 222365 guard.tmp
2001–10–26 16:45 2596 CONFIG.TMP
2 File(s) 224961 bytes
0 Dir(s) 175133696 bytes free

–––––––––––––––– User Agent ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{CE541094-5A19-44EE-B383-70AD79D1C10A}"=""


–––––––––––– Keys Under Notify ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\ir84l5lq1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


–––––––––––––––– Xfind Results –––––––––––––––––

D:\WINDOWS\System32\GUARD.TMP +++ File read error

–––––––––––––– Locate.com Results –––––––––––––––


D:\WINDOWS\SYSTEM32\
jbpl.dll Fri 2005–02–04 2:02:50 ..S.R 225 089 219,81 K
enrul1~1.dll Thu 2005–02–17 13:50:20 ..S.R 225 497 220,21 K
fn4021~1.dll Thu 2005–02–17 15:14:24 ..S.R 224 536 219,27 K
guard.tmp Fri 2005–03–04 21:59:28 ..S.R 222 365 217,15 K
l0p2la~1.dll Thu 2005–02–17 15:31:52 ..S.R 224 456 219,20 K
d00mla~1.dll Fri 2005–02–18 13:34:52 ..S.R 223 965 218,71 K
k4pm0e~1.dll Fri 2005–02–25 4:03:32 ..S.R 222 967 217,74 K
g0lmla~1.dll Thu 2005–03–03 12:47:54 ..S.R 222 365 217,15 K
hr4u05~1.dll Thu 2005–03–03 12:58:02 ..S.R 224 091 218,84 K
ir84l5~1.dll Wed 2005–03–02 18:28:10 ..S.R 222 365 217,15 K

10 items found: 10 files, 0 directories.
Total of file sizes: 2 237 696 bytes 2,13 M
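
The "Keys Under Notify" dump above is what gives the VX2 DLL away: every stock Winlogon notification package names a bare DLL (crypt32.dll, cscdll.dll, wlnotify.dll, sclgntfy.dll) that Winlogon resolves from system32, while the injected package (ShellCompatibility here, IPConfTSP in the later dump) carries a full system32 path to a randomly named file. Below is an added example, not code from the thread or from FindIt, that parses a REGEDIT4 export in Python, decodes the hex(2) (REG_EXPAND_SZ) DllName values, and flags any package whose DllName is a path or is not in a baseline list. The baseline is taken from the Microsoft packages visible in this log and is an assumption; the embedded sample is a trimmed, constructed copy of the dump's layout.

```python
import re

# Assumption: the Microsoft notification packages seen in the FindIt dump in this
# thread are treated as the clean-XP baseline. Anything else gets flagged.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

NOTIFY_PREFIX = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
                 r"\CurrentVersion\Winlogon\Notify" + "\\")

# Constructed sample in the same REGEDIT4 layout as the "Keys Under Notify" dump
# (the termsrv entry shows a hex value continued with a trailing backslash).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\ir84l5lq1.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,\
  64,6c,6c,00
"Logon"="TSEventLogon"
'''


def _decode_hex_string(data):
    """hex(2) in a REGEDIT4 file is the ANSI bytes of a REG_EXPAND_SZ, NUL-terminated."""
    raw = bytes(int(b, 16) for b in data.replace(" ", "").split(",") if b)
    return raw.decode("latin-1").rstrip("\x00")


def parse_regedit4(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4 export.
    Handles "string", dword: and hex(2): values; other hex(...) types are kept raw."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                      # continuation of a hex(2) value
            name, data = pending
            data += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, data)
                continue
            keys[current][name] = _decode_hex_string(data)
            pending = None
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith('"') and val.endswith('"'):
            # .reg escapes backslash and quote inside string values
            keys[current][name] = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith("hex(2):"):
            data = val[len("hex(2):"):]
            if data.endswith("\\"):
                pending = (name, data.rstrip("\\"))
                continue
            keys[current][name] = _decode_hex_string(data)
        else:
            keys[current][name] = val
    return keys


def audit_notify(keys):
    """Return [(package, dll_name, verdict)] for every subkey under Winlogon\\Notify."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        package = path[len(NOTIFY_PREFIX):]
        # the dump spells it both "DllName" and "DLLName"; registry names are case-insensitive
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            verdict = "no DllName: loads nothing, stale key"
        elif re.search(r"[\\/:]", dll):
            verdict = "SUSPICIOUS: absolute path (stock packages use a bare name resolved from system32)"
        elif dll.lower() not in KNOWN_NOTIFY_DLLS:
            verdict = "UNKNOWN: not in baseline, verify the file"
        else:
            verdict = "ok"
        findings.append((package, dll, verdict))
    return findings


def flagged_packages(text):
    """Convenience: package names whose DllName is not a bare baseline DLL."""
    return [p for p, _, v in audit_notify(parse_regedit4(text)) if v != "ok"]


if __name__ == "__main__":
    for package, dll, verdict in audit_notify(parse_regedit4(SAMPLE_REG)):
        print(f"{package:20} {str(dll):40} {verdict}")
```

Run against the full dump, the script reports ShellCompatibility (and, in the later log, IPConfTSP) as SUSPICIOUS and everything else as ok, which matches what FindIt and the O20 line in HijackThis point at. Because Winlogon loads these DLLs at logon, the file cannot be deleted while Windows is up, which is why the thread falls back to Pocket Killbox and why the key has to go together with the file: deleting only the DLL leaves a broken notification package, deleting only the key leaves the file for the next reinfection cycle.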

naski7
Added
04.03.2005 23:39:58
OK, we've got hardcore, i.e. VX2

First, turn off System Restore
End the process:
??plorer.exe >> delete the file too, later

FIX and delete the files manually:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - D:\Program Files\SurfSideKick 2\SskBho.dll
F3 - REG:win.ini: run=D:\WINDOWS\inet10055\services.exe
O4 - HKLM\..\Run: [SurfSideKick 2] D:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [xp_system] D:\WINDOWS\inet10055\services.exe
O4 - HKCU\..\Run: [SurfSideKick 2] D:\Program Files\SurfSideKick 2\Ssk.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - D:\WINDOWS\System32\porynt.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - D:\WINDOWS\System32\porynt.dll
O20 - Winlogon Notify: ShellCompatibility - D:\WINDOWS\system32\ir84l5lq1.dll

Use Pocket Killbox if you can't find one of the libraries
To wipe out the O15 entries use KillTrusted

Fix this with LSP-Fix
O10 – Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 – Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 – Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 – Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll


VX2:
O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch

Show the log from FindIt
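
The hosts-file lines listed under "VX2:" above override DNS for the names IE 6 and Netscape resolve for address-bar keyword search, so every failed lookup lands on 69.20.16.183 instead of the vendor's search page. As an added example (not from the thread or from HijackThis), this Python check parses a hosts file and reports every name mapped to a non-loopback address, marking the search hostnames and the repeated lines that HijackThis prints as separate O1 entries. The watchlist of search hostnames and the sample file are constructed for the example.

```python
import ipaddress

# Assumption: these are the names IE 6 / Netscape contact for "auto search";
# the VX2 hosts entries in the log point all of them at 69.20.16.183.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

# Constructed sample hosts file modelled on the O1 lines in the thread.
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
69.20.16.183    ieautosearch
0.0.0.0         ads.example.net   # blocklist-style sinkhole, not a hijack
"""


def parse_hosts(text):
    """Return [(ip, hostname, lineno)]; comments, blanks and unparsable lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not "address name [name ...]"
        for host in fields[1:]:
            entries.append((ip, host.lower(), lineno))
    return entries


def is_local(ip):
    """127/8, ::1 and 0.0.0.0 are what a clean hosts file (or an ad blocklist) maps to."""
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text):
    """Return [(hostname, ip, lineno, reason)] for every mapping to a non-local address.
    Known search hostnames get an explicit verdict; repeated lines (HijackThis lists
    each copy as its own O1 entry) are marked as duplicates of the first occurrence."""
    first_seen = {}
    findings = []
    for ip, host, lineno in parse_hosts(text):
        if is_local(ip):
            continue
        reason = "search hijack" if host in SEARCH_HOSTS else "non-local mapping"
        if host in first_seen:
            reason += " (duplicate of line %d)" % first_seen[host]
        else:
            first_seen[host] = lineno
        findings.append((host, str(ip), lineno, reason))
    return findings


if __name__ == "__main__":
    for host, ip, lineno, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}  [{reason}]")
```

On XP the file lives at %SystemRoot%\system32\drivers\etc\hosts; VX2 typically also sets it read-only, so clear the attribute before editing, and expect the entries to come back until the Winlogon Notify DLL that rewrites them is gone.
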
Bobi
Added
04.03.2005 22:20:50
naski7
Added:
04.03.2005 22:11:20
Comments: 19