VX2 again
It seems to be some kind of plague...
I've looked through the previous posts and have even downloaded KillBox already, but as I can see I still need help. Below is my log:
Logfile of HijackThis v1.98.2
Scan saved at 00:33:02, on 2005–02–19
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSSYSTEM32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesTGTSoftStyleXPStyleXPService.exe
C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
C:WINDOWSsystem32spoolsv.exe
C:PROGRA~1COMMON~1StardockSDMCP.exe
C:WINDOWSSystem32Ati2evxx.exe
C:Program FilesSymantec AntiVirusDefWatch.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:WINDOWSSystem32svchost.exe
C:Program FilesSymantec AntiVirusRtvscan.exe
C:WINDOWSSOUNDMAN.EXE
C:Program FilesWinampwinampa.exe
C:Program FilesJavajre1.5.0_01injusched.exe
C:Program FilesCommon FilesSymantec SharedccApp.exe
C:PROGRA~1SYMANT~1VPTray.exe
C:WINDOWSSystem32ctfmon.exe
D:Program FilesCursorXPCursorXP.exe
C:Program FilesSensivaSymbol Commander ProSensiva.exe
C:Program FilesTuneUp Utilities 2004memoptimizer.exe
C:Program FilesTGTSoftStyleXPStyleXP.exe
C:Program FilesGadu–Gadugg.exe
C:Program FilesStardockObject DesktopDesktopXDesktopX.exe
D:Program FilesObjectDockObjectDock.exe
C:PROGRA~1INCRED~1inIMAPP.EXE
C:WINDOWSIntegrator.exe
C:Program FilesGPSoftwareDirectory OpusDOpus.exe
C:WINDOWSSYSTEM32 undll32.exe
C:Program FilesMaxthonMaxthon.exe
C:Program FilesReGetDx egetdx.exe
E:Programy instalacyjneSYSTEMANTYSPYhijackthisHijackThis.exe
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = about:blank
R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.interia.pl/
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = about:blank
R0 – HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = about:blank
R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page = C:WINDOWSPCHealthHelpCtrSystempanelslank.htm
R0 – HKLMSoftwareMicrosoftInternet ExplorerMain,Local Page = C:WINDOWSPCHealthHelpCtrSystempanelslank.htm
R0 – HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O3 – Toolbar: ReGet Bar – {17939A30–18E2–471E–9D3A–56DD725F1215} – C:Program FilesReGetDxiebar.dll
O4 – HKLM..Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [WinampAgent] "C:Program FilesWinampwinampa.exe"
O4 – HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavajre1.5.0_01injusched.exe
O4 – HKLM..Run: [gcasServ] "C:Program FilesMicrosoft AntiSpywaregcasServ.exe"
O4 – HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 – HKLM..Run: [vptray] C:PROGRA~1SYMANT~1VPTray.exe
O4 – HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 – HKCU..Run: [IncrediMail] C:Program FilesIncrediMailinIncMail.exe /c
O4 – HKCU..Run: [CursorXP] D:Program FilesCursorXPCursorXP.exe
O4 – HKCU..Run: [Sensiva] "C:Program FilesSensivaSymbol Commander ProSensiva.exe"
O4 – HKCU..Run: [TuneUp MemOptimizer] "C:Program FilesTuneUp Utilities 2004memoptimizer.exe" autostart
O4 – HKCU..Run: [STYLEXP] C:Program FilesTGTSoftStyleXPStyleXP.exe –Hide
O4 – HKCU..Run: [Gadu–Gadu] "C:Program FilesGadu–Gadugg.exe" /tray
O4 – HKCU..Run: [DesktopX] "C:Program FilesStardockObject DesktopDesktopXDesktopX.exe"
O4 – Startup: Stardock ObjectDock.lnk = D:Program FilesObjectDockObjectDock.exe
O4 – Startup: AntiCrash.lnk = C:Program FilesDachshund SoftwareAntiCrashAntiCrash.exe
O4 – Startup: Hare.lnk = C:Program FilesDachshund SoftwareHareHare.exe
O6 – HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions present
O8 – Extra context menu item: &Add animation to IncrediMail Style Box – C:PROGRA~1INCRED~1in esourcesWebMenuImg.htm
O8 – Extra context menu item: &Pobierz przez ReGet Deluxe – C:Program FilesCommon FilesReGet SharedCC_Link.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O8 – Extra context menu item: Pobierz &wszystko przez ReGet Deluxe – C:Program FilesCommon FilesReGet SharedCC_All.htm
O8 – Extra context menu item: Save F&lash with FlashCapture – res://C:Program FilesFlashCapturefciext.dll/FCIEXT.htm
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:Program FilesJavajre1.5.0_01in pjpi150_01.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:Program FilesJavajre1.5.0_01in pjpi150_01.dll
O9 – Extra button: FlashCapture – {753BBC4B–CC73–4fb8–A5B5–CA09C804C1DD} – res://C:Program FilesFlashCapturefciext.dll/FCIEXT.htm (file missing)
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100992120265
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://skaner.mks.com.pl/SkanerOnline.cab
O21 – SSODL: MSTask – {8291E06B–1626–48F9–8055–41ADE385D324} – (no file)
I'm also posting the log from findIt:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
––––––– System Files in System32 Directory –––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
2005–02–19 00:23 231608 l88mlil118q.dll
2005–02–19 00:11 228547 m0820aloedqc0.dll
2005–02–18 23:53 231668 i0600ajmedoa0.dll
2005–02–18 23:41 231671 h4l2le3o1h.dll
2005–02–18 23:04 231608 lvnm0951e.dll
2005–02–18 22:48 230841 ktn6l75s1.dll
2005–02–18 22:43 231855 gp60l3jm1.dll
2005–02–18 22:24 229181 ir0ul5d91.dll
2005–02–18 22:16 230645 mv8ol9l31.dll
2005–02–08 15:37 417792 ??anregw.exe
2005–02–08 07:43 49152 gpsB2.dll
2004–11–19 21:34 Microsoft
2004–11–19 20:58 dllcache
1995–03–14 05:22 80 argtmp39.dll
12 plik(w) 2544648 bajtw
2 katalog(w) 3963846656 bajtw wolnych
––––––– Hidden Files in System32 Directory –––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
2005–02–08 15:37 417792 ??anregw.exe
2005–02–08 07:43 49152 gpsB2.dll
2004–11–19 21:21 488 logonui.exe.manifest
2004–11–19 21:21 488 WindowsLogon.manifest
2004–11–19 21:21 749 cdplayer.exe.manifest
2004–11–19 21:21 749 ncpa.cpl.manifest
2004–11–19 21:21 749 sapi.cpl.manifest
2004–11–19 21:21 749 wuaucpl.cpl.manifest
2004–11–19 21:21 749 nwc.cpl.manifest
2004–11–19 20:58 dllcache
9 plik(w) 471665 bajtw
1 katalog(w) 3963838464 bajtw wolnych
–––––––––– Files Named "Guard" –––––––––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
2005–02–19 06:50 0 guard.txt
2005–02–19 06:30 228547 guard.tmp
2 plik(w) 228547 bajtw
0 katalog(w) 3963830272 bajtw wolnych
––––––––– Temp Files in System32 Directory ––––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
2005–02–19 06:30 228547 guard.tmp
2002–09–29 01:00 2596 CONFIG.TMP
2 plik(w) 231143 bajtw
0 katalog(w) 3963822080 bajtw wolnych
–––––––––––––––– User Agent ––––––––––––
REGEDIT4
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser AgentPost Platform]
"{113722D2–E1B7–4CE9–B133–3A4E678E22D7}"=""
–––––––––––– Keys Under Notify ––––––––––––
REGEDIT4
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyApp Management]
"Asynchronous"=dword:00000000
"DllName"="C:\WINDOWS\system32\m0820aloedqc0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycrypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyMCPClient]
"Asynchronous"=dword:00000000
"DllName"="C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll"
"Startup"="MCPSystemStartup"
"Logon"="MCPLogonStartup"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyNavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\WINDOWS\System32\NavLogon.dll"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySchedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifysclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify ermsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyWB]
"Asynchronous"=dword:00000000
"DllName"="D:\PROGRA~1\WINDOW~1\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifywlballoon]
"DLLName"="wlnotify.dll"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
–––––––––––––––– Xfind Locked Files –––––––––––––––––
Nazwa 'Xfind' nie jest rozpoznawana jako polecenie wewn©trzne lub zewn©trzne,
program wykonywalny lub plik wsadowy.
–––––––––––––– XFind Qoologic Results ––––––––––––––
Nazwa 'Xfind' nie jest rozpoznawana jako polecenie wewn©trzne lub zewn©trzne,
program wykonywalny lub plik wsadowy.
Nazwa 'Xfind' nie jest rozpoznawana jako polecenie wewn©trzne lub zewn©trzne,
program wykonywalny lub plik wsadowy.
–––––––––––––– XFind Aspack Results –––––––––––––––
Nazwa 'Xfind' nie jest rozpoznawana jako polecenie wewn©trzne lub zewn©trzne,
program wykonywalny lub plik wsadowy.
Nazwa 'Xfind' nie jest rozpoznawana jako polecenie wewn©trzne lub zewn©trzne,
program wykonywalny lub plik wsadowy.
–––––––––––––– Locate.com Results –––––––––––––––
Following the earlier posts I started removing "a thing or two", but since, as I understand it, doing this piecemeal doesn't work, I'll wait for help.
Replies: 7
I'll keep fighting with this .exe, but I already want to thank you for the help.
Looks good.
This key is still left to remove:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap
C:\WINDOWS\system32\fp2203foe.dll
+ finding and deleting this executable: ??anregw.exe
It doesn't matter how: KillBox but after a reboot, showing hidden and system files and searching by hand, the Recovery Console; there are many ways.
Looks like it worked.
Admittedly I again didn't do everything; I only just read the reply, and in the meantime I fought fiercely with this junk, and the log now looks like this:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
––––––– System Files in System32 Directory –––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
2005–02–08 15:37 417792 ??anregw.exe
2004–11–19 21:34 Microsoft
2004–11–19 20:58 dllcache
1 plik(w) 417792 bajtw
2 katalog(w) 5858172928 bajtw wolnych
––––––– Hidden Files in System32 Directory –––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
2005–02–08 15:37 417792 ??anregw.exe
2004–11–19 21:21 488 logonui.exe.manifest
2004–11–19 21:21 488 WindowsLogon.manifest
2004–11–19 21:21 749 wuaucpl.cpl.manifest
2004–11–19 21:21 749 cdplayer.exe.manifest
2004–11–19 21:21 749 sapi.cpl.manifest
2004–11–19 21:21 749 nwc.cpl.manifest
2004–11–19 21:21 749 ncpa.cpl.manifest
2004–11–19 20:58 dllcache
8 plik(w) 422513 bajtw
1 katalog(w) 5858172928 bajtw wolnych
–––––––––– Files Named "Guard" –––––––––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
2005–02–19 19:20 229715 guard.tmp
1 plik(w) 229715 bajtw
0 katalog(w) 5858172928 bajtw wolnych
––––––––– Temp Files in System32 Directory ––––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
2005–02–19 19:20 229715 guard.tmp
2002–09–29 01:00 2596 CONFIG.TMP
2 plik(w) 232311 bajtw
0 katalog(w) 5858172928 bajtw wolnych
–––––––––––––––– User Agent ––––––––––––
REGEDIT4
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser AgentPost Platform]
"Maxthon"="??"
–––––––––––– Keys Under Notify ––––––––––––
REGEDIT4
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycrypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyMCPClient]
"Asynchronous"=dword:00000000
"DllName"="C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll"
"Startup"="MCPSystemStartup"
"Logon"="MCPLogonStartup"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyNavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\WINDOWS\System32\NavLogon.dll"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySchedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifysclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\WINDOWS\system32\fp2203foe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify ermsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyWB]
"Asynchronous"=dword:00000000
"DllName"="D:\PROGRA~1\WINDOW~1\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifywlballoon]
"DLLName"="wlnotify.dll"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
–––––––––––––––– Xfind Locked Files –––––––––––––––––
–––––––––––––– XFind Qoologic Results ––––––––––––––
–––––––––––––– XFind Aspack Results –––––––––––––––
–––––––––––––– Locate.com Results –––––––––––––––
When I tried to delete this .exe directly without a reboot, KillBox "replied" that the program doesn't seem to exist.
At the moment nothing pops up, and Ad-Aware is also silent about anything.
Could it have worked??
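As an added example, not code from the thread or from the findIt/HijackThis tools: a small Python checker that parses the REGEDIT4 "Keys Under Notify" dump findIt prints (the section shown in the logs above) and reports Winlogon\Notify entries whose DllName is not one of the stock Windows notification packages. That is exactly how the App Management entry (m0820aloedqc0.dll) in the first log and the ShellScrap entry (fp2203foe.dll) named in the reply stand out from crypt32chain, cryptnet, cscdll and the rest. The sample dump, the baseline allowlist and the randomised-name heuristic are the editor's own assumptions, not anything the tools or the helper specified.

```python
import re
from typing import Dict, List, Optional, Tuple

# Stock Windows XP notification-package DLLs, compiled by the editor from the
# clean Notify entries visible in the logs above (assumption: not an official
# or exhaustive Microsoft list). Anything outside it deserves a second look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

# Constructed sample in the REGEDIT4 shape findIt prints under "Keys Under
# Notify": one VX2-style key (ShellScrap), one stock key, one third-party key.
SAMPLE_DUMP = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fp2203foe.dll"
"Logon"="WinLogon"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
NOTIFY_MARKER = "\\Winlogon\\Notify\\"


def decode_reg_string(data: str) -> str:
    """Turn the right-hand side of a .reg value line into plain text.

    Handles quoted REG_SZ (with \\\\ and \\" escapes) and hex(2) REG_EXPAND_SZ,
    whether the bytes are single-byte (as findIt prints them) or UTF-16LE
    (as regedit exports them). Other value types are returned untouched.
    """
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
            text = raw.decode("utf-16-le")   # every odd byte is 0: UTF-16LE
        else:
            text = raw.decode("latin-1")     # single-byte dump as in findIt
        return text.rstrip("\x00")
    return data


def parse_notify_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Map each Winlogon\\Notify subkey name to its decoded values."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            pos = key.find(NOTIFY_MARKER)
            # The bare ...\Winlogon\Notify parent key has no trailing segment.
            current = key[pos + len(NOTIFY_MARKER):] if pos != -1 else None
            if current is not None:
                entries[current] = {}
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.group("name"), value_match.group("data")
            entries[current][name] = decode_reg_string(data)
    return entries


def looks_randomised(stem: str) -> bool:
    """Rough heuristic (editor's assumption) for VX2-style generated names:
    letters and digits mixed in a stem of eight or more characters."""
    return (len(stem) >= 8 and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def find_suspicious_notify(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (subkey, dll_path, reason) for every entry worth reviewing."""
    findings: List[Tuple[str, str, str]] = []
    for subkey, values in entries.items():
        # findIt prints both "DllName" and "DLLName"; compare case-insensitively.
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            findings.append((subkey, "", "no DllName value"))
            continue
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1]
        if basename.lower() in KNOWN_NOTIFY_DLLS:
            continue  # stock Windows notification package
        stem = basename.rsplit(".", 1)[0]
        if looks_randomised(stem):
            findings.append((subkey, dll, "randomised filename"))
        else:
            findings.append((subkey, dll, "not a stock Windows DLL; verify the vendor"))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in find_suspicious_notify(parse_notify_dump(SAMPLE_DUMP)):
        print(f"{subkey:<14} {reason:<45} {dll}")
```

Run against the real dumps above, the checker also lists legitimate third-party packages (Symantec's NavLogon.dll, Stardock's mcpstub.dll, fastload.dll) for vendor verification; that is the same caveat findIt prints at the top of its report, and the analyst still has to tell them apart from the randomised names. Notification packages are loaded by winlogon.exe at boot, before any user session exists, which is why an entry like ShellScrap keeps coming back until both the key and the DLL it points to are gone, and why the reply suggests deleting the file after a reboot or from the Recovery Console rather than from the running desktop.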
I had it too – HAD this b#$%$#. The very first thing is to unplug the internet. What helped me was running, one after the other, MS AntiSpyware –> Ad-Aware SE Personal –> NAV 2004. And phew, it worked, but only after 3 days of struggle.
The whole difficulty in removing this crap is that after a failed removal attempt it recreates itself under different names.
You have to do all the operations preferably with the internet cable unplugged, and not plug it back in until you are sure nothing is left.
Right now it has these names:
sQmlib.dll
f0l0la3m1d.dll
le32.dll
dnnq0155e.dll
mudex.dll
chmsvcs.dll
kt0sl7d71.dll
i0600ajmedoa0.dll
h4l2le3o1h.dll
lvnm0951e.dll
ktn6l75s1.dll
gp60l3jm1.dll
ir0ul5d91.dll
mv8ol9l31.dll
??anregw.exe
gpsB2.dll
>> these files are in system32, so you have the locations for KillBox
In dllcache, in turn, there is:
argtmp39.dll, which also has to be deleted
In the registry you delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
this string: {DDB0652F–BA40–42A2–B14D–B55E346ABB67}
And in:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager
this subkey: C:\WINDOWS\system32\dnnq0155e.dll
Also add the file dnnq0155e.dll to KillBox, just replace the double backslashes (\\) with a single one
Of course, in HJT, FIX:
O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O1 – Hosts: 69.20.16.183 ieautosearch
the rest of the entries in the log are okay
I can't cope with this. Despite pasting the names of all those DLLs into KillBox, after restarting the computer everything comes back. The log looked clean for a moment, but not anymore. I suspect it's mainly because I didn't manage to remove all the registry entries, but I simply don't see them – I mean the first item from ".../Notify/App.Manager". I also don't see m0820aloedqc0.dll, even though when scanning, Ad-Aware shows that it is in system32.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
––––––– System Files in System32 Directory –––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
2005–02–19 16:32 229680 sQmlib.dll
2005–02–19 16:29 230929 f0l0la3m1d.dll
2005–02–19 16:18 230929 le32.dll
2005–02–19 16:08 229680 dnnq0155e.dll
2005–02–19 15:51 231608 mudex.dll
2005–02–19 15:40 231608 chmsvcs.dll
2005–02–19 06:30 228547 kt0sl7d71.dll
2005–02–18 23:53 231668 i0600ajmedoa0.dll
2005–02–18 23:41 231671 h4l2le3o1h.dll
2005–02–18 23:04 231608 lvnm0951e.dll
2005–02–18 22:48 230841 ktn6l75s1.dll
2005–02–18 22:43 231855 gp60l3jm1.dll
2005–02–18 22:24 229181 ir0ul5d91.dll
2005–02–18 22:16 230645 mv8ol9l31.dll
2005–02–08 15:37 417792 ??anregw.exe
2005–02–08 07:43 49152 gpsB2.dll
2004–11–19 21:34 Microsoft
2004–11–19 20:58 dllcache
1995–03–14 05:22 80 argtmp39.dll
17 plik(w) 3697474 bajtw
2 katalog(w) 5793226752 bajtw wolnych
––––––– Hidden Files in System32 Directory –––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
2005–02–08 15:37 417792 ??anregw.exe
2005–02–08 07:43 49152 gpsB2.dll
2004–11–19 21:21 488 logonui.exe.manifest
2004–11–19 21:21 488 WindowsLogon.manifest
2004–11–19 21:21 749 cdplayer.exe.manifest
2004–11–19 21:21 749 ncpa.cpl.manifest
2004–11–19 21:21 749 sapi.cpl.manifest
2004–11–19 21:21 749 wuaucpl.cpl.manifest
2004–11–19 21:21 749 nwc.cpl.manifest
2004–11–19 20:58 dllcache
9 plik(w) 471665 bajtw
1 katalog(w) 5793226752 bajtw wolnych
–––––––––– Files Named "Guard" –––––––––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
––––––––– Temp Files in System32 Directory ––––––––
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 546D–7EC0
Katalog: C:WINDOWSSystem32
2002–09–29 01:00 2596 CONFIG.TMP
1 plik(w) 2596 bajtw
0 katalog(w) 5793226752 bajtw wolnych
–––––––––––––––– User Agent ––––––––––––
REGEDIT4
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser AgentPost Platform]
"{DDB0652F–BA40–42A2–B14D–B55E346ABB67}"=""
–––––––––––– Keys Under Notify ––––––––––––
REGEDIT4
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycrypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyMCPClient]
"Asynchronous"=dword:00000000
"DllName"="C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll"
"Startup"="MCPSystemStartup"
"Logon"="MCPLogonStartup"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyNavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\WINDOWS\System32\NavLogon.dll"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySchedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifysclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify ermsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\WINDOWS\system32\dnnq0155e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyWB]
"Asynchronous"=dword:00000000
"DllName"="D:\PROGRA~1\WINDOW~1\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifywlballoon]
"DLLName"="wlnotify.dll"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
–––––––––––––––– Xfind Locked Files –––––––––––––––––
–––––––––––––– XFind Qoologic Results ––––––––––––––
–––––––––––––– XFind Aspack Results –––––––––––––––
–––––––––––––– Locate.com Results –––––––––––––––
Logfile of HijackThis v1.98.2
Scan saved at 16:42:46, on 2005–02–19
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSSYSTEM32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesTGTSoftStyleXPStyleXPService.exe
C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
C:WINDOWSsystem32spoolsv.exe
C:PROGRA~1COMMON~1StardockSDMCP.exe
C:WINDOWSSystem32Ati2evxx.exe
C:Program FilesSymantec AntiVirusDefWatch.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:WINDOWSSystem32svchost.exe
C:Program FilesSymantec AntiVirusRtvscan.exe
C:WINDOWSExplorer.EXE
C:WINDOWSSOUNDMAN.EXE
C:Program FilesWinampwinampa.exe
C:Program FilesJavajre1.5.0_01injusched.exe
C:Program FilesCommon FilesSymantec SharedccApp.exe
C:PROGRA~1SYMANT~1VPTray.exe
C:WINDOWSSystem32ctfmon.exe
D:Program FilesCursorXPCursorXP.exe
C:Program FilesSensivaSymbol Commander ProSensiva.exe
C:Program FilesTuneUp Utilities 2004memoptimizer.exe
C:Program FilesTGTSoftStyleXPStyleXP.exe
C:Program FilesGadu–Gadugg.exe
C:Program FilesStardockObject DesktopDesktopXDesktopX.exe
D:Program FilesObjectDockObjectDock.exe
C:WINDOWSIntegrator.exe
C:PROGRA~1INCRED~1inIMAPP.EXE
C:Program FilesMicrosoft AntiSpywaregcasDtServ.exe
C:Program FilesGPSoftwareDirectory OpusDOpus.exe
C:WINDOWSSystem32cmd.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Program FilesMaxthonMaxthon.exe
C:WINDOWSSYSTEM32 undll32.exe
E:Programy instalacyjneSYSTEMANTYSPYhijackthisHijackThis.exe
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = about:blank
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = about:blank
R0 – HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = about:blank
R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page = C:WINDOWSPCHealthHelpCtrSystempanelslank.htm
R0 – HKLMSoftwareMicrosoftInternet ExplorerMain,Local Page = C:WINDOWSPCHealthHelpCtrSystempanelslank.htm
R0 – HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O1 – Hosts: 69.20.16.183 ieautosearch
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O3 – Toolbar: ReGet Bar – {17939A30–18E2–471E–9D3A–56DD725F1215} – C:Program FilesReGetDxiebar.dll
O4 – HKLM..Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM..Run: [WinampAgent] "C:Program FilesWinampwinampa.exe"
O4 – HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavajre1.5.0_01injusched.exe
O4 – HKLM..Run: [gcasServ] "C:Program FilesMicrosoft AntiSpywaregcasServ.exe"
O4 – HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 – HKLM..Run: [vptray] C:PROGRA~1SYMANT~1VPTray.exe
O4 – HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 – HKCU..Run: [IncrediMail] C:Program FilesIncrediMailinIncMail.exe /c
O4 – HKCU..Run: [CursorXP] D:Program FilesCursorXPCursorXP.exe
O4 – HKCU..Run: [Sensiva] "C:Program FilesSensivaSymbol Commander ProSensiva.exe"
O4 – HKCU..Run: [TuneUp MemOptimizer] "C:Program FilesTuneUp Utilities 2004memoptimizer.exe" autostart
O4 – HKCU..Run: [STYLEXP] C:Program FilesTGTSoftStyleXPStyleXP.exe –Hide
O4 – HKCU..Run: [Gadu–Gadu] "C:Program FilesGadu–Gadugg.exe" /tray
O4 – HKCU..Run: [DesktopX] "C:Program FilesStardockObject DesktopDesktopXDesktopX.exe"
O4 – Startup: Stardock ObjectDock.lnk = D:Program FilesObjectDockObjectDock.exe
O4 – Startup: AntiCrash.lnk = C:Program FilesDachshund SoftwareAntiCrashAntiCrash.exe
O4 – Startup: Hare.lnk = C:Program FilesDachshund SoftwareHareHare.exe
O8 – Extra context menu item: &Add animation to IncrediMail Style Box – C:PROGRA~1INCRED~1in esourcesWebMenuImg.htm
O8 – Extra context menu item: &Pobierz przez ReGet Deluxe – C:Program FilesCommon FilesReGet SharedCC_Link.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O8 – Extra context menu item: Pobierz &wszystko przez ReGet Deluxe – C:Program FilesCommon FilesReGet SharedCC_All.htm
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:Program FilesJavajre1.5.0_01in pjpi150_01.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:Program FilesJavajre1.5.0_01in pjpi150_01.dll
O9 – Extra button: FlashCapture – {753BBC4B–CC73–4fb8–A5B5–CA09C804C1DD} – res://C:Program FilesFlashCapturefciext.dll/FCIEXT.htm (file missing)
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100992120265
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://skaner.mks.com.pl/SkanerOnline.cab
Unplug the network cable, boot into Safe Mode and disable System Restore
FIX:
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O6 – HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions present
O9 – Extra button: FlashCapture – {753BBC4B–CC73–4fb8–A5B5–CA09C804C1DD} – res://C:Program FilesFlashCapturefciext.dll/FCIEXT.htm (file missing)
O21 – SSODL: MSTask – {8291E06B–1626–48F9–8055–41ADE385D324} – (no file)
In Pocket KillBox, enter for deletion on reboot:
From C:\WINDOWS\System32:
l88mlil118q.dll
m0820aloedqc0.dll
i0600ajmedoa0.dll
h4l2le3o1h.dll
lvnm0951e.dll
ktn6l75s1.dll
gp60l3jm1.dll
ir0ul5d91.dll
mv8ol9l31.dll
??anregw.exe
gpsB2.dll
From dllcache:
argtmp39.dll
In the registry, to be removed:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{113722D2–E1B7–4CE9–B133–3A4E678E22D7}"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
C:\WINDOWS\system32\m0820aloedqc0.dll
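Added example, not from the thread: a Python script that parses a "Keys Under Notify" REGEDIT4 dump like the ones pasted above, decodes the hex(2) DllName values, and lists the notify packages whose DLL is not on an allowlist, which is the check the helpers in this thread do by eye. The allowlist and the embedded sample dump are constructed from this thread's logs and are assumptions, not an authoritative list.

```python
import re

# Winlogon\Notify DLLs that the logs in this thread treat as legitimate:
# Windows XP system packages plus the Symantec/Stardock/WindowBlinds ones.
# Assumption built from this thread, not a definitive list.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll",
    "navlogon.dll", "mcpstub.dll", "fastload.dll",
}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\"
                 "CurrentVersion\\Winlogon\\Notify\\")


def decode_reg_value(raw):
    """Turn the right-hand side of a REGEDIT4 line into a Python value.

    Handles the forms seen in the dumps: a quoted REG_SZ with .reg escaping
    (\\\\ and \\"), a hex(2) REG_EXPAND_SZ byte list, and dword:hex.
    """
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        # REGEDIT4 writes REG_EXPAND_SZ as ANSI bytes with a trailing NUL
        return data.decode("latin-1").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_notify_dump(text):
    """Return {subkey_name: {value_name: value}} for each Winlogon\\Notify subkey."""
    packages = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NOTIFY_PREFIX.lower()):
                current = key[len(NOTIFY_PREFIX):]
                packages[current] = {}
            else:
                current = None  # the parent Notify key or an unrelated key
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            packages[current][name.strip('"')] = decode_reg_value(raw)
    return packages


def suspicious_notify_packages(text):
    """List (subkey, dll_path) pairs whose DLL is not on the allowlist.

    A full path into system32 with an unknown, random-looking name is the
    pattern of the entries this thread ends up deleting.
    """
    findings = []
    for subkey, values in parse_notify_dump(text).items():
        dll = None
        for name, value in values.items():
            if name.lower() == "dllname":  # dumps use both DllName and DLLName
                dll = value
        if dll is None:
            continue
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in KNOWN_NOTIFY_DLLS:
            findings.append((subkey, dll))
    return findings


# Constructed sample in the format of the "Keys Under Notify" dumps above;
# a real .reg export doubles the backslashes inside quoted strings.
SAMPLE_DUMP = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnnq0155e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"DllName"="C:\\WINDOWS\\system32\\m0820aloedqc0.dll"
"""

if __name__ == "__main__":
    for subkey, dll in suspicious_notify_packages(SAMPLE_DUMP):
        print(f"review Notify\\{subkey}: {dll}")
```

Anything flagged still needs a human look, as the scanner's own warning says, because a third-party notify package not on the allowlist shows up the same way.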