wirus który włącza w nieskończoność internet explorer 6
jak usunąć wirusa, który w nieskończoność uruchamia kolejne okna internet explorer 6?
wirus działa tak: pracuję sobie na komputerze a tu nagle zaczynają się otwierać kolejne okna ie6 (różnymi adresami www)
skanowałem komputer antywirusem NOD32 (z aktualną bazą wirusów) i nic nie wykrył
może da się usunąć jakoś ten wirus ręcznie?
Odpowiedzi: 6
To nie wszystko:
Wklej do [b]Notatnika[/b]:
[CODE]
File::
C:\WINDOWS\system32\nmllm.bak2
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C90F55-57D4-48DC-AA3D-6482214CACD2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40205287-E793-41AC-B95C-D8D064BA33CA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95366A5D-D866-4FF7-8B24-604F254DAE97}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjiig]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Time]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble][/code]
[b]>>Plik>>Zapisz jako... >>> [color=red]CFScript[/color][/b] (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka [b]CFScript.txt[/b] znalazła się obok ikonki [b]ComboFix.exe[/b])
Przeciągnij i upuść plik [color=red][b]CFScript.txt[/b][/color] na plik [b]ComboFix.exe[/b] (czyli ikonkę [b]CFScript.txt[/b] na ikonkę [b]ComboFix.exe[/b])
– podobnie jak na tym obrazku [b][color=blue]-->[/color][/b][img]http://img.wklej.org/images/88953CFScript-createdbyMiekiemoes.gif[/img]
(jeśli pojawi się pytanie "[b]1 or 2[/b]" - to wpisz [b]1[/b] i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)
[b]Po restarcie[/b] usuń ręcznie folder [b]C: \[color=red]Qoobox[/color][/b].
Ten log z ComboFixa wklej na [url=http://wklej.org/][b][color=blue][u]http://wklej.org/[/u][/color][/b][/url], a w poście daj tylko link.(czyli skopiuj adres z paska adresów).
.
Co do C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe nie jestem pewny, nie powinien się znajdować w tym katalogu.
fixuj w hyjacku te
[quote]O2 - BHO: (no name) - {10C90F55-57D4-48DC-AA3D-6482214CACD2} - C:\WINDOWS\system32\gfkpitbr.dll (file missing)
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\system32\mscfg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {95366A5D-D866-4FF7-8B24-604F254DAE97} - C:\WINDOWS\system32\mllmn.dll (file missing)
O20 - Winlogon Notify: mljjiig - mljjiig.dll (file missing)
O20 - Winlogon Notify: mllmn - C:\WINDOWS\system32\mllmn.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)[/quote]
i podaj log .
HiJack
[quote]Logfile of HijackThis v1.99.1
Scan saved at 18:14:35, on 2007-10-08
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\English Translator 3\HandyDict.exe
C:\Program Files\TC PowerPack\totalcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiRootKits\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10C90F55-57D4-48DC-AA3D-6482214CACD2} - C:\WINDOWS\system32\gfkpitbr.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\system32\mscfg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {95366A5D-D866-4FF7-8B24-604F254DAE97} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] "C:\Acer\ePM\ePM.exe" boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [pdfFactory Dyspozytor v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Skrót do HandyDict.lnk = C:\Program Files\English Translator 3\HandyDict.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://sygnet
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://localhost/SOSWeb/sos/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130014574468
O17 - HKLM\System\CCS\Services\Tcpip\..\{35BFA7AF-1015-41CF-80FD-74630EF0D3A6}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljjiig - mljjiig.dll (file missing)
O20 - Winlogon Notify: mllmn - C:\WINDOWS\system32\mllmn.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDB1 - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
[/quote]
ComboFix
[quote]ComboFix 07-10-07.2 - kicaj 2007-10-08 17:47:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.435 [GMT 2:00]
Running from: C:\Documents and Settings\kicaj\Pulpit\ComboFix.exe
.
[i] ADS - system32: deleted 12 bytes in 1 streams. [/i]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\inetget2
C:\Program Files\WinAble
C:\Program Files\WinAble\UnInstall.exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
G:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.
2007-10-08 17:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 16:59 339,527 ---hs---- C:\WINDOWS\system32\nmllm.bak2
2007-10-08 00:06 d-------- C:\Program Files\AntiRootKits
2007-10-07 23:51 d-------- C:\VundoFix Backups
2007-10-06 16:51 2,904 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-06 16:51 d-------- C:\WINDOWS\system32\AdCache
2007-10-06 16:00 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-10-01 14:45 d-------- C:\Documents and Settings\jkowalski\Dane aplikacji\Gadu-Gadu
2007-10-01 10:46 212 --a------ C:\WINDOWS\ildasmfnt.bin
2007-09-30 12:36 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-30 12:36 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-09-30 12:36 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-30 11:51 d-------- C:\Documents and Settings\kicaj\Dane aplikacji\Ethereal
2007-09-30 11:35 d-------- C:\Program Files\WinPcap
2007-09-30 11:34 d-------- C:\Program Files\Ethereal
2007-09-30 10:20 d-------- C:\Documents and Settings\kicaj\Contacts
2007-09-30 10:18 d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-21 18:49 d-------- C:\Program Files\Common Files\Autodata Limited Shared
2007-09-20 18:47 d-------- C:\Documents and Settings\kicaj\Dane aplikacji\MSN6
2007-09-19 23:48 d-------- C:\Program Files\Lavalys
2007-09-12 20:51 d-------- C:\Program Files\MagicISO
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-30 11:56 --------- d-------- C:\Program Files\Common Files\Panda Software
2007-09-30 10:18 --------- d-------- C:\Program Files\MSN Messenger
2007-09-28 20:20 --------- d-------- C:\Program Files\Gadu-Gadu
2007-09-28 20:20 --------- d-------- C:\Program Files\FlashGet
2007-09-28 20:20 --------- d-------- C:\Program Files\English Translator 3
2007-09-19 23:39 --------- d-------- C:\Program Files\Wanadoo
2007-09-13 20:26 --------- d-------- C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2007-09-12 21:02 --------- d-------- C:\Program Files\CommViewWiFi
2007-09-07 20:28 96 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2007-08-29 17:50 --------- d-------- C:\Documents and Settings\kicaj\Dane aplikacji\Gadu-Gadu
2007-08-25 09:32 23 --a------ C:\WINDOWS\system32\drivers\adidsl.cfg
2007-08-25 09:32 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 09:32 --------- d-------- C:\Program Files\SAGEM
2007-08-24 19:48 --------- d-------- C:\Program Files\Privoxy
2007-08-24 19:47 --------- d-------- C:\Program Files\SYGNITY
2007-08-16 17:47 --------- d-------- C:\Program Files\MSXML 6.0
2007-08-15 13:45 --------- d-------- C:\Program Files\png2ico
2007-08-13 17:55 --------- d-------- C:\Program Files\Western Digital Technologies
2007-08-12 13:02 --------- d-------- C:\Program Files\Rocznik Ekspert 2002-2007
2007-08-12 12:43 --------- d-------- C:\Program Files\The KMPlayer
2007-08-12 12:11 --------- d-------- C:\Documents and Settings\kicaj\Dane aplikacji\Apple Computer
2007-08-09 12:11 --------- d-------- C:\Program Files\IrfanView
2007-08-09 12:00 --------- d-------- C:\Documents and Settings\kicaj\Dane aplikacji\ACD Systems
2007-08-09 11:59 --------- d-------- C:\Program Files\Common Files\ACD Systems
2007-08-09 11:59 --------- d-------- C:\Program Files\ACD Systems
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C90F55-57D4-48DC-AA3D-6482214CACD2}]
C:\WINDOWS\system32\gfkpitbr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40205287-E793-41AC-B95C-D8D064BA33CA}]
C:\WINDOWS\system32\mscfg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95366A5D-D866-4FF7-8B24-604F254DAE97}]
C:\WINDOWS\system32\mllmn.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-02 08:37]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-02 08:19]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 07:38 C:\WINDOWS\AGRSMMSG.exe]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-12-21 12:41]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-12-08 14:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"pdfFactory Dyspozytor v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-01-29 19:07]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-26 21:56]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-30 12:35]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
C:\Documents and Settings\All Users\Menu Start\Programy\AutostartMicrosoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]
Skr˘t do HandyDict.lnk - C:\Program Files\English Translator 3\HandyDict.exe [2002-09-23 22:20:40]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjiig]
mljjiig.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmn]
C:\WINDOWS\system32\mllmn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk
backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Privoxy.lnk
backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jkowalski^Menu Start^Programy^Autostart^Mp3tag Quick Pick.lnk]
path=C:\Documents and Settings\jkowalski\Menu Start\Programy\Autostart\Mp3tag Quick Pick.lnk
backup=C:\WINDOWS\pss\Mp3tag Quick Pick.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^jkowalski^Menu Start^Programy^Autostart^Skrót do mygate.lnk]
path=C:\Documents and Settings\jkowalski\Menu Start\Programy\Autostart\Skrót do mygate.lnk
backup=C:\WINDOWS\pss\Skrót do mygate.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^kicaj^Menu Start^Programy^Autostart^BitComet Acceleration Patch.lnk]
path=C:\Documents and Settings\kicaj\Menu Start\Programy\Autostart\BitComet Acceleration Patch.lnk
backup=C:\WINDOWS\pss\BitComet Acceleration Patch.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDonkey2000]
"C:\Program Files\eDonkey2000\edonkey2000.exe" -t
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
C:\Program Files\Browser MOUSE\mouse32a.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
"C:\Program Files\Gadu-Gadu\gg.exe" /tray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
"C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\msnappau.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyWay]
C:\Program Files\ProxyWay\proxyway.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000520.exe 61A847B5BBF72813329B385370F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Time]
C:\Windows\smssasasd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
"C:\Program Files\WeatherCast\Weather.exe" /q
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp3\winampa.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH]
C:\PROGRA~1\Wanadoo\Watch.exe
R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
S3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\NSNDIS5.SYS
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;C:\oracle\ora92\BIN\ENCSVC.EXE
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;C:\oracle\ora92\BIN\AGNTSVC.EXE
S3 OracleServiceDB1;OracleServiceDB1;c:\oracle\ora92\bin\ORACLE.EXE DB1
S3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
S3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80
S4 OracleOraHome92Agent;OracleOraHome92Agent;C:\oracle\ora92\bin\agntsrvc.exe
S4 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice
S4 OracleServiceDB;OracleServiceDB;c:\oracle\ora92\bin\ORACLE.EXE DB
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 17:58:05
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-10-08 18:01:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 18:00
.
--- E O F ---
[/quote]
Ściągnij VundoFix - [url]http://www.atribune.org/ccount/click.php?id=4[/url] uruchom go i Scan for Vundo potem Remove Vundo - zrób kilka razy aż do momentu kiedy Scan for Vundo nic nie zwróci.
Po robocie logi Hijack This i ComboFix - [url]http://cybertrash.pl/images/tata/ComboFix.html[/url] bo pewnie jakies resztki zostaną do usunięcia.
HIjack
[quote]
Logfile of HijackThis v1.99.1
Scan saved at 18:15:40, on 2007-10-06
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\English Translator 3\HandyDict.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] "C:\Acer\ePM\ePM.exe" boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [pdfFactory Dyspozytor v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\mukfpbrr.dll",sitypnow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Skrót do HandyDict.lnk = C:\Program Files\English Translator 3\HandyDict.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://sygnet
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://localhost/SOSWeb/sos/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130014574468
O17 - HKLM\System\CCS\Services\Tcpip\..\{35BFA7AF-1015-41CF-80FD-74630EF0D3A6}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDB1 - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
[/quote]
Pokaz logi - HIjack This, Silent Runners i ComboFix.
Strona 1 / 1