Wirusy częśc 2

[konan12]

Siema . Już wczoraj pisałem posta na taki sam temat ale nie wiele to pomogło . A więc tak, mam programy zabezpieczające takie : Nod 32 .. ZoneAlarm Free .. Ad-Aware SE Personal . hijackthis mam następujący


Logfile of HijackThis v1.99.1
Scan saved at 14:50:23, on 2006-11-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32oneLabsvsmon.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:Program FilesEset
od32krn.exe
C:WINDOWSExplorer.EXE
C:Program FilesJavajre1.5.0_07injusched.exe
C:Program FilesWinampwinampa.exe
C:
wnmff_e57.exe
C:Program FilesAd MuncherAdMunch.exe
C:Program Filesone LabsoneAlarmzlclient.exe
C:Program FilesEset
od32kui.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesGadu-Gadugg.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesWinRARWinRAR.exe
C:DOCUME~1Pierug2USTAWI~1TempRar$EX00.422HijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.yourstartingpage.com
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM..Run: [keyboard] C:\kybrdff_e70.exe
O4 - HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavajre1.5.0_07injusched.exe
O4 - HKLM..Run: [BearShare] "C:Program FilesBearShareBearShare.exe" /pause
O4 - HKLM..Run: [BearFlix] "C:Program FilesBearFlixBearFlix.exe" /pause
O4 - HKLM..Run: [outlook] C:Program Filesoutlookoutlook.exe /auto
O4 - HKLM..Run: [WinampAgent] C:Program FilesWinampwinampa.exe
O4 - HKLM..Run: [ISUSPM Startup] C:PROGRA~1COMMON~1INSTAL~1UPDATE~1ISUSPM.exe -startup
O4 - HKLM..Run: [newname] C:\nwnmff_e57.exe
O4 - HKLM..Run: [PCSuiteTrayApplication] C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE -startup
O4 - HKLM..Run: [Ad Muncher] C:Program FilesAd MuncherAdMunch.exe /bt
O4 - HKLM..Run: [Zone Labs Client] "C:Program Filesone LabsoneAlarmzlclient.exe"
O4 - HKLM..Run: [nod32kui] "C:Program FilesEset
od32kui.exe" /WAITSERVICE
O4 - HKLM..RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [ADS] C:WindowsADS.exe
O4 - HKCU..Run: [Start First] C:DOCUME~1Pierug2DANEAP~1LITESC~1Soft Heart.exe
O4 - HKCU..Run: [Gadu-Gadu] "C:Program FilesGadu-Gadugg.exe" /tray
O4 - Startup: Adobe Gamma.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_b ... u_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_b ... u_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_b ... nu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_b ... ie_exclude
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_b ... _ie_report
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_07inssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_07inssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O17 - HKLMSystemCCSServicesTcpip..{08342847-52CD-431E-BDF1-443146FB7C8C}: NameServer = 194.204.152.34,194.204.159.1
O17 - HKLMSystemCS1ServicesTcpip..{08342847-52CD-431E-BDF1-443146FB7C8C}: NameServer = 194.204.152.34,194.204.159.1
O17 - HKLMSystemCS2ServicesTcpip..{08342847-52CD-431E-BDF1-443146FB7C8C}: NameServer = 194.204.152.34,194.204.159.1
O17 - HKLMSystemCS3ServicesTcpip..{08342847-52CD-431E-BDF1-443146FB7C8C}: NameServer = 194.204.152.34,194.204.159.1
O20 - AppInit_DLLs: smss.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver1050Intel 32IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:Program FilesEset
od32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:Program FilesCommon FilesPCSuiteServicesServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:WINDOWSsystem32oneLabsvsmon.exe


Najgorsze wirusy : te co reklamy pokazują i takie co jak włanczam kompa to sie włacza a pisze ze sie nazwa tak roject1

I co z tym zrobić . opisze jakoś dokładnie bo ja sie za bardzo na tym nie znam

[pp3088]

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.yourstartingpage.com
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM..RunServices: [p2p networking] p2pnetworking.exe
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_b ... u_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_b ... u_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_b ... nu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_b ... ie_exclude
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_b ... _ie_report
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O20 - AppInit_DLLs: smss.dll
O4 - HKLM.nServices: [p2p networking] p2pnetworking.exe
RuO4 - HKLM..Run: [Ad Muncher] C:Program FilesAd MuncherAdMunch.exe /bt
O4 - HKLM..Run: [newname] C:
wnmff_e57.exe
O4 - HKLM..Run: [keyboard] C:kybrdff_e70.exe

Użyj unlockera i skasuj te szity(prawy przycisk myszy->wyberasz unlocker->opcja skasuj->uwolnij wszystko.

Poproszę o loga z L2Mfix i Silent Runners.
https://www.instalki.pl/download/programy/windows/narzedzia/narzedzia-dyskowe/unlocker/

[konan12]

L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify]

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycrypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001