spysheriff i cos jeszcze:(

**Posty:** 4 · przez **claustrum** 18 Lis 2005, 12:50

Prosze o pomoc

Kod: Zaznacz wszystko: Logfile of HijackThis v1.99.1 Scan saved at 11:31:05, on 2005-11-18 Platform: Windows 2003 SP1 (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\svchost.exe D:\=programy=\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\Program Files\D-Tools\daemon.exe c:\windows\system32\mdms.exe C:\WINDOWS\system32\paytime.exe C:\WINDOWS\tool2.exe c:\windows\adtech2005.exe C:\WINDOWS\system32\dumprep.exe D:\=programy=\Gadu-Gadu\gg.exe C:\winstall.exe C:\WINDOWS\system32\sysvcs.exe C:\WINDOWS\system32\paytime.exe C:\PROGRA~1\COMMON~1\zrfi\zrfim.exe C:\WINDOWS\tool2.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\Khjaiooe.exe C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe C:\PROGRA~1\COMMON~1\zrfi\zrfia.exe C:\Program Files\Internet Explorer\Iexplore.exe C:\Documents and Settings\Administrator\Desktop\HijackThis.exe C:\WINDOWS\explorer.exe C:\PROGRA~1\COMMON~1\zrfi\zrfil.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = dupa action O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [iTunesHelper] "D:\=programy=\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [KB] "C:\WINDOWS\KB\KBXPC.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe O4 - HKLM\..\Run: [adtech2005] c:\windows\adtech2005.exe O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKCU\..\Run: [Gadu-Gadu] "D:\=programy=\Gadu-Gadu\gg.exe" /tray O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe" O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe O4 - HKCU\..\Run: [zrfi] C:\PROGRA~1\COMMON~1\zrfi\zrfim.exe O4 - HKCU\..\Run: [klop] C:\WINDOWS\C2.tmp O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129046498206 O20 - Winlogon Notify: chk - C:\WINDOWS\SYSTEM32\chke.dll O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\r06ulaj91do.dll O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll O21 - SSODL: D0E0BIHB - {2ECE7A29-4518-267A-2037-6C0065920A48} - C:\WINDOWS\system32\Goeopl32.dll O21 - SSODL: mtklef - {F7B74DA3-4CE9-4BC5-EE87-76A81CFC788F} - C:\WINDOWS\system32\weqjri32.dll O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\adpjchjl.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[ Dodano: Dzisiaj o 12:39 ]
a oto objawy niedomogi ze strony pc:
1.cpu po ok 5minutach dziala na 100% i wiesza system
2. nawet w trybie awaryjnym wlanczają sie automatycznie strony internetowe i zapisują na pulpicie
3. co ok 30sec nastepuje restart pulpitu
4. wszystkie objawy wystąpily po zainstalowaniu cracka

lz0luf01.exe

**Posty:** 8694 · przez **Red** 18 Lis 2005, 15:49

wstapnie zajmieny sie hijackiem ,w trybie awaryjnym usuwasz:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] c:\windows\adtech2005.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [zrfi] C:\PROGRA~1\COMMON~1\zrfi\zrfim.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\C2.tmp
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll

to co masz pogrubione usuwasz recznie a reszte fixem w hijacku
po zabiegach dasz dwa logi :
z hijacka i z programu http://www.silentrunners.org/

syfem VX2 zajmiemy sie pozniej bo sie zakrecisz

ps
jesli bedzie problem z usunieciem tego co pogrubiłem to uzyj killboxa:
Uruchomić Pocket Killbox

http://www.bleepingcomputer.com/files/killbox.php

zaznaczyć Standard File fill + End explorer shell wkleic sciezki(to co ci pogrubilem) i na koniec zatwierdzasz X

**Posty:** 4 · przez **claustrum** 18 Lis 2005, 15:52

dzieki biore sie do pracy

**Posty:** 8694 · przez **Red** 18 Lis 2005, 15:55

czytaj co ci napisałem powyzej
dodatkowo jeszcze uzyj narzedzia http://securityresponse.symantec.com/avcenter/UnHookExec.inf
Po ściągnięciu pliku UnHookExec.inf na dysk należy kliknąć na niego prawym i wybrać opcję Instaluj.Zadanie samo sie wykona i odblokujesz exeki

I wykonaj wstepnie to co ci napisałem powyzej >>>dokladnie

**Posty:** 4 · przez **claustrum** 18 Lis 2005, 16:40

Zniecierpliwiony oczekując pomocy usunąlem wszystko co dalo sie usunąć hijackiem..
Za pomocą KILLBOXA usunąlem wszystko pogrubione poza

Kod: Zaznacz wszystko: c:\windows\system32\mdms.exe

ktory jest oporny na wszelkie moje starania

A oto logi

Kod: Zaznacz wszystko: Logfile of HijackThis v1.99.1 Scan saved at 15:25:31, on 2005-11-18 Platform: Windows 2003 SP1 (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\System32\svchost.exe c:\windows\system32\mdms.exe C:\WINDOWS\system32\dumprep.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\dwwin.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\WINDOWS\explorer.exe C:\Documents and Settings\Administrator\Desktop\HijackThis.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\guard.tmp (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

a to z silenta

Kod: Zaznacz wszystko: "Silent Runners.vbs", revision 41, http://www.silentrunners.org/ Operating System: Windows Server 2003 (interpreted as Windows XP) Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Steam" = (empty string) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] "SysMemory manager" = "c:\windows\system32\mdms.exe" [MS] "UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "hticons.dll" [file not found] "{4648F940-EFE3-4BAB-9211-3BE45CD5029D}" = "VSSShellExt" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\vssui.dll" [MS] "{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension" -> {CLSID}\InProcServer32\(Default) = "D:\=programy=\7-Zip\7-zipn.dll" ["Igor Pavlov"] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {CLSID}\InProcServer32\(Default) = "D:\=programy=\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org1.1.5\program\shlxthdl.dll" ["Sun Microsystems, Inc."] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS] "{5E2121EE-0300-11D4-8D3B-444553540000}" = "st" -> {CLSID}\InProcServer32\(Default) = "c:\windows\system32\winacpi.dll" [null data] "{9B9FDAA3-9140-4671-BA81-0BAC07E5D2C6}" = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\guard.tmp" [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! App Management\DLLName = "C:\WINDOWS\system32\guard.tmp" [file not found] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {CLSID}\InProcServer32\(Default) = "D:\=programy=\7-Zip\7-zipn.dll" ["Igor Pavlov"] sysacpildap\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}" -> {CLSID}\InProcServer32\(Default) = "c:\windows\system32\winacpi.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {CLSID}\InProcServer32\(Default) = "D:\=programy=\7-Zip\7-zipn.dll" ["Igor Pavlov"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 11 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Application Experience Lookup Service, AeLookupSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\aelupsvc.dll" [MS]} NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"] VNC Server Version 4, WinVNC4, ""C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service" ["RealVNC Ltd."] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 108 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 31 seconds. ---------- (total run time: 193 seconds)

zablokowalem active desktop poprzez stworzenie fixa

jedyny problem ktory zauwazylem po dzialaniach naprawczych;) to restart pulpitu co 5 sec wiec ciezko operowac w jakimkolwiek programie

[ Dodano: Dzisiaj o 15:46 ]
unhookexec.inf juz zainstalowany

czekam na dalsze wskazowki:)

**Posty:** 8694 · przez **Red** 18 Lis 2005, 17:04

1.
odpalasz Killboxa zaznacz opcję Delete on Reboot następnie w polu Full Path of File to Delete wklej scieżke:
C:\WINDOWS\system32\guard.tmp
następnie program będzie pytał o restart-potwierdzasz
2.
i pozostaje jeszcze :c:\windows\system32\mdms.exe >>>i jego konsekwencje

Zrobisz tak:
Otwórz Notatnik i wklej(przekopiuj) w nim 1-1:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysMemory manager"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5E2121EE-0300-11D4-8D3B-444553540000}"=-

[-HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\sysacpildap]

[-HKEY_CURRENT_USER\Software\mzs]

[-HKEY_CLASSES_ROOT\acpi.acpi.1]

[-HKEY_CLASSES_ROOT\acpi.ext]

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG.
dalsze działanie:
odpalasz Killboxa zaznacz opcję Delete on Reboot następnie w polu Full Path of File to Delete wklej scieżke:
C:\WINDOWS\System32\winacpi.dll
zatwierdzasz x i restart

ponownie startujesz do trybu awaryjnego i klikasz podwójnie plik FIX.REG
jesli bedzie jeszcze w logu :
C:\WINDOWS\system32\mdms.exe>>>>to wkleisz go do killboxa i wykonasz to co zawsze sie robi killboxem
wracasz po wszystkim z logami szt.2

**Posty:** 4 · przez **claustrum** 18 Lis 2005, 17:08

Ok wielkie dzieki:)

spysheriff i cos jeszcze:(

spysheriff i cos jeszcze:(

Kto jest na forum