

Log from HijackThis


oleq_30
Level 21


Joined: 17 Jan 2005
Posts: 1445
Location: Nysa

Post#1 Post from the author of the topic 22 May 2005 19:27   

Log from HijackThis


Hi,
could someone with expertise assess whether this one is OK?


Logfile of HijackThis v1.99.1
Scan saved at 19:58:54, on 2005-05-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Perl\bin\Tunel.exe
C:\uzytki\mIRCpl\mirc.exe
C:\WINDOWS\system32\cmd.exe
C:\Perl\bin\perl.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\programy\ad-aware\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\uzytki\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115761996448
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F2B3FD9-2ECF-41AB-9C1C-8A8B2A1CC461}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


Thanks in advance
jankolo
Level 26


Joined: 10 Jan 2005
Posts: 28258
Location: Łódź

Post#2 22 May 2005 19:32 (helpful post - solution)

Re: Log from HijackThis


Clean, in my opinion.
BENO99
Level 19


Joined: 29 Oct 2003
Posts: 741
Location: Kościerzyna

Post#3 22 May 2005 21:42   

Re: Log from HijackThis


Hello.
Anyone can use this:
http://www.hijackthis.de/en
childmaker
Level 22


Joined: 16 Oct 2004
Posts: 2273

Post#4 22 May 2005 22:32 (helpful post - solution)

Re: Log from HijackThis


BENO99 wrote:
Hello.
Anyone can use this:
http://www.hijackthis.de/en

If you say so, then paste this there - C:\Documents and Settings\fx\Pulpit\EdtPadPL\EdtPadPL\EditPad.exe, see what they "suggest" to you ;), and then download EdtPadPL.zip (Edit Pad PL - a small text editor with somewhat more features than the standard Windows Notepad), run it and launch HijackThis.
What do you say to that??? :P
kRiS001
Level 11


Joined: 02 May 2004
Posts: 70
Location: Zakopane

Post#5 26 May 2005 00:21   

Re: Log from HijackThis


Hello everyone,
I'll join this topic so as not to clutter the forum....

Logfile of HijackThis v1.99.1
Scan saved at 00:16:53, on 2005-05-26
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\PULPIT\PROCEXP.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WANADOO\PROFIL1\MY SKYPE RECEIVED FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = cza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\svhost.exe
O2 - BHO: (no name) - {C92B1C5D-9074-4ACE-8FF1-501F79B5117B} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL (file missing)
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\PYNIX.DLL (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL (file missing)
O2 - BHO: (no name) - {DB420ECA-9ECB-45C7-923A-A099A9AE50EF} - C:\WINDOWS\SYSTEM\FCJO.DLL (file missing)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL
O4 - HKLM\..\Run: [Windows Millennium Edition Intro Video] C:\WINDOWS\Applic~1\Micros~1\Intro\content.hta
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [CMS16 CDROM FixLoader] CMSFIXLD.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [hwbrio] c:\windows\system\hwbrio.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [gxun] C:\WINDOWS\gxun.exe
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Media Pass] C:\PROGRAM FILES\MEDIA PASS\MediaPassK.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\SYSTEM\WMPLAYER.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [FNATEbBGf] C:\WINDOWS\KRQOOHES.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [wlexufyl] C:\WINDOWS\wlexufyl.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
O4 - HKLM\..\RunServices: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunOnce: [271718403] C:\WINDOWS\TEMP\108AEC7F.EXE delete
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [System backup] C:\WINDOWS\SYSTEM\WMPLAYER.EXE
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpywareNo] C:\PROGRAM FILES\SPYWARENO\SpywareNo.exe
O4 - HKCU\..\Run: [Rcib] C:\WINDOWS\Dane aplikacji\alru.exe
O4 - HKCU\..\Run: [Pduyfl] \uosdparq.exe
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU\..\RunServices: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [System backup] C:\WINDOWS\SYSTEM\WMPLAYER.EXE
O4 - HKCU\..\RunServices: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunServices: [SpywareNo] C:\PROGRAM FILES\SPYWARENO\SpywareNo.exe
O4 - HKCU\..\RunServices: [Rcib] C:\WINDOWS\Dane aplikacji\alru.exe
O4 - HKCU\..\RunServices: [Pduyfl] \uosdparq.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL (file missing)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxx.mht!http://www.kazaalite.pl/stats/xaw.chm::/bridge-c18.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O16 - DPF: {118DB0A0-6D82-4309-D1FA-6F5E259E71A8} - http://67.19.178.86/1/rdgPL1742.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=3548
O16 - DPF: {2D1E56DB-A977-727E-D421-0D1764832802} - http://67.19.178.86/1/rdgPL1742.exe
O18 - Filter: text/html - {FEF85193-58BB-4239-BFA7-1B6019C5900E} - C:\WINDOWS\SYSTEM\FCJO.DLL
O18 - Filter: text/plain - {FEF85193-58BB-4239-BFA7-1B6019C5900E} - C:\WINDOWS\SYSTEM\FCJO.DLL
O21 - SSODL: nGvkNqF - {10321804-BA98-B2AE-E39F-BB4851AF0ED4} - C:\WINDOWS\SYSTEM\LZH.DLL

Removing these one by one in HijackThis and with programs (Spyware Nuker, Spy Sweeper, Doctor Spyware, Ad-Aware etc.) is effective only until the first connection to the net.... a few minutes and everything comes back.
System Restore is disabled.
Explorer.exe and Telnet.exe are infected with the trojan Admincash.B (antivirus programs detect it but nothing beyond that).

Where do I start here?
Paweł_swobodny
Level 17


Joined: 11 Oct 2004
Posts: 442

Post#6 26 May 2005 00:35   

Re: Log from HijackThis


I'm not much good at this stuff, but once I managed to get rid of some such rubbish. I also had the situation where the antivirus found a trojan and removed it, but after a reboot the trojan was back again. So I did it like this:
I scanned the computer, removed the trojan and did a reset, but on the way I went into the BIOS and pushed the calendar a month forward. After starting the computer I began browsing all files and folders used in the last one day. And then I found two folders - in the browser, with names like K5REV54. I deleted them and all registry entries that referred to those folders. It helped, but Windows lost some speed. I sent those folders to MKS and they confirmed that it really was some rubbish.
Kolobos
Level 26


Joined: 13 Jun 2003
Posts: 26220
Location: Warszawa

Post#7 26 May 2005 02:12   

Re: Log from HijackThis


:arrow: kRiS001
How can you make such a mess for yourself? Do you click on everything you see on web pages? On top of that you install everything that comes along.

Download this:
http://www.derbilk.de/SpSeHjfix109.zip

In Add/Remove Programs uninstall all those Media Access, toolbars and other "Search" things, SideFind etc.


In HijackThis delete these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = cza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\svhost.exe
O2 - BHO: (no name) - {C92B1C5D-9074-4ACE-8FF1-501F79B5117B} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL (file missing)
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\PYNIX.DLL (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL (file missing)
O2 - BHO: (no name) - {DB420ECA-9ECB-45C7-923A-A099A9AE50EF} - C:\WINDOWS\SYSTEM\FCJO.DLL (file missing)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL
O4 - HKLM\..\Run: [Windows Millennium Edition Intro Video] C:\WINDOWS\Applic~1\Micros~1\Intro\content.hta

I don't know this one; if you didn't install it yourself, check it as well:
O4 - HKLM\..\Run: [CMS16 CDROM FixLoader] CMSFIXLD.EXE

O4 - HKLM\..\Run: [hwbrio] c:\windows\system\hwbrio.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [gxun] C:\WINDOWS\gxun.exe
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Media Pass] C:\PROGRAM FILES\MEDIA PASS\MediaPassK.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\SYSTEM\WMPLAYER.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [FNATEbBGf] C:\WINDOWS\KRQOOHES.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [wlexufyl] C:\WINDOWS\wlexufyl.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunOnce: [271718403] C:\WINDOWS\TEMP\108AEC7F.EXE delete

O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [System backup] C:\WINDOWS\SYSTEM\WMPLAYER.EXE
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpywareNo] C:\PROGRAM FILES\SPYWARENO\SpywareNo.exe
O4 - HKCU\..\Run: [Rcib] C:\WINDOWS\Dane aplikacji\alru.exe
O4 - HKCU\..\Run: [Pduyfl] \uosdparq.exe
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [System backup] C:\WINDOWS\SYSTEM\WMPLAYER.EXE
O4 - HKCU\..\RunServices: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunServices: [SpywareNo] C:\PROGRAM FILES\SPYWARENO\SpywareNo.exe
O4 - HKCU\..\RunServices: [Rcib] C:\WINDOWS\Dane aplikacji\alru.exe
O4 - HKCU\..\RunServices: [Pduyfl] \uosdparq.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL (file missing)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxx.mht!http://www.kazaalite.pl/stats/xaw.chm::/bridge-c18.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O16 - DPF: {118DB0A0-6D82-4309-D1FA-6F5E259E71A8} - http://67.19.178.86/1/rdgPL1742.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=3548
O16 - DPF: {2D1E56DB-A977-727E-D421-0D1764832802} - http://67.19.178.86/1/rdgPL1742.exe
O18 - Filter: text/html - {FEF85193-58BB-4239-BFA7-1B6019C5900E} - C:\WINDOWS\SYSTEM\FCJO.DLL
O18 - Filter: text/plain - {FEF85193-58BB-4239-BFA7-1B6019C5900E} - C:\WINDOWS\SYSTEM\FCJO.DLL
O21 - SSODL: nGvkNqF - {10321804-BA98-B2AE-E39F-BB4851AF0ED4} - C:\WINDOWS\SYSTEM\LZH.DLL

Then Fix Checked, and next download KillBox:
http://www.downloads.subratam.org/KillBox.zip
check Delete file on reboot and add to KillBox all the exe and dll files I listed; after adding, don't reboot, do that only once you've added everything.


Also scan with these:
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.windowsecurity.com/trojanscan/
http://www.pandasoftware.com/activescan/pol/activescan_principal.htm

And install these:
http://www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D -> scan and enable browser protection
http://www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster -> enable browser protection
http://www.wilderssecurity.net/spywareguard.html <- SpywareGuard

Once you've done all of that, paste a new HijackThis log.



They should ban you from using a computer connected to the internet ;-)
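A log-triage script that applies, by program, the structural signals Kolobos reads by eye in the log above (Trusted Zone additions, MIME filters, ActiveX downloads from raw IPs or ms-its: URLs, search hooks pointing at TEMP, autostarts from odd locations, orphaned entries). This is an added example, not code from the thread, from HijackThis or from any tool linked here; its sample log, CLSIDs, IP address and domains are constructed.

```python
"""Triage helper for HijackThis-style log lines.  Added example, not code from
HijackThis, the thread, or any tool linked in it.  It applies by program the
structural signals the helpers in this thread read by eye: Trusted Zone changes
(O15), MIME filters (O18), ActiveX from raw IPs or ms-its: URLs (O16), search
hooks to TEMP/about:blank (R0/R1), win.ini autostarts (F1), odd O4 Run paths."""
import re
from typing import List, Tuple

# Section prefix, e.g. "O4" from "O4 - HKLM\..\Run: [name] command"
_PREFIX = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
_HOST = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)  # host of a URL
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")            # dotted literal


def _run_target(rest: str) -> str:
    """Command after "[name] " in an O4 entry, unquoted and lower-cased."""
    m = re.search(r"\]\s*(.*)$", rest)
    return m.group(1).strip().strip('"').lower() if m else ""


def classify(line: str) -> List[str]:
    """Reasons one log line deserves review.  An empty list only means no
    cheap structural signal fired, not that the entry is known-good."""
    m = _PREFIX.match(line.strip())
    if not m:
        return []
    section, rest = m.group(1), m.group(2)
    low = rest.lower()
    reasons: List[str] = []

    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned entry, target file is gone")
    if section in ("R0", "R1", "R3"):
        if "about:blank" in low or "\\temp\\" in low or "res://" in low:
            reasons.append("IE search/start page hijacked")
    elif section == "F1" and "run=" in low:
        reasons.append("win.ini run= autostart (legacy persistence)")
    elif section == "O4":
        target = _run_target(rest)
        if "\\temp\\" in target:
            reasons.append("autostart loading from TEMP")
        elif target.startswith("\\"):
            reasons.append("autostart with a bare, driveless path")
        elif re.match(r"^[a-z]:\\[^\\]+\.exe", target):
            reasons.append("autostart executable in the drive root")
    elif section == "O15":
        reasons.append("Trusted Zone / Trusted IP / ProtocolDefaults change")
    elif section == "O16":
        host = _HOST.search(rest)
        if "ms-its:" in low:
            reasons.append("ActiveX download via an ms-its: URL")
        elif host and _IPV4.match(host.group(1)):
            reasons.append("ActiveX download from a raw IP address")
    elif section == "O18" and ("text/html" in low or "text/plain" in low):
        reasons.append("MIME filter on text/html or text/plain")
    elif section == "O21":
        reasons.append("SSODL entry (rarely legitimate)")
    return reasons


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Run classify() over a whole log; one (section, reason, line) per hit."""
    out: List[Tuple[str, str, str]] = []
    for raw in log.splitlines():
        for reason in classify(raw):
            out.append((raw.split()[0], reason, raw.strip()))
    return out


# Constructed sample modelled on the logs in this thread (placeholder CLSIDs,
# documentation IP 192.0.2.10 and .test domains; not real indicators).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
F1 - win.ini: run=C:\WINDOWS\SYSTEM\svhost.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\SYSTEM\FCJO.DLL (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Pduyfl] \uosdparq.exe
O15 - Trusted Zone: *.adware-example.test
O16 - DPF: {00000000-0000-0000-0000-000000000002} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/wuweb_site.cab
O16 - DPF: {00000000-0000-0000-0000-000000000003} - http://192.0.2.10/1/dropper.exe
O16 - DPF: {00000000-0000-0000-0000-000000000004} - ms-its:mhtml:file://c:\x.mht!http://example.test/a.chm::/b.cab
O18 - Filter: text/html - {00000000-0000-0000-0000-000000000005} - C:\WINDOWS\SYSTEM\FCJO.DLL
O21 - SSODL: nGvkNqF - {00000000-0000-0000-0000-000000000006} - C:\WINDOWS\SYSTEM\LZH.DLL
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

Entries that fire no signal (the avast! Run key, the Windows Update ActiveX control) are left alone, which is the same "know the legitimate ones, flag the rest" judgement the helpers apply.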
oleq_30
Level 21


Joined: 17 Jan 2005
Posts: 1445
Location: Nysa

Post#8 Post from the author of the topic 26 May 2005 11:40   

Log from HijackThis


I wonder how long his computer took to boot with "resources" like those? :)
kRiS001
Level 11


Joined: 02 May 2004
Posts: 70
Location: Zakopane

Post#9 26 May 2005 16:09   

Re: Log from HijackThis


Hello everyone once again.
This time there will be no HijackThis log...

Explorer: Ten program wymaga wiecej pamieci konwencjonalnej. Usuń sterowniki lub programy rezydentne pamieci konwencjonalnej lub zwieksz wartosc pamieci konwencjonalnej w oknie własciwisci programów na karcie pamieci.

This message started appearing after using SpSeHjfix.... only the wallpaper is left on the desktop.. no icons, no taskbar, in both normal and safe mode...

Can anything still be done about this?

PS. The question of how one can make such a mess I'll leave unanswered, because it's not my computer.... girls can do anything :wink:
Kolobos
Level 26


Joined: 13 Jun 2003
Posts: 26220
Location: Warszawa

Post#10 26 May 2005 16:15   

Log from HijackThis


It's definitely not because of that program, but because explorer was infected.
Copy it over from the installation CD, and also check whether system.ini has the entry shell=explorer.exe in the [boot] section.
kRiS001
Level 11


Joined: 02 May 2004
Posts: 70
Location: Zakopane

Post#11 26 May 2005 16:26   

Re: Log from HijackThis


I can't check, because I don't have access to the files on the disk... (the system installation files are on the hard drive, and I don't have any CD to boot DOS from) and the startup options don't offer booting into plain DOS.....
childmaker
Level 22


Joined: 16 Oct 2004
Posts: 2273

Post#12 26 May 2005 17:39 (helpful post - solution)

Re: Log from HijackThis


Admittedly SpSeHjfix on Me is still a beta, but sometimes the changes the vermin make to the system are so extensive that there is no chance of an automatic repair, hence your problems. Connect the disk to another computer and replace the Explorer.exe file.
kRiS001
Level 11


Joined: 02 May 2004
Posts: 70
Location: Zakopane

Post#13 27 May 2005 17:13   

Re: Log from HijackThis


Kolobos, childmaker, thanks for trying to help.... unfortunately only format c: helped in the end.... the system fell apart.
oleq_30
Level 21


Joined: 17 Jan 2005
Posts: 1445
Location: Nysa

Post#14 Post from the author of the topic 12 Nov 2005 17:48   

Log from HijackThis


I consider the topic closed; thank you all for your replies.