Analiza logu HiJackThis - zainfekowany Windows 98 SE

Witam, mam zainfekowany system i mam log z HiJackThis czy ktoś mi powie co tu jest szkodliwe ??

Logfile of HijackThis v1.99.1
Scan saved at 12:06:43, on 06-04-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\DIT.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\WINDOWS\MOUSEPAD8.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\WINSTALL.EXE
C:\PROGRAM FILES\COMMON FILES\IUON\RUNDLL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
A:\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: 127.0.0.5 makethemcry.com
O1 - Hosts: 127.0.0.5 loudcash.com
O1 - Hosts: 127.0.0.5 iframestat.com
O1 - Hosts: 127.0.0.5 toolbarpartner.com
O1 - Hosts: 127.0.0.5 hqcash.com
O1 - Hosts: 127.0.0.5 verybigcash.com
O1 - Hosts: 127.0.0.5 makethemcry.com
O1 - Hosts: 127.0.0.5 moviepartnership.com
O1 - Hosts: 127.0.0.5 callmachine.com
O1 - Hosts: 127.0.0.5 regcash.com
O1 - Hosts: 127.0.0.5 toolbarpartner.com
O1 - Hosts: 127.0.0.5 klikrevenue.com
O1 - Hosts: 127.0.0.5 p2dll.com
O1 - Hosts: 127.0.0.5 t73.com
O1 - Hosts: 127.0.0.5 www.makethemcry.com
O1 - Hosts: 127.0.0.5 www.loudcash.com
O1 - Hosts: 127.0.0.5 www.iframestat.com
O1 - Hosts: 127.0.0.5 www.toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.hqcash.com
O1 - Hosts: 127.0.0.5 www.verybigcash.com
O1 - Hosts: 127.0.0.5 www.makethemcry.com
O1 - Hosts: 127.0.0.5 www.moviepartnership.com
O1 - Hosts: 127.0.0.5 www.callmachine.com
O1 - Hosts: 127.0.0.5 www.regcash.com
O1 - Hosts: 127.0.0.5 www.toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.klikrevenue.com
O1 - Hosts: 127.0.0.5 www.p2dll.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKLM\..\Run: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe
O4 - HKLM\..\Run: [keyboard] C:\WINDOWS\KEYBOARD8.exe
O4 - HKLM\..\Run: [mousepad] C:\WINDOWS\MOUSEPAD8.exe
O4 - HKLM\..\Run: [newname] C:\WINDOWS\NEWNAME8.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\SYSTEM\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe
O4 - HKCU\..\Run: [Cwrm] "C:\Program Files\Common Files\iuon\rundll.exe" -vt yazr
O4 - HKCU\..\Run: [Peblzfy] install program could not read the registry?CAPI: The install failed. The rsabase.dll that is being installed doesn't match the signature file or the value in the registry?CAPI: The install program could not find the signature resource5CAPI: The install prog
O4 - HKCU\..\Run: [urio] C:\STUB_113_4_0_4_0.EXE
O4 - HKCU\..\RunServices: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU\..\RunServices: [Shell] "C:\WINDOWS\SYSTEM\ibm00001.exe"
O4 - HKCU\..\RunServices: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunServices: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe
O4 - HKCU\..\RunServices: [Cwrm] "C:\Program Files\Common Files\iuon\rundll.exe" -vt yazr
O4 - HKCU\..\RunServices: [Peblzfy] install program could not read the registry?CAPI: The install failed. The rsabase.dll that is being installed doesn't match the signature file or the value in the registry?CAPI: The install program could not find the signature resource5CAPI: The install prog
O4 - HKCU\..\RunServices: [urio] C:\STUB_113_4_0_4_0.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -

Dlaczego nie masz zainstalowanych aktualizacji do IE?! -> www.windowsupdate.com i albo zainstalujesz najnowsza wersje albo zmien przegladarke na Opere lub Firefox i nie uzywaj wiecej IE.

alt+ctrl+del i zakoncz:
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\WINDOWS\MOUSEPAD8.EXE
C:\WINSTALL.EXE

W hijackthis usun:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O1 - Hosts: 127.0.0.5 makethemcry.com
O1 - Hosts: 127.0.0.5 loudcash.com
O1 - Hosts: 127.0.0.5 iframestat.com
O1 - Hosts: 127.0.0.5 toolbarpartner.com
O1 - Hosts: 127.0.0.5 hqcash.com
O1 - Hosts: 127.0.0.5 verybigcash.com
O1 - Hosts: 127.0.0.5 makethemcry.com
O1 - Hosts: 127.0.0.5 moviepartnership.com
O1 - Hosts: 127.0.0.5 callmachine.com
O1 - Hosts: 127.0.0.5 regcash.com
O1 - Hosts: 127.0.0.5 toolbarpartner.com
O1 - Hosts: 127.0.0.5 klikrevenue.com
O1 - Hosts: 127.0.0.5 p2dll.com
O1 - Hosts: 127.0.0.5 t73.com
O1 - Hosts: 127.0.0.5 www.makethemcry.com
O1 - Hosts: 127.0.0.5 www.loudcash.com
O1 - Hosts: 127.0.0.5 www.iframestat.com
O1 - Hosts: 127.0.0.5 www.toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.hqcash.com
O1 - Hosts: 127.0.0.5 www.verybigcash.com
O1 - Hosts: 127.0.0.5 www.makethemcry.com
O1 - Hosts: 127.0.0.5 www.moviepartnership.com
O1 - Hosts: 127.0.0.5 www.callmachine.com
O1 - Hosts: 127.0.0.5 www.regcash.com
O1 - Hosts: 127.0.0.5 www.toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.klikrevenue.com
O1 - Hosts: 127.0.0.5 www.p2dll.com
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKLM\..\Run: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe
O4 - HKLM\..\Run: [keyboard] C:\WINDOWS\KEYBOARD8.exe
O4 - HKLM\..\Run: [mousepad] C:\WINDOWS\MOUSEPAD8.exe
O4 - HKLM\..\Run: [newname] C:\WINDOWS\NEWNAME8.exe
O4 - HKLM\..\RunServices: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe
O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\SYSTEM\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe
O4 - HKCU\..\Run: [Cwrm] "C:\Program Files\Common Files\iuon\rundll.exe" -vt yazr <- usun katalog iuon
O4 - HKCU\..\Run: [Peblzfy] install program could not read the registry?CAPI: The install failed. The rsabase.dll that is being installed doesn't match the signature file or the value in the registry?CAPI: The install program could not find the signature resource5CAPI: The install prog
O4 - HKCU\..\Run: [urio] C:\STUB_113_4_0_4_0.EXE
O4 - HKCU\..\RunServices: [Shell] "C:\WINDOWS\SYSTEM\ibm00001.exe"
O4 - HKCU\..\RunServices: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunServices: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe
O4 - HKCU\..\RunServices: [Cwrm] "C:\Program Files\Common Files\iuon\rundll.exe" -vt yazr
O4 - HKCU\..\RunServices: [Peblzfy] install program could not read the registry?CAPI: The install failed. The rsabase.dll that is being installed doesn't match the signature file or the value in the registry?CAPI: The install program could not find the signature resource5CAPI: The install prog
O4 - HKCU\..\RunServices: [urio] C:\STUB_113_4_0_4_0.EXE
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab

Wymienione pliki usun z dysku.

Zrob tez skan tym:
http://www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D -> przeskanuj i wlacz ochrone przegladarki

Po wszystkim wklej nowy log.

Tu masz opis ze strony http://www.hijackthis.de/
najlepiej sam wklej tam log i poddaj go analizie . Jeżeli nie znasz angielskiego to wszystkie wpisy "nasty" są szkodliwe , a "unknown" - nieznane lub podejrzane .

Zostało tyle i ikonka o zainfekowanym systemie znikła


Logfile of HijackThis v1.99.1
Scan saved at 12:45:53, on 06-04-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\PROGRAM FILES\COMMON FILES\IUON\RUNDLL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
A:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU\..\Run: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe
O4 - HKCU\..\Run: [Cwrm] "C:\Program Files\Common Files\iuon\rundll.exe" -vt yazr
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Jeszcze poprawki zaraz wgram

Zostalo jeszcze to:
O4 - HKLM\..\RunServices: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe
O4 - HKCU\..\Run: [shellbn] C:\WINDOWS\SYSTEM\shellbn.exe <- plik do kasacji.
O4 - HKCU\..\Run: [Cwrm] "C:\Program Files\Common Files\iuon\rundll.exe" -vt yazr <- katalog iuon do kasacji jak juz pisalem.

Do tego zainstaluj sobie tez antyvirus:
http://www.avast.com/eng/avast_4_home.html

No powinno być chyba ok z poprawkami już


Logfile of HijackThis v1.99.1
Scan saved at 13:45:55, on 06-04-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
A:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Log jest ok ale zainstaluj antyvirus oraz aktualizacje do IE poniewaz dalej masz 5.0 zamiast 6!

Jeszcze jedna sprawa co jakiś czas wyskakują mi reklamy, jak się tego pozbyć ?? A tak wogóle wielkie dzięki za poświęcony mi czas, komputer chodzi dużo lepiej

Jakie reklamy? Jaki maja adres strony?

np. takie:

http://www.buyer-shabit.com/tau.html

http://www.mediapurchases.com/tau.html

i to same od siebie nie otwieram nawet przeglądarki i co niecałe 10 min wyskakuje ;/ cały czas są to dwie piowtarzające się raklamy

Przeskanuj tym:
http://www.simplytech.it/L2MRemover/index_e.htm
http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/Killme.shtml

Ten pierwszy jest pod XP

Dodano po 33 [minuty]:

Ten drugi za wiele nie pokazywał ale pomógł Dzięki Ci wielkie Bardzo mi dziś pomogłeś Pozdrawiam