Please check this log.

Many thanks in advance.


Scan saved at 22:54:33, on 2005-07-12
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jarek\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Net Safe - {49CAC2AD-79FB-4B91-BB70-0239D2E43485} - C:\PROGRA~1\PhshSwpr\netsafe.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker003.dll
O2 - BHO: (no name) - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb003.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb003.dll
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [AVP] C:\WINDOWS\System32\677644.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.31.82.26:80/iex/ofile.exe?url=http://69.31.82.26:80/rdgPL10.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{377CC049-05F3-400A-9D3E-D0E5AB8EF764}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: bsvcxsrv - C:\WINDOWS\System32\bsvcxsrv.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Replies: 11

EL NINO:
Print it out, hammer a nail into the wall next to the toilet bowl and hang the "evidence" on it :mrgreen: .


Yeah... only IMO you lost the spaces inside the quotation marks :lol:
Bobi
Posted
14.07.2005 00:39:04
Bobi:
I even have screenshots as proof :mrgreen:
Print it out, hammer a nail into the wall next to the toilet bowl and hang the "evidence" on it :mrgreen: .
EL NINO
Posted
14.07.2005 00:19:16
EL NINO:
Bobi:
Update: And that's how post number 200,000 on the forum became my property. :lol:
*** that. Post no. 200,000 was written two months ago :P :P
http://forum.centrumxp.pl/viewtopic.php?p=200000#200000


*** that, because the deleted ones don't count.
I even have screenshots as proof :mrgreen:
Bobi
Posted
13.07.2005 19:55:03
Bobi:
Update: And that's how post number 200,000 on the forum became my property. :lol:
*** that. Post no. 200,000 was written two months ago :P :P
http://forum.centrumxp.pl/viewtopic.php?p=200000#200000
EL NINO
Posted
13.07.2005 19:51:39
No problem :P

Update: And that's how post number 200,000 on the forum became my property. :lol:
Bobi
Posted
13.07.2005 15:15:30
So far everything is working as it should :)
Huge thanks and regards.
switton
Posted
13.07.2005 15:08:26
No need to send any more logs, we already know what we're dealing with.

Cut out:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php


As for that service, find it in the list in services.msc.
Stop it, set its startup type to Disabled and only then retry the operation in the HJT tool.
If that has no effect, restart the system, or boot it straight into Safe Mode.
Bobi
Posted
13.07.2005 14:48:09
Carrying out the last instruction, I get a message that the svchost.exe service has not been started. The message in HJT reads: The service 'moto' is enabled and/or running. Disable it first using HJT (from the scan result or the services.msc window).
I'm sending the current log.

Logfile of HijackThis v1.99.1
Scan saved at 12:40:38, on 2005-07-13
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jarek\Ustawienia lokalne\Temp\Katalog tymczasowy 12 dla hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{377CC049-05F3-400A-9D3E-D0E5AB8EF764}: NameServer = 194.204.152.34 217.98.63.164
O21 - SSODL: Adobe Photoshop 7.0.1 - {037D9D22-5366-BB01-22DA-3A0CD72ABC90} - c:\program files\adobe\photoshop 7.0\wlzim5.dll
O21 - SSODL: Adobe Photoshop 7.0.1 - {037D9D22-5366-BB01-22DA-3A0CD72ABC90} - c:\program files\adobe\photoshop 7.0\wlzim5.dll
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
switton
Posted
13.07.2005 14:42:16
And you removed none of what I listed.

Tick the entries given below in HijackThis, and delete from the disk the files and folders I have put in bold.

C:\WINDOWS\System32\winldra.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php

O2 - BHO: Net Safe - {49CAC2AD-79FB-4B91-BB70-0239D2E43485} - C:\PROGRA~1\PhshSwpr\netsafe.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker004.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb004.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb004.dll
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe

O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.31.82.26:80/iex/ofile.exe?url=http://69.31.82.26:80/rdgPL10.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O20 - Winlogon Notify: bsvcxsrv - C:\WINDOWS\System32\bsvcxsrv.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)


O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Open a command prompt: Start > Run >> CMD
Type: NET STOP moto
Now in HJT: Config >> Misc Tools >> Delete an NT service, type moto into the box and confirm.
Restart the system and delete the file from the location given above.
Bobi
Posted
13.07.2005 14:01:12
Logfile of HijackThis v1.99.1
Scan saved at 11:28:42, on 2005-07-13
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\winldra.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jarek\Ustawienia lokalne\Temp\Katalog tymczasowy 3 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Net Safe - {49CAC2AD-79FB-4B91-BB70-0239D2E43485} - C:\PROGRA~1\PhshSwpr\netsafe.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker004.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb004.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb004.dll
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.31.82.26:80/iex/ofile.exe?url=http://69.31.82.26:80/rdgPL10.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{377CC049-05F3-400A-9D3E-D0E5AB8EF764}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: bsvcxsrv - C:\WINDOWS\System32\bsvcxsrv.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O21 - SSODL: Adobe Photoshop 7.0.1 - {037D9D22-5366-BB01-22DA-3A0CD72ABC90} - c:\program files\adobe\photoshop 7.0\wlzim5.dll
O21 - SSODL: Adobe Photoshop 7.0.1 - {037D9D22-5366-BB01-22DA-3A0CD72ABC90} - c:\program files\adobe\photoshop 7.0\wlzim5.dll
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
switton
Posted
13.07.2005 13:33:09
Disable System Restore
End the process:
svchost.exe (the one started in the task list under the user account, not SYSTEM)

Remove:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php

O2 - BHO: Net Safe - {49CAC2AD-79FB-4B91-BB70-0239D2E43485} - C:\PROGRA~1\PhshSwpr\netsafe.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker003.dll
O2 - BHO: (no name) - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\System32\ztoolb003.dll
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\System32\ztoolb003.dll

O4 - HKLM\..\RunOnce: [AVP] C:\WINDOWS\System32\677644.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.31.82.26:80/iex/ofile.exe?url=http://69.31.82.26:80/rdgPL10.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O20 - Winlogon Notify: bsvcxsrv - C:\WINDOWS\System32\bsvcxsrv.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe


The O23 entry you remove as described in this topic
Bobi
Posted
13.07.2005 02:03:18
switton
Posted:
13.07.2005 01:36:19
Comments:
11
Page 1 / 1
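The triage Bobi does by hand across the replies above (the svchost.exe copy living in C:\WINDOWS instead of System32, the O15 Trusted Zone entries, the O16 DPF lines with made-up CLSIDs and file:// or mhtml: sources, the "Unknown owner" O23 service, and the NET STOP / delete-the-service / reboot / delete-the-file sequence) can be written down as rules so the same checks run over any HijackThis 1.99 log. The script below is an added example for this page; it is not part of HijackThis and not something posted in the thread. The log it parses is a constructed sample in the shape of the logs above, the indicator rules are the editor's own reading of what the replies flagged, and the sc.exe commands in the removal plan stand in for HJT's Config >> Misc Tools >> Delete an NT service step.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section line reason")

# Where Windows XP keeps its core binaries; the same file name anywhere else is a look-alike.
CORE = ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "csrss.exe")
EXPECTED_DIR = {**{n: r"c:\windows\system32" for n in CORE}, "explorer.exe": r"c:\windows"}

IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
REPEATED_HEX = re.compile(r"([0-9a-f])\1{3}", re.I)     # {11111111-1111-...} style CLSIDs
DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)    # C:\winstall.exe
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9a-f-]+\}).*? - (\S+)$", re.I)
O23_LINE = re.compile(r"^O23 - Service: (.+?) \((.+?)\) - (.+?) - (.+)$")

# Constructed sample in the shape of the logs posted above, not one of them verbatim.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 81.222.131.59
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.31.82.26:80/iex/ofile.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: bsvcxsrv - C:\WINDOWS\System32\bsvcxsrv.dll
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def _norm(line):
    """Undo the en dashes web extraction puts in place of ' - ' and drop HJT's '(file missing)' tag."""
    return line.replace("\u2013", "-").replace("(file missing)", "").strip()


def misplaced_core_binary(path):
    """Expected directory when `path` names a core binary that lives somewhere else, else None."""
    directory, _, name = _norm(path).lower().rpartition("\\")
    expected = EXPECTED_DIR.get(name)
    return expected if expected and directory != expected else None


def _run_target(o4_line):
    """Executable named by an O4 autorun line, honouring a quoted path."""
    target = o4_line.split("] ", 1)[-1]
    return target[1:].split('"', 1)[0] if target.startswith('"') else target.split(" ", 1)[0]


def triage(log_text):
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = _norm(raw)
        if line.startswith("Running processes:") or not line:
            in_processes = line.startswith("Running")     # a blank line ends the process list
            continue
        section, hit = ("process" if in_processes else line.split(" ", 1)[0]), None
        if in_processes:
            exp = misplaced_core_binary(line)
            hit = exp and f"core binary name outside {exp}"
        elif section in ("R0", "R1") and IP_URL.match(line.rsplit("= ", 1)[-1]):
            hit = "IE page setting points at a bare IP address"
        elif section == "O4":
            exe = _run_target(line)
            if DRIVE_ROOT_EXE.match(exe) or re.fullmatch(r"\d+\.exe", exe.rpartition("\\")[2].lower()):
                hit = "autorun from the drive root or with a numeric name"
        elif section == "O15":
            hit = "Trusted Zone entry lowers IE security for that site or address"
        elif section == "O16":
            m = O16_LINE.match(line)
            if m and (REPEATED_HEX.search(m.group(1)) or not m.group(2).lower().startswith("http")):
                hit = "fake CLSID or local/mhtml: ActiveX source"
        elif section == "O20":
            hit = "Winlogon Notify DLL is loaded at every logon"
        elif section == "O23":
            m = O23_LINE.match(line)
            if m and (m.group(3) == "Unknown owner" or misplaced_core_binary(m.group(4))):
                hit = "service with no vendor or backed by a misplaced core binary"
        if hit:
            findings.append(Finding(section, line, hit))
    return findings


def service_removal_plan(o23_line):
    """The thread's sequence for a rogue service: stop, disable, drop the registration
    (sc.exe stands in for HJT's 'Delete an NT service'), then delete the binary after a reboot."""
    m = O23_LINE.match(_norm(o23_line))
    if not m:
        raise ValueError("not an O23 service line: " + o23_line)
    short_name, path = m.group(2), m.group(4)
    return [f"net stop {short_name}", f"sc config {short_name} start= disabled",
            f"sc delete {short_name}", f'del "{path}"']


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
    print(*service_removal_plan(next(f.line for f in triage(SAMPLE_LOG) if f.section == "O23")), sep="\n")
```

Run against the sample, it flags the second svchost.exe process, the R1 hijack to 195.95.218.172, the C:\winstall.exe autorun, both O15 lines, the {11111111-...} DPF entry, the bsvcxsrv Winlogon Notify DLL and the moto service, and leaves the NVIDIA, QuickTime, RunDll32 and Panda ActiveScan lines alone. The removal plan reproduces the order the replies insisted on: the service must be stopped and disabled before the registration can be deleted, and the binary only goes after a reboot once nothing holds it open.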