Help, please check my Hijack log :(

Please check my Hijack log:



Logfile of HijackThis v1.99.1
Scan saved at 13:39:10, on 2005–06–05
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\newdial1.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\msmsgrxp.exe
C:\WINDOWS\System32\cssrs.exe
c:\windows\system32\eccswn.exe
C:\Program Files\Gadu–Gadu\gg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\rrau\etap.exe
C:\WINDOWS\System32\??xplore.exe
C:\WINDOWS\System32\newdial1.exe
C:\bsw.exe
C:\WINDOWS\System32\win32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Services\{A9F38EEF–F82E–40DC–A3BC–B786642853A6}\SVCHOST.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\xx\Pulpit\HijackThis.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – Default URLSearchHook is missing
F2 – REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 – BHO: VBRunDLL Class – {197B8CA4–E215–46DD–8F33–E0544A80E5C4} – C:\WINDOWS\System32\vbrundll.dll
O2 – BHO: Loader Class – {2E246FAE–8420–11D9–870D–000C2917DE7F} – C:\WINDOWS\SYSTEM\Loader.dll
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 – BHO: ohb – {9ADE0443–2AB2–4B23–A3F8–AC520773DE12} – (no file)
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 – HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{A9F38EEF–F82E–40DC–A3BC–B786642853A6}\SVCHOST.EXE
O4 – HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 – HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 – HKLM\..\Run: [hvijdks] c:\windows\system32\eccswn.exe
O4 – HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{A9F38EEF–F82E–40DC–A3BC–B786642853A6}\SECURITY.EXE
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 – HKCU\..\Run: [Eula] C:\Program Files\rrau\etap.exe
O4 – HKCU\..\Run: [Xbvji] C:\WINDOWS\System32\??xplore.exe
O4 – HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 – HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 – HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 – Extra button: Microsoft AntiSpyware helper – {F365F959–CF7D–4588–8394–302A38B9C10F} – C:\WINDOWS\System32\wldr.dll
O9 – Extra 'Tools' menuitem: Microsoft AntiSpyware helper – {F365F959–CF7D–4588–8394–302A38B9C10F} – C:\WINDOWS\System32\wldr.dll
O9 – Extra button: Microsoft AntiSpyware helper – {F365F959–CF7D–4588–8394–302A38B9C10F} – C:\WINDOWS\System32\wldr.dll (HKCU)
O9 – Extra 'Tools' menuitem: Microsoft AntiSpyware helper – {F365F959–CF7D–4588–8394–302A38B9C10F} – C:\WINDOWS\System32\wldr.dll (HKCU)
O15 – Trusted Zone: *.bestcounter.biz
O15 – Trusted Zone: *.blazefind.com
O15 – Trusted Zone: *.clickspring.net
O15 – Trusted Zone: *.flingstone.com
O15 – Trusted Zone: *.mt–download.com
O15 – Trusted Zone: *.my–internet.info
O15 – Trusted Zone: *.searchbarcash.com
O15 – Trusted Zone: *.searchmiracle.com
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotch.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.ysbweb.com
O15 – Trusted Zone: *.blazefind.com (HKLM)
O15 – Trusted Zone: *.clickspring.net (HKLM)
O15 – Trusted Zone: *.flingstone.com (HKLM)
O15 – Trusted Zone: *.mt–download.com (HKLM)
O15 – Trusted Zone: *.my–internet.info (HKLM)
O15 – Trusted Zone: *.searchbarcash.com (HKLM)
O15 – Trusted Zone: *.searchmiracle.com (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotch.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 – Trusted Zone: *.ysbweb.com (HKLM)
O15 – Trusted IP range: 195.95.218.170
O15 – Trusted IP range: 195.95.218.170 (HKLM)
O16 – DPF: {9A9307A0–7DA4–4DAF–B042–5009F29E09E1} (ActiveScan Installer Class) – http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://skaner.mks.com.pl/SkanerOnline.cab
O20 – Winlogon Notify: drct16 – C:\WINDOWS\SYSTEM32\drct16.dll
O21 – SSODL: System – {05A8DFB0–8CD2–4032–BB5C–AAE0FC9773CD} – vr_sys.dll (file missing)
O23 – Service: System Startup Service (SvcProc) – Unknown owner – C:\WINDOWS\svcproc.exe

Replies: 3

Thanks, everything's done now :) Thanks for the help, cheers
roman_22
Posted
05.06.2005 17:36:57
OK, I did a few things and the log now looks like this:




Logfile of HijackThis v1.99.1
Scan saved at 15:04:06, on 2005–06–05
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Gadu–Gadu\gg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\xx\Pulpit\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 – REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 – Trusted IP range: 195.95.218.170
O15 – Trusted IP range: 195.95.218.170 (HKLM)
O16 – DPF: {9A9307A0–7DA4–4DAF–B042–5009F29E09E1} (ActiveScan Installer Class) – http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://skaner.mks.com.pl/SkanerOnline.cab
roman_22
Posted
05.06.2005 17:05:00
The standard bundle we've been seeing lately

Turn off System Restore and boot the system in Safe Mode

Delete the bolded files/folders from the HDD, and tick the entries and hit Fix Checked:
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R3 – Default URLSearchHook is missing
F2 – REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 – BHO: VBRunDLL Class – {197B8CA4–E215–46DD–8F33–E0544A80E5C4} – C:\WINDOWS\System32\vbrundll.dll
O2 – BHO: Loader Class – {2E246FAE–8420–11D9–870D–000C2917DE7F} – C:\WINDOWS\SYSTEM\Loader.dll
O2 – BHO: ohb – {9ADE0443–2AB2–4B23–A3F8–AC520773DE12} – (no file)
O4 – HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 – HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{A9F38EEF–F82E–40DC–A3BC–B786642853A6}\SVCHOST.EXE
O4 – HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 – HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 – HKLM\..\Run: [hvijdks] c:\windows\system32\eccswn.exe
O4 – HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{A9F38EEF–F82E–40DC–A3BC–B786642853A6}\SECURITY.EXE
O4 – HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 – HKCU\..\Run: [Eula] C:\Program Files\rrau\etap.exe

O4 – HKCU\..\Run: [Xbvji] C:\WINDOWS\System32\??xplore.exe
In the folder it will look like iexplore.exe
The real Internet Explorer is in its own folder under Program Files and also runs from there


O4 – HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 – HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe

O4 – HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
The legitimate svchost is in system32 and does not add itself to RUN.


O9 – Extra button: Microsoft AntiSpyware helper – {F365F959–CF7D–4588–8394–302A38B9C10F} – C:\WINDOWS\System32\wldr.dll
O9 – Extra 'Tools' menuitem: Microsoft AntiSpyware helper – {F365F959–CF7D–4588–8394–302A38B9C10F} – C:\WINDOWS\System32\wldr.dll
O9 – Extra button: Microsoft AntiSpyware helper – {F365F959–CF7D–4588–8394–302A38B9C10F} – C:\WINDOWS\System32\wldr.dll (HKCU)
O9 – Extra 'Tools' menuitem: Microsoft AntiSpyware helper – {F365F959–CF7D–4588–8394–302A38B9C10F} – C:\WINDOWS\System32\wldr.dll (HKCU)
A nasty scam and a fake of MS AntiSpyware

O15 – Trusted Zone: *.bestcounter.biz
O15 – Trusted Zone: *.blazefind.com
O15 – Trusted Zone: *.clickspring.net
O15 – Trusted Zone: *.flingstone.com
O15 – Trusted Zone: *.mt–download.com
O15 – Trusted Zone: *.my–internet.info
O15 – Trusted Zone: *.searchbarcash.com
O15 – Trusted Zone: *.searchmiracle.com
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotch.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.ysbweb.com
O15 – Trusted Zone: *.blazefind.com (HKLM)
O15 – Trusted Zone: *.clickspring.net (HKLM)
O15 – Trusted Zone: *.flingstone.com (HKLM)
O15 – Trusted Zone: *.mt–download.com (HKLM)
O15 – Trusted Zone: *.my–internet.info (HKLM)
O15 – Trusted Zone: *.searchbarcash.com (HKLM)
O15 – Trusted Zone: *.searchmiracle.com (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotch.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 – Trusted Zone: *.ysbweb.com (HKLM)
O15 – Trusted IP range: 195.95.218.170
O15 – Trusted IP range: 195.95.218.170 (HKLM)
If the entries come back, download and run KillTrusted

O20 – Winlogon Notify: drct16 – C:\WINDOWS\SYSTEM32\drct16.dll
Backdoor.Haxdoor.D
More about it in archived posts; use the search and enter "drct16" as the keyword


O21 – SSODL: System – {05A8DFB0–8CD2–4032–BB5C–AAE0FC9773CD} – vr_sys.dll (file missing)

O23 – Service: System Startup Service (SvcProc) – Unknown owner – C:\WINDOWS\svcproc.exe
More in this thread: http://forum.centrumxp.pl/viewtopic.php?t=35002


I've saved the best for last: the reprimand.
I don't see any antivirus, and Spybot alone is not quite enough.
Install at least the free Avast if you can't afford a more expensive, better program.
Bobi
Posted
05.06.2005 15:58:01
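
The two path checks from the reply above (the real Internet Explorer runs from its own folder under Program Files; the legitimate svchost sits in system32 and has no Run entry), applied to lines from the first log. This is an added example, not part of the original thread; the function names, the expected-directory table and the reading of "?" as an unrenderable character are assumptions.

```python
import ntpath
import re

# Lines copied from the first log on this page (the forum turned "-" into "–").
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\??xplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Services\{A9F38EEF–F82E–40DC–A3BC–B786642853A6}\SVCHOST.EXE
O4 – HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{A9F38EEF–F82E–40DC–A3BC–B786642853A6}\SVCHOST.EXE
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – HKCU\..\Run: [Xbvji] C:\WINDOWS\System32\??xplore.exe
O4 – HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
"""

# Expected home directories (assumption: default XP install paths, as in the log).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "iexplore.exe": r"c:\program files\internet explorer",
}
RUN_ENTRY = re.compile(r"^O4\s*[-–]\s*(HK\w+)\\\.\.\\Run:\s*\[(.+?)\]\s*(.+)$")
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def check_path(path, from_run_key):
    """Return the reasons a path looks like a masquerade, per the reply above."""
    directory, name = ntpath.split(path.lower())
    reasons = []
    if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
        reasons.append(f"{name} outside {EXPECTED_DIR[name]}")
    if name == "svchost.exe" and from_run_key:
        reasons.append("svchost.exe registered in a Run key")
    # "?" is not legal in a Windows file name, so in the log it is taken to
    # stand for a character the tool could not render (assumption).
    if "?" in name:
        reasons.append("unrenderable characters in file name (lookalike)")
    return reasons


def triage(log_text):
    """Map each suspicious path (lower-cased) to its sorted list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        run = RUN_ENTRY.match(line)  # O4 autostart entry, else a process line
        exe = EXE_PATH.match(run.group(3) if run else line)
        reasons = check_path(exe.group(1), bool(run)) if exe else []
        if reasons:
            findings.setdefault(exe.group(1).lower(), set()).update(reasons)
    return {path: sorted(why) for path, why in findings.items()}
```

Calling `triage(SAMPLE_LOG)` reports the `??xplore.exe` file and both stray `svchost.exe` copies, and leaves the system32 `svchost.exe` and the Program Files `iexplore.exe` alone.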
roman_22
Posted:
05.06.2005 15:40:08