Hi Jack Log
Hello.
My buddy has a problem with his computer. The usual: porn sites, blue screens and so on. I'm attaching the log, since I can't really make sense of it myself.
Logfile of HijackThis v1.99.1
Scan saved at 16:01:23, on 2005-06-20
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
d:\windows\system32\emstljo.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
D:\WINDOWS\System32\gta.exe
D:\WINDOWS\System32\gglib.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\j?vaw.exe
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\msnmssgr.exe
D:\Documents and Settings\Tomek\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Tomek\USTAWI~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Tomek\USTAWI~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - D:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - D:\WINDOWS\System32\vbrundll.dll
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: (no name) - {7E227A5A-5210-1518-152D-C2D8F854313C} - D:\WINDOWS\System32\inscdm\avpobtwqht.dll
O2 - BHO: (no name) - {8B214146-89AD-892E-D0E6-AC0FD4961ABD} - D:\WINDOWS\System32\udek.dll (file missing)
O2 - BHO: (no name) - {B3FE91E8-953F-4F76-8974-5C69951C6C38} - D:\WINDOWS\System32\ahma.dll
O2 - BHO: (no name) - {DF2F1445-DAA8-D87E-D0E6-AC0FD4974CB4} - D:\WINDOWS\System32\ued.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hcj8odi3] D:\WINDOWS\System32\hcj8odi3.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "D:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Gta San Andreas] gta.exe
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\Tomek\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [hrzjjr] d:\windows\system32\emstljo.exe r
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [Gta San Andreas] gta.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunOnce: [AAW] "D:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Rptmmo] D:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [Gta San Andreas] gta.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O15 - Trusted Zone: *.bestcounter.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1C2C342-2A4C-4E16-B4A7-1A564C8EA4A7}: NameServer = 194.204.159.1,195.205.178.20
O18 - Filter: text/html - {ADA8C5CF-45C9-426B-B240-A1C33EC3EC0A} - D:\WINDOWS\System32\ahma.dll
O18 - Filter: text/plain - {ADA8C5CF-45C9-426B-B240-A1C33EC3EC0A} - D:\WINDOWS\System32\ahma.dll
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: SysTray.Exsh - {E1B7D0BE-5f02-4255-96DB-388DFA241900} - D:\WINDOWS\System32\bmglbbgl.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - D:\WINDOWS\svcproc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Replies: 4
Thanks for the instructions. I'll pass them on to my buddy and we'll see what comes of it.
HJT doesn't show how that file starts, so get a Silent Runners log as well.
Update: run this fix for Nail and svcproc
Download
After unpacking, run the file Nailfix.cmd; best do it in Safe Mode.
Also delete this from the disk:
D:\WINDOWS\System32\gglib.exe
The blue screens are probably Haxdoor's doing.
Disable System Restore
End these processes:
emstljo.exe
WeirdOnTheWeb.exe
gta.exe
gglib.exe
j?vaw.exe (in Task Manager there will be some letter in place of the question mark)
msnmssgr.exe
Download the fix for sp.dll and run it
Link in the FAQ
To remove:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Tomek\USTAWI~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Tomek\USTAWI~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Manually, from the key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - D:\Program Files\iMesh\iMesh5\iMeshBHO.dll
This one gets shown the door: uninstall it
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - D:\WINDOWS\System32\vbrundll.dll
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: (no name) - {7E227A5A-5210-1518-152D-C2D8F854313C} - D:\WINDOWS\System32\inscdm\avpobtwqht.dll
O2 - BHO: (no name) - {8B214146-89AD-892E-D0E6-AC0FD4961ABD} - D:\WINDOWS\System32\udek.dll (file missing)
O2 - BHO: (no name) - {B3FE91E8-953F-4F76-8974-5C69951C6C38} - D:\WINDOWS\System32\ahma.dll
O2 - BHO: (no name) - {DF2F1445-DAA8-D87E-D0E6-AC0FD4974CB4} - D:\WINDOWS\System32\ued.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - D:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [hcj8odi3] D:\WINDOWS\System32\hcj8odi3.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "D:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [Gta San Andreas] gta.exe
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\Tomek\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [hrzjjr] d:\windows\system32\emstljo.exe r
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [Gta San Andreas] gta.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\Run: [Rptmmo] D:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [Gta San Andreas] gta.exe
O15 - Trusted Zone: *.bestcounter.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O18 - Filter: text/html - {ADA8C5CF-45C9-426B-B240-A1C33EC3EC0A} - D:\WINDOWS\System32\ahma.dll
O18 - Filter: text/plain - {ADA8C5CF-45C9-426B-B240-A1C33EC3EC0A} - D:\WINDOWS\System32\ahma.dll
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
Haxdoor leaves a heap of other junk in the system, which I've already listed several times
O21 - SSODL: SysTray.Exsh - {E1B7D0BE-5f02-4255-96DB-388DFA241900} - D:\WINDOWS\System32\bmglbbgl.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - D:\WINDOWS\svcproc.exe
Removal instructions are in the sticky.
This Ad-Aware starts in a strange way,
O4 - HKLM\..\RunOnce: [AAW] "D:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
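As an added example (not part of the original thread, and not a feature of HijackThis or of the forum's fix scripts), here is a Python triage script that reads the entry lines of a HijackThis log and flags the persistence points the reply above singles out: a second executable tacked onto the system.ini Shell= line, autoruns launched from the user's Temp directory or given as a bare file name, anonymous or dangling BHOs, Trusted Zone additions, MIME filters, Winlogon Notify and SSODL DLLs, and services with no vendor string. SAMPLE_LOG is a constructed excerpt of the log posted above; the rules are heuristics of my own and catch structural red flags, not every item the responder listed (an autorun with a random name but a normal System32 path, such as [hrzjjr], passes them). The `files_to_collect` helper lists the on-disk files named in flagged entries, which is what you want to copy off or hash before a cleanup script deletes them.

```python
"""Triage a HijackThis log for the persistence points flagged in the reply above.

Added example, not part of the original forum thread and not a HijackThis
feature: the rules below are heuristics of my own.  SAMPLE_LOG is a constructed
excerpt of the log posted above.
"""
import re

# Constructed excerpt of the posted log: a few lines per section of interest.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {8B214146-89AD-892E-D0E6-AC0FD4961ABD} - D:\WINDOWS\System32\udek.dll (file missing)
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\Tomek\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [hrzjjr] d:\windows\system32\emstljo.exe r
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O18 - Filter: text/html - {ADA8C5CF-45C9-426B-B240-A1C33EC3EC0A} - D:\WINDOWS\System32\ahma.dll
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - D:\WINDOWS\svcproc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# "O4 - HKLM\..\Run: ..." -> section tag "O4", body after the " - " separator.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in an executable extension; paths may contain spaces.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|cmd)\b', re.IGNORECASE)


def parse(log_text):
    """Yield (section, body) for each entry line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def assess(section, body):
    """Return why an entry is suspicious, or None when no rule fires."""
    low = body.lower()
    if section == "F2":
        # system.ini "Shell=Explorer.exe <extra>" starts <extra> with the desktop at every logon.
        m = re.search(r"shell=(\S+)\s+(.+)", body, re.IGNORECASE)
        if m:
            return f"second shell executable started at logon: {m.group(2).strip()}"
    if section == "O4":
        # Strip "HKLM\..\Run: [Name] " to get the command line being launched.
        cmd = body.split(": ", 1)[1] if ": " in body else body
        target = cmd.split("] ", 1)[1] if "] " in cmd else cmd
        if "\\temp\\" in target.lower() or "docume~1" in target.lower():
            return "autorun launched from the user's Temp directory"
        if "\\" not in target:
            return "autorun given as a bare file name (resolved via PATH, origin unverifiable)"
    if section == "O2" and ("(no name)" in low or "(file missing)" in low):
        return "anonymous or dangling Browser Helper Object"
    if section == "O15":
        return "site or IP added to the IE Trusted Zone (relaxed security settings)"
    if section == "O18":
        return "MIME filter sees every page of that type before IE renders it"
    if section == "O20":
        return "Winlogon Notify DLL is loaded into winlogon.exe at every logon"
    if section == "O21":
        return "ShellServiceObjectDelayLoad DLL is loaded into explorer.exe"
    if section == "O23" and "unknown owner" in low:
        return "service binary carries no vendor string"
    return None


def triage(log_text):
    """Flagged entries, in log order, each with the rule that fired."""
    findings = []
    for sec, body in parse(log_text):
        reason = assess(sec, body)
        if reason:
            findings.append({"section": sec, "entry": body, "reason": reason})
    return findings


def files_to_collect(findings):
    """Distinct on-disk paths named in flagged entries: copy or hash these before a cleanup deletes them."""
    paths = {p for f in findings for p in WIN_PATH_RE.findall(f["entry"])}
    return sorted(paths)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['section']:<4}{h['reason']}\n    {h['entry']}")
    print("collect before deleting:", *files_to_collect(hits), sep="\n  ")
```

Run it as-is to see the nine flagged lines from the excerpt, or pass the full log text to `triage`. The bare-file-name rule is the one worth remembering from this log: `gta.exe` and `msnmssgr.exe` are registered without a path, so Windows resolves them through the search path and the log alone cannot tell you which copy runs, which is exactly why the reply asks for the processes to be killed and the files located separately.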