Please check my log, I can't manage it on my own!!!

Hello
Below is the log from my computer. The symptoms vary: messages pop up saying there are trojans on the disk and that there is a critical error, the computer basically only runs in Safe Mode, and in normal mode it just keeps grinding away. Pages load that are different from what they should be, even though the start page is supposed to be blank. In general it is one big mess, please help, please, please!
NOTE! This log is from Safe Mode, because in normal mode nothing can be done, it keeps grinding away :cry:

Logfile of HijackThis v1.99.1
Scan saved at 22:32:28, on 2005-05-14
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\svchost.exe
C:\Documents and Settings\Staszek\Pulpit\fix,log itp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Program Microsoft Internet Explorer dostarczony przez BPH S.A.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2fucked.biz
O1 - Hosts: 127.0.0.3 sp2fucked.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.3 topcash.biz
O1 - Hosts: 127.0.0.3 www.topcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 17.145.117.11 d-ru-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads2.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads3.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads4.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads5.kaspersky.ru
O1 - Hosts: 17.145.117.11 www.kaspersky.ru
O1 - Hosts: 17.145.117.11 kaspersky.ru
O1 - Hosts: 17.145.117.11 kaspersky-labs.com
O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com
O1 - Hosts: 82.146.42.123 lloydstsb.co.uk
O1 - Hosts: 82.146.42.123 online.lloydstsb.co.uk
O1 - Hosts: 82.146.42.123 www.lloydstsb.co.uk
O1 - Hosts: 82.146.42.123 www.lloydstsb.com
O1 - Hosts: 82.146.42.123 personal.barclays.co.uk
O1 - Hosts: 82.146.42.123 barclays.co.uk
O1 - Hosts: 82.146.42.123 ibank.barclays.co.uk
O1 - Hosts: 82.146.42.123 www.barclays.co.uk
O1 - Hosts: 82.146.42.123 www.nwolb.com
O1 - Hosts: 82.146.42.123 nwolb.com
O1 - Hosts: 82.146.42.123 hsbc.co.uk
O1 - Hosts: 82.146.42.123 www.hsbc.co.uk
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {CBF4E7CB-1AA6-4E9A-9F56-08CFE1BFA3A0} - C:\WINDOWS\System32\dnjl.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Egudjqub] c:\Program Files\Dxjxfi\Oxqmev.exe
O4 - HKLM\..\Run: [Spools Service Controller] C:\WINDOWS\System32\spools.exe
O4 - HKLM\..\Run: [DialerKiller] C:\Program Files\Dialer Killer\DialKill.exe -h
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{D518EDC6-C430-4F48-995A-1C7A9F077C4F}\SVCHOST.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [zqbov] C:\WINDOWS\zqbov.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [q67O36g] efsund3d.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe
O4 - HKCU\..\Run: [key] C:\WINDOWS\System32\winxp.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [bxoERWM7i] dx7dsk.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - Startup: Download Mage.lnk = C:\Program Files\DLMage\DnloadMage.exe
O4 - Startup: WPKontakt.lnk = C:\Program Files\Wirtualna Polska\Kontakt\Kontakt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {3EE76E23-D0E9-4947-B9D3-DAFAF481D7A7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3EE76E23-D0E9-4947-B9D3-DAFAF481D7A7} - (no file) (HKCU)
O9 - Extra button: BPH Sez@m - {5674E0A0-71D3-11DB-9265-F4F7DE33F84C} - http:\\e-bank.bph.pl (file missing) (HKCU)
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: BPHOnl - http://e-sezam.bph.pl/BPHOnl.cab
O16 - DPF: Cdm.Sdig - https://www.cdm.net.pl/cdm2/sdig/aplet/SdigApplet.cab
O16 - DPF: CDMNet - https://www.cdm.net.pl/cdm2/jar/CDMNetOnl.cab
O16 - DPF: ECOnline - https://www.cdm.net.pl/component/ECOnline.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://17.pl/wejscie.exe
O16 - DPF: {5CBA93A3-E0ED-11D5-A70E-00C12601EADE} - http://nina.of.pl/galeria.exe
O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/2565.cab
O16 - DPF: {A67BA5E3-5B79-11D6-A711-00C12601EADE} - http://www.brzoskwinki.fotosex.pl/sex.exe
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O18 - Filter: text/html - {FB08826C-79AB-4057-8E12-F964113B8749} - C:\WINDOWS\System32\dnjl.dll
O18 - Filter: text/plain - {FB08826C-79AB-4057-8E12-F964113B8749} - C:\WINDOWS\System32\dnjl.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

Replies: 8

Everything works flawlessly. Thanks Bobi, you've earned a bottle, and not a virtual one :D .
Do you think it's worth installing the service pack, or maybe something else? Supposedly it slows the computer down terribly.

Regards
su
chromtech (added 17.05.2005 14:14:48)
But I didn't tell you to remove gearsec.exe!
That's DVD software.

FIX:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll/spage.html
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll,DllInstall

Empty the entire contents of the folder C:\Documents and Settings\Staszek\Ustawienia lokalne\Temp
If that doesn't work, we'll have to look for some hidden installer of this junk, because this is a new version of it.
Finish it off with SpSeHjfix112 and, if anything is still left, with CWShredder.
Bobi (added 16.05.2005 17:09:38)
Another log:

Logfile of HijackThis v1.99.1
Scan saved at 12:33:46, on 2005-05-16
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Dialer Killer\DialKill.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\DLMage\DnloadMage.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Staszek\Pulpit\fix,log itp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Program Microsoft Internet Explorer dostarczony przez BPH S.A.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DialerKiller] C:\Program Files\Dialer Killer\DialKill.exe -h
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Download Mage.lnk = C:\Program Files\DLMage\DnloadMage.exe
O4 - Startup: WPKontakt.lnk = C:\Program Files\Wirtualna Polska\Kontakt\Kontakt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: BPHOnl - http://e-sezam.bph.pl/BPHOnl.cab
O16 - DPF: Cdm.Sdig - https://www.cdm.net.pl/cdm2/sdig/aplet/SdigApplet.cab
O16 - DPF: CDMNet - https://www.cdm.net.pl/cdm2/jar/CDMNetOnl.cab
O16 - DPF: ECOnline - https://www.cdm.net.pl/component/ECOnline.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

gearsec.exe doesn't want to be deleted from the disk
chromtech (added 16.05.2005 14:07:18)
The log is somewhat better, but still not what it should be.
KillTrusted did its job, as evidenced by the removed Trusted entries (O15).

To be removed (I no longer highlighted the files, because I did that earlier; go back and read it again):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)

F2 - REG:system.ini: Shell=explorer.exe

O2 - BHO: (no name) - {0582C756-5F74-4A46-AF4C-2D05A4EAB2EF} - C:\WINDOWS\System32\dnjl.dll

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Egudjqub] c:\Program Files\Dxjxfi\Oxqmev.exe
O4 - HKLM\..\Run: [Spools Service Controller] C:\WINDOWS\System32\spools.exe
O4 - HKLM\..\Run: [zqbov] C:\WINDOWS\zqbov.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [q67O36g] efsund3d.exe

O18 - Filter: text/html - {646B5F72-79F5-439F-9E55-B682734D6AA6} - C:\WINDOWS\System32\dnjl.dll
O18 - Filter: text/plain - {646B5F72-79F5-439F-9E55-B682734D6AA6} - C:\WINDOWS\System32\dnjl.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Focus most of all on Haxdoor.
The files from O23 are also to be removed from the disk; I didn't mark them earlier.
Bobi (added 16.05.2005 01:36:30)
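The helper above checks progress by eyeballing which entries vanished between scans (the O15 Trusted Zone lines after KillTrusted) and by picking out the entries that matter first. The following script is an added example, not part of the thread and not a HijackThis feature: it parses HijackThis-style entry lines, flags the indicator patterns visible in the posted logs (an autorun from Temp, svchost.exe outside System32, a bare file name with no path, a GUID-named service folder, O15 trusted sites, O18 MIME filters, O20 Winlogon Notify DLLs, O23 services with no vendor, O1 hosts lines pointing at a remote IP) and diffs two scans. The two sample logs are short constructed excerpts of the logs in this thread, not the full files, and the flagging rules are heuristics of this example, not a signature database.

```python
"""Triage and diff HijackThis logs (added example, not from the thread)."""
import re

# "O4 - HKLM\..\Run: [sp] rundll32 ..."  ->  section "O4", body "HKLM\..\Run: [sp] rundll32 ..."
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")


def parse_log(text):
    """Return (section, body) tuples for every entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body").strip()))
    return entries


def flag(section, body):
    """Return the reasons (possibly none) an entry deserves a second look. Heuristic rules only."""
    low = body.lower()
    reasons = []
    if section == "O4":
        if "\\temp\\" in low:
            reasons.append("autorun from a Temp directory")
        if re.search(r"\\windows\\svchost\.exe", low):
            reasons.append("svchost.exe outside System32")
        if re.search(r"\\services\\\{[0-9a-f-]{36}\}\\", low):
            reasons.append("binary hidden under a GUID-named folder")
        parts = body.split("] ", 1)          # "[name] command" -> command
        if len(parts) == 2 and "\\" not in parts[1]:
            reasons.append("executable referenced without a path")
    elif section == "O15":
        reasons.append("site or IP added to IE Trusted Zone")
    elif section == "O18" and low.startswith("filter:"):
        reasons.append("MIME filter hooks every HTML/plain-text page")
    elif section == "O20":
        reasons.append("Winlogon Notify DLL loads before the shell")
    elif section == "O23" and "unknown owner" in low:
        reasons.append("service with no vendor string")
    elif section == "O1" and not re.search(r"\s127\.0\.0\.\d+\s", body):
        reasons.append("hosts entry pointing a domain at a remote IP")
    return reasons


def triage(text):
    """List (section, body, reasons) for every flagged entry in a log."""
    return [(s, b, flag(s, b)) for s, b in parse_log(text) if flag(s, b)]


def diff_logs(before, after):
    """Return (entries removed since `before`, entries still present in `after`)."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(b & a)


# Constructed excerpts of the posted logs (not the complete files).
LOG_1 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\svchost.exe

O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 82.146.42.123 ibank.barclays.co.uk
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [q67O36g] efsund3d.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{D518EDC6-C430-4F48-995A-1C7A9F077C4F}\SVCHOST.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O15 - Trusted Zone: *.windupdates.com
O18 - Filter: text/html - {FB08826C-79AB-4057-8E12-F964113B8749} - C:\WINDOWS\System32\dnjl.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""

LOG_2 = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""

if __name__ == "__main__":
    removed, remaining = diff_logs(LOG_1, LOG_2)
    print(f"removed since first scan: {len(removed)}, still present: {len(remaining)}")
    for sec, body, reasons in triage(LOG_2):
        print(f"{sec:<4} {body}\n     -> {'; '.join(reasons)}")
```

Run it against two saved scans to get the "what is left and why it matters" list before posting; the `flag()` rules are where a reviewer adds the patterns they see in their own logs.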
Nie wiem czy killtrusted cos zdzialal czy nie bo jakos ta aplikacja w ogóle nie reaguje na moje klikniecia(klikam dowolny przycisk w celu uruchomienia ale bez reackji –chyba ze tak ma byc)

Przedstawiam kolejny log ,mam nadzieje ze duzo lepszy od pierwszego :)

Logfile of HijackThis v1.99.1
Scan saved at 23:03:54, on 2005–05–15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\Program Files\Dialer Killer\DialKill.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\DLMage\DnloadMage.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Staszek\Pulpit\fix,log itp\hijackthis\HijackThis.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll/spage.html
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll/spage.html
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Program Microsoft Internet Explorer dostarczony przez BPH S.A.
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – URLSearchHook: (no name) – _{9368D063–44BE–49B9–BD14–BB9663FD38FC} – (no file)
F2 – REG:system.ini: Shell=explorer.exe
O2 – BHO: (no name) – {0582C756–5F74–4A46–AF4C–2D05A4EAB2EF} – C:\WINDOWS\System32\dnjl.dll
O2 – BHO: Google Toolbar Helper – {AA58ED58–01DD–4d91–8333–CF10577473F7} – c:\program files\google\googletoolbar4.dll
O3 – Toolbar: &Google – {2318C2B1–4965–11d4–9B18–009027A5CD4F} – c:\program files\google\googletoolbar4.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 – HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 – HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" –osboot
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 – HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
O4 – HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 – HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 – HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 – HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 – HKLM\..\Run: [Egudjqub] c:\Program Files\Dxjxfi\Oxqmev.exe
O4 – HKLM\..\Run: [Spools Service Controller] C:\WINDOWS\System32\spools.exe
O4 – HKLM\..\Run: [DialerKiller] C:\Program Files\Dialer Killer\DialKill.exe –h
O4 – HKLM\..\Run: [zqbov] C:\WINDOWS\zqbov.exe
O4 – HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll,DllInstall
O4 – HKLM\..\Run: [q67O36g] efsund3d.exe
O4 – HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – Startup: Download Mage.lnk = C:\Program Files\DLMage\DnloadMage.exe
O4 – Startup: WPKontakt.lnk = C:\Program Files\Wirtualna Polska\Kontakt\Kontakt.exe
O4 – Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 – Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: BPHOnl - http://e-sezam.bph.pl/BPHOnl.cab
O16 - DPF: Cdm.Sdig - https://www.cdm.net.pl/cdm2/sdig/aplet/SdigApplet.cab
O16 - DPF: CDMNet - https://www.cdm.net.pl/cdm2/jar/CDMNetOnl.cab
O16 - DPF: ECOnline - https://www.cdm.net.pl/component/ECOnline.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O18 - Filter: text/html - {646B5F72-79F5-439F-9E55-B682734D6AA6} - C:\WINDOWS\System32\dnjl.dll
O18 - Filter: text/plain - {646B5F72-79F5-439F-9E55-B682734D6AA6} - C:\WINDOWS\System32\dnjl.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
chromtech
Added
16.05.2005 01:09:18
Maybe I'll start with this...
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

IE should be bumped up at least to SP1, and it wouldn't hurt to treat Windows to a service pack too, but only once everything is squeaky clean and swept up.

I may well believe you, but I can't grasp why you click a link to a porn site when you're looking for paving stones :wink:

Launch services.msc via Run and, if needed, stop the services listed.
Remove the hosts entries with HijackThis, or faster, by editing the file by hand and deleting the unwanted lines from it.

PS: Run KillTrusted in normal mode, since this version doesn't work in safe mode.
You simply open the program and press any key; it does the rest itself.
Bobi
Added
15.05.2005 16:52:42
I'm slowly throwing out this junk. You won't believe it, Bobi, but for a long time I had no problems at all. The day before yesterday I typed "kostka brukowa" (paving stones) into a search engine, loads of pages came up, I looked through them, and among them was some page on a sex topic. I clicked, and the page didn't even open, but a few seconds later something downloaded and started installing, and since then it's been a mess. I'm amazed myself that a single keypress produced something like this. Back to the topic: tell me how to run this KillTrusted, because there's nothing at the source you gave, and where do I find services.msc?
What should I do with this?
Code:
O1 - Hosts: 17.145.117.11 d-ru-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads2.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads3.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads4.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads5.kaspersky.ru
O1 - Hosts: 17.145.117.11 www.kaspersky.ru
O1 - Hosts: 17.145.117.11 kaspersky.ru
O1 - Hosts: 17.145.117.11 kaspersky-labs.com
O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com
O1 - Hosts: 82.146.42.123 lloydstsb.co.uk
O1 - Hosts: 82.146.42.123 online.lloydstsb.co.uk
O1 - Hosts: 82.146.42.123 www.lloydstsb.co.uk
O1 - Hosts: 82.146.42.123 www.lloydstsb.com
O1 - Hosts: 82.146.42.123 personal.barclays.co.uk
O1 - Hosts: 82.146.42.123 barclays.co.uk
O1 - Hosts: 82.146.42.123 ibank.barclays.co.uk
O1 - Hosts: 82.146.42.123 www.barclays.co.uk
O1 - Hosts: 82.146.42.123 www.nwolb.com
O1 - Hosts: 82.146.42.123 nwolb.com
O1 - Hosts: 82.146.42.123 hsbc.co.uk
O1 - Hosts: 82.146.42.123 www.hsbc.co.uk
chromtech
Added
15.05.2005 16:36:40
Turn off System Restore
End the process:
svchost.exe (the one started by the user, not by the system)

Delete the bolded files/folders from disk, along with the entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Empty everything out of Temp

R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)

In regedit, manually delete the string {9368D063-44BE-49B9-BD14-BB9663FD38FC} from the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.Pamela.biz
O1 - Hosts: 127.0.0.3 Pamela.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2fucked.biz
O1 - Hosts: 127.0.0.3 sp2fucked.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.3 topcash.biz
O1 - Hosts: 127.0.0.3 www.topcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 www.loadcash.biz

Open the hosts file (in C:\WINDOWS\system32\drivers\etc) in Notepad and change all the 3s to 1 (i.e. 127.0.0.1)

O1 - Hosts: 17.145.117.11 d-ru-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads2.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads3.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads4.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads5.kaspersky.ru
O1 - Hosts: 17.145.117.11 www.kaspersky.ru
O1 - Hosts: 17.145.117.11 kaspersky.ru
O1 - Hosts: 17.145.117.11 kaspersky-labs.com
O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com
O1 - Hosts: 82.146.42.123 lloydstsb.co.uk
O1 - Hosts: 82.146.42.123 online.lloydstsb.co.uk
O1 - Hosts: 82.146.42.123 www.lloydstsb.co.uk
O1 - Hosts: 82.146.42.123 www.lloydstsb.com
O1 - Hosts: 82.146.42.123 personal.barclays.co.uk
O1 - Hosts: 82.146.42.123 barclays.co.uk
O1 - Hosts: 82.146.42.123 ibank.barclays.co.uk
O1 - Hosts: 82.146.42.123 www.barclays.co.uk
O1 - Hosts: 82.146.42.123 www.nwolb.com
O1 - Hosts: 82.146.42.123 nwolb.com
O1 - Hosts: 82.146.42.123 hsbc.co.uk
O1 - Hosts: 82.146.42.123 www.hsbc.co.uk


O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O2 - BHO: (no name) - {CBF4E7CB-1AA6-4E9A-9F56-08CFE1BFA3A0} - C:\WINDOWS\System32\dnjl.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Egudjqub] c:\Program Files\Dxjxfi\Oxqmev.exe
O4 - HKLM\..\Run: [Spools Service Controller] C:\WINDOWS\System32\spools.exe
O4 - HKLM\..\Run: [DialerKiller] C:\Program Files\Dialer Killer\DialKill.exe -h
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{D518EDC6-C430-4F48-995A-1C7A9F077C4F}\SVCHOST.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [zqbov] C:\WINDOWS\zqbov.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Staszek\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [q67O36g] efsund3d.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe
O4 - HKCU\..\Run: [key] C:\WINDOWS\System32\winxp.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [bxoERWM7i] dx7dsk.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {3EE76E23-D0E9-4947-B9D3-DAFAF481D7A7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3EE76E23-D0E9-4947-B9D3-DAFAF481D7A7} - (no file) (HKCU)
O9 - Extra button: BPH Sez@m - {5674E0A0-71D3-11DB-9265-F4F7DE33F84C} - http:\\e-bank.bph.pl (file missing) (HKCU)
O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://17.pl/wejscie.exe
O16 - DPF: {5CBA93A3-E0ED-11D5-A70E-00C12601EADE} - http://nina.of.pl/galeria.exe
O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/2565.cab
O16 - DPF: {A67BA5E3-5B79-11D6-A711-00C12601EADE} - http://www.brzoskwinki.fotosex.pl/sex.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O18 - Filter: text/html - {FB08826C-79AB-4057-8E12-F964113B8749} - C:\WINDOWS\System32\dnjl.dll
O18 - Filter: text/plain - {FB08826C-79AB-4057-8E12-F964113B8749} - C:\WINDOWS\System32\dnjl.dll


O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)

Remove with the KillTrusted program

Backdoor.Haxdoor.D:
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

More in THIS thread

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

Go to services.msc and stop the services: System Startup Service and ZESOFT
Now in HijackThis: Config >> Misc Tools >> Delete an NT service: type in SvcProc first >> confirm, then ZESOFT

I won't even chew you out, because I think you know there's a merciless amount of crap on there.
For that reason I'd also like to see a new log once it's all done.
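The hosts-file part of the advice above (127.0.0.3 sinkholes to turn into 127.0.0.1, and antivirus or banking hostnames pointed at public addresses, which is the dangerous kind of entry) lends itself to a small audit. The Python below is an added example, not code from the thread or from HijackThis: it parses both raw hosts lines and pasted "O1 - Hosts:" lines, sorts entries into ordinary blocking, nonstandard loopback and redirect, and applies the suggested fix. The sample lines are constructed from domains quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the two shapes seen in this thread; domains are quoted above.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru
O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com
O1 - Hosts: 82.146.42.123 online.lloydstsb.co.uk
82.146.42.123 www.barclays.co.uk
"""
# Optional HijackThis prefix (hyphen or en dash, as pasted logs vary), then address, hostname.
_LINE = re.compile(r"^(?:O1 [-\u2013] Hosts:\s*)?(\S+)\s+(\S+)")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE.match(line)
        if m:
            yield m.group(1), m.group(2).lower()

def classify(ip):
    """127.0.0.1 = ordinary blocking; other 127.x = the odd sinkhole seen here;
    a public address for someone else's domain = redirect (pharming)."""
    if ipaddress.ip_address(ip).is_loopback:
        return "block" if ip == "127.0.0.1" else "nonstandard-loopback"
    return "redirect"

def audit_hosts(text):
    """Group hostnames by verdict, then by the address they point at."""
    report = defaultdict(lambda: defaultdict(list))
    for ip, host in parse_hosts(text):
        report[classify(ip)][ip].append(host)
    return {verdict: dict(by_ip) for verdict, by_ip in report.items()}

def rewrite_hosts(text):
    """Apply the fix from the post: 127.0.0.x -> 127.0.0.1 and drop redirects."""
    kept = []
    for ip, host in parse_hosts(text):
        verdict = classify(ip)
        if verdict == "redirect":
            continue  # an AV or bank hostname pointed at a public IP: remove it
        if verdict == "nonstandard-loopback":
            ip = "127.0.0.1"
        kept.append(f"{ip} {host}")
    return "\n".join(kept) + "\n"
```

Run `audit_hosts` over the real file at C:\WINDOWS\system32\drivers\etc\hosts before editing it; every "redirect" entry should be checked against what the machine's owner actually configured.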
Bobi
Added
15.05.2005 01:21:43
chromtech
Added:
15.05.2005 00:38:29
Comments:
8