Logfile of HijackThis v1.99.1

Scan saved at 23:45:42, on 2005-02-20

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Winamp\winampa.exe

C:\CCProxy\CCProxy.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\Program Files\DeskAd Service\DeskAdServ.exe

C:\temp\salm.exe

C:\Program Files\AdStatus Service\AdStatServ.exe

C:\Program Files\Windows AdStatus\WinStat.exe

C:\Program Files\DeskAd Service\DeskAdKeep.exe

C:\Program Files\AdStatus Service\AdStatKeep.exe

C:\Program Files\Windows AdStatus\WinStatKeep.exe

C:\Program Files\AVPersonal\AVGNT.EXE

C:\WINDOWS\System32\systime.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\systime.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\AVPersonal\AVGUARD.EXE

C:\Program Files\AVPersonal\AVWUPSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\RealVNC\WinVNC\WinVNC.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

D:\Gadu-Gadu\gg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Ja\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

Log nie jest cały. Wklej jego pełną zawartość.

Logfile of HijackThis v1.99.1

Scan saved at 23:56:01, on 2005-02-20

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Winamp\winampa.exe

C:\CCProxy\CCProxy.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\Program Files\DeskAd Service\DeskAdServ.exe

C:\temp\salm.exe

C:\Program Files\AdStatus Service\AdStatServ.exe

C:\Program Files\Windows AdStatus\WinStat.exe

C:\Program Files\DeskAd Service\DeskAdKeep.exe

C:\Program Files\AdStatus Service\AdStatKeep.exe

C:\Program Files\Windows AdStatus\WinStatKeep.exe

C:\Program Files\AVPersonal\AVGNT.EXE

C:\WINDOWS\System32\systime.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\systime.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\AVPersonal\AVGUARD.EXE

C:\Program Files\AVPersonal\AVWUPSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\RealVNC\WinVNC\WinVNC.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

D:\Gadu-Gadu\gg.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Ja\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = chttp://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O1 - Hosts: 127.0.0.3 http://www.greg-tut.com

O1 - Hosts: 127.0.0.3 nylonsexy.com

O1 - Hosts: 127.0.0.3 http://www.nylonsexy.com

O1 - Hosts: 127.0.0.3 vparivalka.com

O1 - Hosts: 127.0.0.3 http://www.vparivalka.comtoescrowpay.com

O1 - Hosts: 127.0.0.3 http://www.awmdabest.com

O1 - Hosts: 127.0.0.3 http://www.sexfiles.nu

O1 - Hosts: 127.0.0.3 awmdabest.com

O1 - Hosts: 127.0.0.3 sexfiles.nu

O1 - Hosts: 127.0.0.3 allforadult.com

O1 - Hosts: 127.0.0.3 http://www.allforadult.com

O1 - Hosts: 127.0.0.3 http://www.iframe.biz

O1 - Hosts: 127.0.0.3 iframe.biz

O1 - Hosts: 127.0.0.3 http://www.newiframe.biz

O1 - Hosts: 127.0.0.3 newiframe.biz

O1 - Hosts: 127.0.0.3 http://www.vesbiz.biz

O1 - Hosts: 127.0.0.3 vesbiz.biz

O1 - Hosts: 127.0.0.3 http://www.pizdato.biz

O1 - Hosts: 127.0.0.3 pizdato.biz

O1 - Hosts: 127.0.0.3 http://www.aaasexypics.com

O1 - Hosts: 127.0.0.3 aaasexypics.com

O1 - Hosts: 127.0.0.3 http://www.virgin-tgp.net

O1 - Hosts: 127.0.0.3 virgin-tgp.net

O1 - Hosts: 127.0.0.3 http://www.awmcash.biz

O1 - Hosts: 127.0.0.3 awmcash.biz

O1 - Hosts: 127.0.0.3 buldog-stats.com

O1 - Hosts: 127.0.0.3 http://www.buldog-stats.com

O1 - Hosts: 127.0.0.3 fregat.drocherway.com

O1 - Hosts: 127.0.0.3 slutmania.biz

O1 - Hosts: 127.0.0.3 http://www.slutmania.biz

O1 - Hosts: 127.0.0.3 toolbarpartner.com

O1 - Hosts: 127.0.0.3 http://www.toolbarpartner.com

O1 - Hosts: 127.0.0.3 http://www.megapornix.com

O1 - Hosts: 127.0.0.3 megapornix.com

O1 - Hosts: 127.0.0.3 http://www.sp2fucked.biz

O1 - Hosts: 127.0.0.3 sp2fucked.biz

O1 - Hosts: 127.0.0.3 greg-tut.com

O1 - Hosts: http://213.159.117.203/dkprogs/hosts.txt

O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)

O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\porynt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM…\Run: [WinVNC] “C:\Program Files\RealVNC\WinVNC\WinVNC.exe” -servicehelper

O4 - HKLM…\Run: [CCProxy] C:\CCProxy\CCProxy.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM…\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe

O4 - HKLM…\Run: [salm] c:\temp\salm.exe

O4 - HKLM…\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe

O4 - HKLM…\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe

O4 - HKLM…\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min

O4 - HKLM…\Run: [sysTime] C:\WINDOWS\System32\systime.exe

O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background

O4 - HKCU…\Run: [WrCtrl] C:\Program Files\WinRoute Pro\WrCtrl.exe

O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe

O4 - HKCU…\Run: [Gadu-Gadu] “D:\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [sysTime] C:\WINDOWS\System32\systime.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: komentator - http://sport.onet.pl/komentator.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxx.mht! http://www.kazaalite.pl/stats/loudklite.chm::/bridge-c46.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.134.164.128/activex/AxisCamControl.cab

O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\porynt.dll

O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\porynt.dll

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Teraz dobrze??

Te hosty to nie ja! Skąd mi się mogło wziąć coś takiego? I jeszcze mi się pojawia komunikat,że mam trojana TR/Drop.Delf.DJ.3

Do usunięcia w trybie awaryjnym:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = chttp://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

O1 - Hosts: 127.0.0.3 http://www.greg-tut.com

O1 - Hosts: 127.0.0.3 nylonsexy.com

O1 - Hosts: 127.0.0.3 http://www.nylonsexy.com

O1 - Hosts: 127.0.0.3 vparivalka.com

O1 - Hosts: 127.0.0.3 http://www.vparivalka.comtoescrowpay.com

O1 - Hosts: 127.0.0.3 http://www.awmdabest.com

O1 - Hosts: 127.0.0.3 http://www.sexfiles.nu

O1 - Hosts: 127.0.0.3 awmdabest.com

O1 - Hosts: 127.0.0.3 sexfiles.nu

O1 - Hosts: 127.0.0.3 allforadult.com

O1 - Hosts: 127.0.0.3 http://www.allforadult.com

O1 - Hosts: 127.0.0.3 http://www.iframe.biz

O1 - Hosts: 127.0.0.3 iframe.biz

O1 - Hosts: 127.0.0.3 http://www.newiframe.biz

O1 - Hosts: 127.0.0.3 newiframe.biz

O1 - Hosts: 127.0.0.3 http://www.vesbiz.biz

O1 - Hosts: 127.0.0.3 vesbiz.biz

O1 - Hosts: 127.0.0.3 http://www.pizdato.biz

O1 - Hosts: 127.0.0.3 pizdato.biz

O1 - Hosts: 127.0.0.3 http://www.aaasexypics.com

O1 - Hosts: 127.0.0.3 aaasexypics.com

O1 - Hosts: 127.0.0.3 http://www.virgin-tgp.net

O1 - Hosts: 127.0.0.3 virgin-tgp.net

O1 - Hosts: 127.0.0.3 http://www.awmcash.biz

O1 - Hosts: 127.0.0.3 awmcash.biz

O1 - Hosts: 127.0.0.3 buldog-stats.com

O1 - Hosts: 127.0.0.3 http://www.buldog-stats.com

O1 - Hosts: 127.0.0.3 fregat.drocherway.com

O1 - Hosts: 127.0.0.3 slutmania.biz

O1 - Hosts: 127.0.0.3 http://www.slutmania.biz

O1 - Hosts: 127.0.0.3 toolbarpartner.com

O1 - Hosts: 127.0.0.3 http://www.toolbarpartner.com

O1 - Hosts: 127.0.0.3 http://www.megapornix.com

O1 - Hosts: 127.0.0.3 megapornix.com

O1 - Hosts: 127.0.0.3 http://www.sp2fucked.biz

O1 - Hosts: 127.0.0.3 sp2fucked.biz

O1 - Hosts: 127.0.0.3 greg-tut.com

O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\porynt.dll

O4 - HKLM…\Run: [sysTime] C:\WINDOWS\System32\systime.exe

O4 - HKLM…\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe

O4 - HKLM…\Run: [salm] c:\temp\salm.exe

O4 - HKLM…\Run: [sysTime] C:\WINDOWS\System32\systime.exe

O4 - HKCU…\Run: [sysTime] C:\WINDOWS\System32\systime.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxx.mht! http://www.kazaalite.pl/stats/loudklite.chm:: /bridge-c46.cab

O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\porynt.dll

O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\porynt.dll

Usuwasz to z wylaczonym przywracaniem systemu w Trybie Awaryjnym F8.

• Zainstaluj SP2

  C:\Program Files\DeskAd Service\DeskAdServ.exe

   	C:\temp\salm.exe
  
   	C:\Program Files\AdStatus Service\AdStatServ.exe
  
   	C:\Program Files\Windows AdStatus\WinStat.exe
  
   	C:\Program Files\DeskAd Service\DeskAdKeep.exe
  
   	C:\Program Files\AdStatus Service\AdStatKeep.exe
  
   	C:\Program Files\Windows AdStatus\WinStatKeep.exe
  
   	C:\WINDOWS\System32\systime.exe
  
   	C:\WINDOWS\System32\systime.exe
  
   	R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
  
   	R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
  

  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = chttp://213.159.117.134/index.php

   	R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
  
   	R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
  
   	R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
  

  O1 - Hosts: 127.0.0.3 www.greg-tut.com

  O1 - Hosts: 127.0.0.3 nylonsexy.com

  O1 - Hosts: 127.0.0.3 www.nylonsexy.com

  O1 - Hosts: 127.0.0.3 vparivalka.com

  O1 - Hosts: 127.0.0.3 www.vparivalka.comtoescrowpay.com

  O1 - Hosts: 127.0.0.3 www.awmdabest.com

  O1 - Hosts: 127.0.0.3 www.sexfiles.nu

  O1 - Hosts: 127.0.0.3 awmdabest.com

  O1 - Hosts: 127.0.0.3 sexfiles.nu

  O1 - Hosts: 127.0.0.3 allforadult.com

  O1 - Hosts: 127.0.0.3 www.allforadult.com

  O1 - Hosts: 127.0.0.3 www.iframe.biz

  O1 - Hosts: 127.0.0.3 iframe.biz

  O1 - Hosts: 127.0.0.3 www.newiframe.biz

  O1 - Hosts: 127.0.0.3 newiframe.biz

  O1 - Hosts: 127.0.0.3 www.vesbiz.biz

  O1 - Hosts: 127.0.0.3 vesbiz.biz

  O1 - Hosts: 127.0.0.3 www.pizdato.biz

  O1 - Hosts: 127.0.0.3 pizdato.biz

  O1 - Hosts: 127.0.0.3 www.aaasexypics.com

  O1 - Hosts: 127.0.0.3 aaasexypics.com

  O1 - Hosts: 127.0.0.3 www.virgin-tgp.net

  O1 - Hosts: 127.0.0.3 virgin-tgp.net

  O1 - Hosts: 127.0.0.3 www.awmcash.biz

  O1 - Hosts: 127.0.0.3 awmcash.biz

  O1 - Hosts: 127.0.0.3 buldog-stats.com

  O1 - Hosts: 127.0.0.3 www.buldog-stats.com

  O1 - Hosts: 127.0.0.3 fregat.drocherway.com

  O1 - Hosts: 127.0.0.3 slutmania.biz

  O1 - Hosts: 127.0.0.3 www.slutmania.biz

  O1 - Hosts: 127.0.0.3 toolbarpartner.com

  O1 - Hosts: 127.0.0.3 www.toolbarpartner.com

  O1 - Hosts: 127.0.0.3 www.megapornix.com

  O1 - Hosts: 127.0.0.3 megapornix.com

  O1 - Hosts: 127.0.0.3 www.sp2fucked.biz

  O1 - Hosts: 127.0.0.3 sp2fucked.biz

  O1 - Hosts: 127.0.0.3 greg-tut.com

  O1 - Hosts: http://213.159.117.203/dkprogs/hosts.txt

   	O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
  
   	O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\porynt.dll
  
   	O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
  
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
  
   	O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
  
   	O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
  
    O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
  

  O4 - HKCU…\Run: [SysTime] C:\WINDOWS\System32\systime.exe

   	O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\porynt.dll
  
   	O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\porynt.dll O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  

• firewall +zmiana przegladarki na http://www.firefox.pl lub http://www.operapl.net