maidan
(D Szprejda)
2 May 2006 16:10
#1
As in the subject line, it sometimes hangs; besides that, when I open the browser, extra pages open, adult something-or-other (I don't remember exactly).
Please check the log.
Thanks in advance!
Logfile of HijackThis v1.99.1
Scan saved at 17:45:46, on 2006-05-02
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\avast\inst\aswUpdSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\avast\inst\ashDisp.exe
C:\Program Files\avast\inst\ashServ.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\Program Files\avast\inst\ashWebSv.exe
C:\Program Files\avast\inst\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\instalki\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\avast\inst\ashDisp.exe
O4 - HKLM…\Run: [bearShare] “C:\Program Files\BearShare\BearShare.exe” /pause
O4 - HKLM…\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O17 - HKLM\System\CCS\Services\Tcpip…{7BF43B40-D087-450F-BE00-34006DAE9111}: NameServer = 85.255.114.44,85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip…{F1390763-1CBA-4158-B786-7F85E202AAA8}: NameServer = 85.255.114.44,85.255.112.180
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\avast\inst\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\avast\inst\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\avast\inst\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\avast\inst\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
Bieniol
(Bbieniol)
2 May 2006 19:31
#3
In safe mode, with System Restore turned off, remove (entries with HijackThis, files/folders marked in red manually from the disk; if you have trouble deleting files, use the KillBox tool):
Additionally, remove the Ukrainian DNS servers:
maidan:
O17 - HKLM\System\CCS\Services\Tcpip…{7BF43B40-D087-450F-BE00-34006DAE9111}: NameServer = 85.255.114.44,85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip…{F1390763-1CBA-4158-B786-7F85E202AAA8}: NameServer = 85.255.114.44,85.255.112.180
After these steps, post a new HijackThis log + a Silent Runners log.
maidan
(D Szprejda)
2 May 2006 20:44
#4
Logfile of HijackThis v1.99.1
Scan saved at 22:38:48, on 2006-05-02
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\avast\inst\ashDisp.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\avast\inst\aswUpdSv.exe
C:\Program Files\avast\inst\ashServ.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\Program Files\avast\inst\ashWebSv.exe
C:\Program Files\avast\inst\ashMaiSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\instalki\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\avast\inst\ashDisp.exe
O4 - HKLM…\Run: [bearShare] “C:\Program Files\BearShare\BearShare.exe” /pause
O4 - HKLM…\Run: [dflnl.exe] C:\WINDOWS\System32\dflnl.exe
O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\avast\inst\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\avast\inst\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\avast\inst\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\avast\inst\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
I have a problem with the Silent Runners log: when I try to run it, a message pops up, “Dostęp do Hosta skryptów systemu Windows jest wyłączony na tym komputerze”, and I don't really know how to enable it.
Bieniol
(Bbieniol)
2 May 2006 20:47
#5
In safe mode, with System Restore turned off, remove (entries with HijackThis, files/folders marked in red manually from the disk; if you have trouble deleting files, use the KillBox tool):
As for Silent Runners, use the noscript.exe tool and switch it from disable to enable.
maidan
(D Szprejda)
2 May 2006 21:10
#6
Logfile of HijackThis v1.99.1
Scan saved at 23:01:05, on 2006-05-02
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\avast\inst\ashDisp.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\avast\inst\aswUpdSv.exe
C:\Program Files\avast\inst\ashServ.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\Program Files\avast\inst\ashWebSv.exe
C:\Program Files\avast\inst\ashMaiSv.exe
D:\instalki\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\avast\inst\ashDisp.exe
O4 - HKLM…\Run: [bearShare] “C:\Program Files\BearShare\BearShare.exe” /pause
O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\avast\inst\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\avast\inst\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\avast\inst\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\avast\inst\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
As for Silent Runners, use the noscript.exe tool and switch it from disable to enable.
That's exactly what I did, and the system can't open this file; it tells me to choose a program from a list.
Sorry, but I don't really know much about this… maybe a little hint?
The HijackThis log is OK,
Enabling WSH // try another method described on the linked page.
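Added example, not part of the original thread: a Python sketch that compares the autorun (O4) and DNS override (O17) entries of two HijackThis logs, using entries copied from the first and second logs posted above. The function names and the expected_dns allowlist parameter are assumptions made for illustration.

```python
import re

ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
RUN = re.compile(r"^HK\w+.*?\\Run: \[(.+?)\] (.*)$")
NAMESERVER = re.compile(r"NameServer = ([\d.,\s]+)$")
# O4/O17 entries copied from the first and second logs in this thread.
FIRST = r"""
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\avast\inst\ashDisp.exe
O4 - HKLM…\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O17 - HKLM\System\CCS\Services\Tcpip…{7BF43B40-D087-450F-BE00-34006DAE9111}: NameServer = 85.255.114.44,85.255.112.180
"""
SECOND = r"""
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\avast\inst\ashDisp.exe
O4 - HKLM…\Run: [dflnl.exe] C:\WINDOWS\System32\dflnl.exe
"""

def parse(log_text):
    """Return (section, body) pairs for every HijackThis entry line."""
    matches = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]

def autoruns(entries):
    """Map O4 Run-key value names to their command lines."""
    found = {}
    for section, body in entries:
        m = RUN.match(body) if section == "O4" else None
        if m:
            found[m.group(1)] = m.group(2)
    return found

def dns_overrides(entries):
    """Collect resolver addresses set through O17 NameServer entries."""
    ips = set()
    for section, body in entries:
        m = NAMESERVER.search(body) if section == "O17" else None
        if m:
            ips.update(re.split(r"[,\s]+", m.group(1).strip()))
    return ips

def compare(before, after, expected_dns=frozenset()):
    """Diff two scans: autorun names that changed, DNS overrides left over."""
    a, b = parse(before), parse(after)
    old, new = autoruns(a), autoruns(b)
    return {
        "removed": sorted(set(old) - set(new)),
        "appeared": sorted(set(new) - set(old)),
        "dns_cleared": sorted(dns_overrides(a) - dns_overrides(b)),
        "unexpected_dns": sorted(dns_overrides(b) - set(expected_dns)),
    }
```

For these two logs, `compare(FIRST, SECOND)` reports the Run value `hgqhp.exe` as removed, `dflnl.exe` as newly appeared in the same System32 location, and both NameServer addresses as cleared.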