Log


(Deus) #1

Hi!

I came home from school today and my dad told me that the computer had started acting up. Some window popped up and Explorer started freezing... In a panic my dad took the disk to a repair shop, where they supposedly removed all that junk, but the computer runs extremely slowly and on top of that Explorer is barely breathing.

Can you tell me where I can download IE6? (I know it's junk, but unfortunately I need it)

Log:

Logfile of HijackThis v1.99.1

Scan saved at 14:11:03, on 2005-06-16

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Tablet.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.exe

C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe

C:\WINDOWS\System32\ctfmon.exe

H:\PROGRAMY\Gadu-Gadu\gg.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\Wtablet\TabUserW.exe

C:\WINDOWS\System32\svchost.exe

H:\PROGRAMY\spybot\SpybotSD.exe

C:\WINDOWS\system32\sysocmgr.exe

H:\PROGRAMY\MOZILLA\mozilla.exe

C:\Downloads\hijackthis1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {AF2BE58C-6FF4-7D4E-ECB7-DF90E54A2D0D} - media64.dll (file missing)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\hrxrv.dll (file missing)

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

O2 - BHO: Internet Explorer Hot Fix - {C5AE95F4-9045-4748-B0B2-05851480AB6A} - C:\WINDOWS\System32\afzqe.dll (file missing)

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\hrxrv.dll (file missing)

O4 - HKLM..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM..\Run: [Desktop Tool] "E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe"

O4 - HKLM..\Run: [boundRec] powerdll.exe

O4 - HKLM..\Run: [KeywordFinder] hyandex.exe

O4 - HKLM..\Run: [mmrqoc] c:\windows\system32\jxchev.exe r

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU..\Run: [Gadu-Gadu] "H:\PROGRAMY\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

O4 - HKCU..\Run: [NopeZ] InpriseMon.exe

O4 - HKCU..\Run: [10010] SpyElim.exe

O4 - HKCU..\Run: [mozilla-text] SpyElim.exe

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - H:\PROGRAMY\flashget\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - H:\PROGRAMY\flashget\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRAMY\flashget\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRAMY\flashget\flashget.exe

O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip..{B74E6945-3A2D-4450-9E76-ACC92BD43A13}: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\Tcpip..{B7D3A25A-6A98-484B-9770-19FD5472D788}: NameServer = 69.50.184.84,195.225.176.37

O20 - Winlogon Notify: style2 - C:\WINDOWS\q2691015_disk.dll (file missing)

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe


I think I can remove this:

R3 - URLSearchHook: (no name) - {AF2BE58C-6FF4-7D4E-ECB7-DF90E54A2D0D} - media64.dll (file missing)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\hrxrv.dll (file missing)

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

O2 - BHO: Internet Explorer Hot Fix - {C5AE95F4-9045-4748-B0B2-05851480AB6A} - C:\WINDOWS\System32\afzqe.dll (file missing)

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\hrxrv.dll (file missing)

O4 - HKLM..\Run: [boundRec] powerdll.exe

O4 - HKLM..\Run: [KeywordFinder] hyandex.exe

O4 - HKLM..\Run: [mmrqoc] c:\windows\system32\jxchev.exe r

O4 - HKCU..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

O4 - HKCU..\Run: [NopeZ] InpriseMon.exe

O4 - HKCU..\Run: [10010] SpyElim.exe

O4 - HKCU..\Run: [mozilla-text] SpyElim.exe

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O17 - HKLM\System\CCS\Services\Tcpip..{B74E6945-3A2D-4450-9E76-ACC92BD43A13}: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\Tcpip..{B7D3A25A-6A98-484B-9770-19FD5472D788}: NameServer = 69.50.184.84,195.225.176.37

O20 - Winlogon Notify: style2 - C:\WINDOWS\q2691015_disk.dll (file missing)

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

but I'm not sure :stuck_out_tongue:

thanks in advance :slight_smile:


(Petro20) #2

Clean up the computer and install SP2 :slight_smile:


(Kuz5) #3

Well, you got some of them right but not all of them, and for now don't do anything with the O17 entries, or it will end with you losing your internet connection.

Remove: (you do all of this in Safe Mode, of course, with System Restore turned off)

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Start => Run => type services.msc => stop the System Startup Service, then open HijackThis Misc Tools => Delete NT service => type SvcProc => OK and restart the computer.

Delete the files marked in red from the disk manually.

If there are problems deleting Nail, delete it with Pocket Killbox: open Killbox, tick the Delete on Reboot option, then paste this path into the Full Path of File to Delete field:

C:\WINDOWS\Nail.exe

then the program will ask for a restart (you agree, of course)

I'm not 100% sure about these entries, I leave the decision to you: if you know it, leave it; if you don't, delete it:


(Gutek) #4

I suggest reading and having a look at Removing Nail.exe + svcproc.exe, which is described HERE :stuck_out_tongue:

and also:


(Deus) #5

thanks, there are no problems as such, but Explorer still hangs, or more precisely it takes 99% of the memory. If I open an additional window they take 50% and 49%. On top of that the "Links" bar is permanently locked and there is no option to unlock it (on another user it can be unlocked, but it still takes all the memory)

do you know what this could be?


(boczi) #6

Did you first remove everything you were told to?


(Musg) #7

how do you know, since there was so much junk in the log? Did you remove it?

Post a control log

we need a screenshot from Task Manager and a view of the remaining processes


(Deus) #8

log:

Logfile of HijackThis v1.99.1

Scan saved at 18:39:35, on 2005-06-16

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Tablet.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe

C:\WINDOWS\System32\ctfmon.exe

H:\PROGRAMY\Gadu-Gadu\gg.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\Wtablet\TabUserW.exe

C:\Program Files\Winamp\winamp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

H:\PROGRAMY\MOZILLA\mozilla.exe

G:\programy\fotoszop\Photoshop.exe

C:\Downloads\hijackthis1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\Reader\ActiveX\AcroIEHelper.dll

O4 - HKLM..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM..\Run: [Desktop Tool] "E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe"

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU..\Run: [Gadu-Gadu] "H:\PROGRAMY\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - H:\PROGRAMY\flashget\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - H:\PROGRAMY\flashget\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRAMY\flashget\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRAMY\flashget\flashget.exe

O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip..{B74E6945-3A2D-4450-9E76-ACC92BD43A13}: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\Tcpip..{B7D3A25A-6A98-484B-9770-19FD5472D788}: NameServer = 69.50.184.84,195.225.176.37

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

http://img78.echo.cx/img78/6950/1111gg.jpg task manager

http://img78.echo.cx/img78/8229/21uu.jpg right-click on the Explorer bar (other profiles don't have this)


(boczi) #9

That's not Explorer, it's Internet Explorer. Remember, we were thinking of the explorer.exe process, and that's not the same thing. Explorer is sort of the shell of all of Windows.

LOG OK, so do a scan with CWShredder.


(Musg) #10

remove those malicious DNS entries (worm), the rest of the log is ok

additionally, please post a log from this program:

http://www.silentrunners.org/

generate it and post the log from HijackThis and from Silent Runners

you know the removal method:

turn off System Restore, and remove the DNS entries using Fix in HijackThis

ps

how much did dad pay for the disk cleaning :hehhee

[-X [-X not ok


(Deus) #11

CWS doesn't find anything... And if I remove those DNS entries, won't I lose my internet by any chance?


(Deus) #12

silent:

"Silent Runners.vbs", revision 38, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""H:\PROGRAMY\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"Desktop Tool" = ""E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe"" ["Developed by http://www.eDrogene.com"]

HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)

\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = "AcroIEHlprObj Class" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "E:\adobe\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {CLSID}\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{D0FAC080-AE1A-11ce-8016-CE90976DC901}" = "Picture Publisher File Viewer"

-> {CLSID}\InProcServer32(Default) = "ppiv20.dll" [null data]

"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! "{6AC3806F-8B39-4746-9C38-6B01CB7331FF}" = "Memory monitor"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\q2691015_disk.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "Skrót internetowy" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "shdocvw.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

INFECTION WARNING! "System" = "csgkd.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

Group Policies [Description] {enabled Group Policy setting}:


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

HIJACK WARNING! "NoBandCustomize"=dword:00000001

[disables toolbar status changes in Internet Explorer|View|Toolbars]

{User Configuration|Administrative Templates|Windows Components|

Internet Explorer|Toolbars|Disable customizing browser toolbars}

Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Proba\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Proba" & "All Users" startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"TabUserW.exe" -> shortcut to: "C:\WINDOWS\system32\Wtablet\TabUserW.exe" ["Wacom Technology, Corp."]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Badanie"

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "H:\PROGRAMY\flashget\flashget.exe" ["Amaze Soft"]

Miscellaneous IE Hijack Points


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):

: ˙ţVersion

: Signature="$CHICAGO$"

: AdvancedINF=2.5,"You need a new version of advpack.dll"

Missing lines (compared with English-language version):

lines

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

HIJACK WARNING! "NavigationFailure" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "NavigationCanceled" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "OfflineInformation" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "blank" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "PostNotCached" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "MRU Update" = "1" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

TabletService, TabletService, "C:\WINDOWS\System32\Tablet.exe" ["Wacom Technology, Corp."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


This report excludes default entries except where indicated.

To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

hijack:

Logfile of HijackThis v1.99.1

Scan saved at 19:07:31, on 2005-06-16

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Tablet.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe

C:\WINDOWS\System32\ctfmon.exe

H:\PROGRAMY\Gadu-Gadu\gg.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\Wtablet\TabUserW.exe

H:\PROGRAMY\MOZILLA\mozilla.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Downloads\hijackthis1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\Reader\ActiveX\AcroIEHelper.dll

O4 - HKLM..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM..\Run: [Desktop Tool] "E:\telefon\Alcatel One Touch 535-735\DesktopTool\DesktopTool.exe"

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU..\Run: [Gadu-Gadu] "H:\PROGRAMY\Gadu-Gadu\gg.exe" /tray

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - H:\PROGRAMY\flashget\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - H:\PROGRAMY\flashget\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRAMY\flashget\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRAMY\flashget\flashget.exe

O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip..{B74E6945-3A2D-4450-9E76-ACC92BD43A13}: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\Tcpip..{B7D3A25A-6A98-484B-9770-19FD5472D788}: NameServer = 69.50.184.84,195.225.176.37

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe


(boczi) #13

I didn't notice those DNS entries. Sorry.

You won't lose your internet.

You have Trojan Flush.B.

Info: http://securityresponse.symantec.com/av ... ush.b.html

Someone will check your SilentRunners in a moment.
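As an added example (not from this thread, and not part of HijackThis or Silent Runners), here is a small Python triage script that applies the checks the replies above walk through to the log format posted here: hooks whose file is already missing, the system.ini Shell= override, O17 NameServer values outside an expected set, unknown-owner services sitting directly in the Windows directory, and Run entries that are bare file names. EXPECTED_DNS is an assumed placeholder for the ISP's real resolvers; the sample lines are copied from the first log in the thread.

```python
import re

# Assumption: the resolvers this machine is supposed to use. Placeholder value;
# replace with the ISP's real DNS servers (the thread's user knew which one "was always there").
EXPECTED_DNS = {"192.168.0.1"}

# Sample input: lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R3 - URLSearchHook: (no name) - {AF2BE58C-6FF4-7D4E-ECB7-DF90E54A2D0D} - media64.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\hrxrv.dll (file missing)
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KeywordFinder] hyandex.exe
O4 - HKLM\..\Run: [mmrqoc] c:\windows\system32\jxchev.exe r
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74E6945-3A2D-4450-9E76-ACC92BD43A13}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: style2 - C:\WINDOWS\q2691015_disk.dll (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

# Every HijackThis entry starts with a section code (R0, F2, O17, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return a list of (section, reason, original line) for entries worth acting on."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        # 1. Loader entries whose DLL/file is gone: a partial clean-up deleted the
        #    payload but left the registration behind (R3/O2/O3/O20 in the thread).
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            findings.append((sec, "orphaned hook, payload already deleted", raw))
        # 2. system.ini Shell= must be exactly Explorer.exe; anything appended
        #    (here Nail.exe) is started as part of the shell at every logon.
        elif sec == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((sec, "shell hijack: %s" % shell, raw))
        # 3. O17: every configured resolver must be one we expect, otherwise the
        #    machine's name resolution is under someone else's control.
        elif sec == "O17" and "NameServer" in body:
            servers = [s.strip() for s in body.split("=", 1)[1].split(",")]
            rogue = [s for s in servers if s not in expected_dns]
            if rogue:
                findings.append((sec, "DNS changed to %s" % ",".join(rogue), raw))
        # 4. O23: heuristic, unknown owner and an image directly in %WINDIR%
        #    rather than System32 or Program Files (svcproc.exe in the thread).
        elif sec == "O23" and "Unknown owner" in body:
            path = body.rsplit(" - ", 1)[1].strip()
            if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path, re.IGNORECASE):
                findings.append((sec, "unknown-owner service in Windows root", raw))
        # 5. O4: a bare file name is located by PATH search, so it needs a manual
        #    look (legitimate entries such as SOUNDMAN.EXE are flagged for review too).
        elif sec == "O4" and "]" in body:
            target = body.split("]", 1)[1].strip().strip('"').split()
            if target and "\\" not in target[0]:
                findings.append((sec, "review: bare executable name %s" % target[0], raw))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print("%-4s %-45s %s" % (sec, reason, line))
```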


(Musg) #14

but first you're supposed to remove those DNS entries and then post the Silent Runners log

ok?


(Deus) #15

the server addresses in my TCP/IP settings changed. I changed them back to what they were and the log looks like this:

Does Symantec say how to get rid of it?


put this kind of thing in a quote tag

it makes analysis easier and makes the post more readable

monczkin


(boczi) #16

Also delete:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B74E6945-3A2D-4450-9E76-ACC92BD43A13}: NameServer = 69.50.184.84,195.225.176.37

(Kuz5) #17

There's still one left


(Deus) #18

after removing the DNS entries


(Musg) #19

and where's the HijackThis log? There were supposed to be both :slight_smile:


(Deus) #20

well, not much changed in HijackThis :stuck_out_tongue: One DNS entry with the correct IPs stayed, because I remember it was always there.