patrol69
(Patrol69)
2 December 2005 15:25
#1
A moment ago I called the admin and he told me I have some junk on my machine and that's why they cut off some port for me; he said that once I remove it they'll restore the port!
Honestly I haven't noticed anything wrong with the computer, everything runs fine, well, maybe just the internet is a bit slow.
Monczkin
(Monczkin)
2 December 2005 15:28
#2
Gutek
(Gutek)
2 December 2005 15:29
#3
And where's the log? Post one from Silent Runners too.
luki1
(luki)
2 December 2005 15:43
#4
Sorry to butt in, but what is that? How do you use it? Maybe some description in Polish...??
patrol69
(Patrol69)
2 December 2005 15:44
#5
HiJack
Logfile of HijackThis v1.99.1
Scan saved at 16:43:42, on 2005-12-02
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programki\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Programki\Overnet0,53a\Overnet.exe
C:\Programki\JTV\JTVRemote.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programki\Panda Antivirus Platinum\pavsrv51.exe
C:\Programki\Panda Antivirus Platinum\AVENGINE.EXE
C:\Programki\Panda Antivirus Platinum\pavProxy.exe
C:\Programki\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programki\totalcmd\TOTALCMD.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\Programki\JTV\JTV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Internet\do wypakowania\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Programki\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programki\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Overnet] C:\Programki\Overnet0,53a\Overnet.exe -t
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\INTERN~2\MEDIAKEY.EXE
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: JTVRemote.lnk = C:\Programki\JTV\JTVRemote.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {2DF91772-19DC-47AE-B52F-B8E2FE545625} (Spd2 Class) - http://www.lemontv.pl/lmctrls.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O16 - DPF: {A6916797-7ABD-4F07-93AE-098B6F543129} (CO2Player Class) - http://www.lemontv.pl/lmctrlp.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Programki\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programki\Panda Antivirus Platinum\pavsrv51.exe
Silent
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com "]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"SCANINICIO" = ""C:\Programki\Panda Antivirus Platinum\Inicio.exe"" ["Panda Software"]
"APVXDWIN" = ""C:\Programki\Panda Antivirus Platinum\APVXDWIN.EXE" /s" ["Panda Software International"]
"Overnet" = "C:\Programki\Overnet0,53a\Overnet.exe -t" [empty string]
"MediaKey" = "C:\PROGRA~1\INTERN~2\MEDIAKEY.EXE" ["Dritek System Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\win rar\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{00020000-0000-1011-8004-0000C06B5161}" = "WIBU-SYSTEMS Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}" = "st3"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q75959.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\win rar\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\win rar\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\win rar\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Internet\tapetka.bmp"


Startup items in "PatroL" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\PatroL\Menu Start\Programy\Autostart
"JTVRemote" -> shortcut to: "C:\Programki\JTV\JTVRemote.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Panda anti-virus service, PAVSRV, "C:\Programki\Panda Antivirus Platinum\pavsrv51.exe" ["Panda Software"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 82 seconds, including 18 seconds for message boxes)
So, can you see anything dangerous??
Gutek
(Gutek)
2 December 2005 16:14
#6
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG. Use Pocket Killbox: tick the Delete on Reboot option, paste the path C:\WINDOWS\q75959.dll into the Full Path of File to Delete field and press the red X. The program will ask to restart the computer... so you restart. Then go into Safe Mode and run the FIX.REG file.
luki: just search, I've said it so many times. Silent description: http://www.searchengines.pl/phpbb203/in … opic=15989
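Gutek's diagnosis rests on the one SharedTaskScheduler entry whose DLL is missing. As an added example (not code from this thread or from Silent Runners), the Python below parses lines in the Silent Runners layout and flags Explorer launch-point entries and dead DLL references; the sample log, the LAUNCH_POINTS list and the triage wording are constructed for the example.

```python
import re

# Constructed sample in the two-line Silent Runners style seen in this thread: a
# registry key line, then '"{CLSID}" = "name"' followed by the InProcServer32 line
# carrying the DLL path and the signer / file-status tag.
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display panning CPL extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
"{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}" = "st3"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q75959.dll" [file not found]
"""

# Explorer launch points: a non-default CLSID here gets its DLL loaded at every
# logon. This short list is the editor's, not Silent Runners' own.
LAUNCH_POINTS = ("SharedTaskScheduler", "ShellServiceObjectDelayLoad", "ShellExecuteHooks")

KEY_RE = re.compile(r"^(HK(?:LM|CU)\\.*\\)$")
ENTRY_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})" = "(.*)"$')
SERVER_RE = re.compile(r'^\s*-> \{CLSID\}\\InProcServer32\\?\(Default\) = "([^"]*)" \[(.*)\]$')

def parse(log):
    """Group each CLSID entry with the registry key it lives under and its DLL line."""
    entries, key, cur = [], "", None
    for line in (raw.rstrip() for raw in log.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := ENTRY_RE.match(line):
            cur = {"key": key, "clsid": m.group(1), "name": m.group(2),
                   "path": "", "tag": "", "reasons": []}
            entries.append(cur)
        elif cur and (m := SERVER_RE.match(line)):
            cur["path"], cur["tag"] = m.group(1), m.group(2)
    return entries

def triage(entries):
    """Attach a reason to every entry worth a human look and return only those."""
    for e in entries:
        launch = next((lp for lp in LAUNCH_POINTS if lp in e["key"]), None)
        if launch:
            e["reasons"].append("non-default DLL loaded by Explorer at logon via " + launch)
        if e["tag"] == "file not found":
            e["reasons"].append("DLL missing: orphaned launch point, remove the registry entry"
                                if launch else "dead reference outside a launch point (low priority)")
    return [e for e in entries if e["reasons"]]
```

Run against the sample, the Panda extension passes, the Windows deskpan.dll leftover is reported as low priority, and the st3 entry gets both the launch-point and the orphan reason, which is exactly the combination the FIX.REG plus Killbox procedure above addresses.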
patrol69
(Patrol69)
2 December 2005 16:29
#7
Every now and then this message pops up for me
screen
I ran an online scanner over it, look what it detected
screen2
Gutek
(Gutek)
2 December 2005 16:40
#8
Since you have the location, delete the files manually in Safe Mode and post one more Silent log.
As for the IP, contact the admin - he'll fix it; someone made a mistake and entered your details, for example.
I suggest installing Ewido http://www.searchengines.pl/phpbb203/lo … 16762.html - update it and scan.
patrol69
(Patrol69)
2 December 2005 17:34
#9
Does everything look OK now??
Can I tell the admin that I've removed the virus and that he can unblock my port now??
Or could the virus still be hiding somewhere??
silent
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com "]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"SCANINICIO" = ""C:\Programki\Panda Antivirus Platinum\Inicio.exe"" ["Panda Software"]
"APVXDWIN" = ""C:\Programki\Panda Antivirus Platinum\APVXDWIN.EXE" /s" ["Panda Software International"]
"Overnet" = "C:\Programki\Overnet0,53a\Overnet.exe -t" [empty string]
"MediaKey" = "C:\PROGRA~1\INTERN~2\MEDIAKEY.EXE" ["Dritek System Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\win rar\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{00020000-0000-1011-8004-0000C06B5161}" = "WIBU-SYSTEMS Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}" = "st3"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q75959.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\win rar\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\win rar\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programki\win rar\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Internet\tapetka.bmp"


Startup items in "PatroL" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\PatroL\Menu Start\Programy\Autostart
"JTVRemote" -> shortcut to: "C:\Programki\JTV\JTVRemote.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Panda anti-virus service, PAVSRV, "C:\Programki\Panda Antivirus Platinum\pavsrv51.exe" ["Panda Software"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 70 seconds, including 17 seconds for message boxes)
Gutek
(Gutek)
2 December 2005 18:34
#10
OK, make a fix like this:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG. Then go into Safe Mode and run the FIX.REG file. Delete the file q75959.dll with Pocket Killbox once more.