el_pawi
(Sarimsakri)
12 Maj 2006 12:06
#1
Komputer sie strasznie muli i strona startowa jest zmieniona na secure32.html . Sprawdzeniłem HijackThis v1.99.1 i nie moge dojsc co jest nie tak.
Moge Prosic o pomoc.
Logfile of HijackThis v1.99.1 Scan saved at 09:16:31, on 2006-05-12 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\Program Files\TightVNC\WinVNC.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\PowerS.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\drwhtt.exe C:\WINDOWS\system32\0mcamcap.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\eMule\emule.exe C:\Program Files\BitLord\BitLord.exe c:\tool2.exe C:\WINDOWS\explorer.exe c:\Program Files\paytime.exe C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\admin\USTAWI~1\Temp\rsysinit.exe c:\Program Files\paytime.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\admin\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: Shell=explorer.exe “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe” O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM…\Run: [PowerS] C:\WINDOWS\PowerS.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [WinVNC] “C:\Program Files\TightVNC\WinVNC.exe” -servicehelper O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [sysTray] c:\Program Files\paytime.exe O4 - HKLM…\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe O4 - HKLM…\Run: [ZPoint] C:\WINDOWS\system32\winmuse.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe O4 - HKCU…\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe O4 - HKCU…\Run: [shell] “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe” O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip…{B2E2FD48-C78F-4CF7-A02E-3DCF9E4E6CA3}: NameServer = 217.28.150.195 O20 - AppInit_DLLs: C:\WINDOWS\system32\syst2.dll O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_15.dll O21 - SSODL: XqkAvN - {3CF0091D-965A-A3B7-78F7-B3CA680E0760} - C:\WINDOWS\system32\pxq.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
kuz5
(Kuz5)
12 Maj 2006 12:35
#2
Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE
Proponuje poczytać TEN temat i zobacz jaka jest prośba do userów wklejających loga.
Daruj sobie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html F2 - REG:system.ini: Shell=explorer.exe “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe” O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll O4 - HKLM…\Run: [sysTray] c:\Program Files\paytime.exe O4 - HKLM…\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe O4 - HKLM…\Run: [ZPoint] C:\WINDOWS\system32\winmuse.exe O4 - HKLM…\RunServices: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe O4 - HKCU…\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe O4 - HKCU…\Run: [shell] “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe” O20 - AppInit_DLLs: C:\WINDOWS\system32\syst2.dll O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_15.dll O21 - SSODL: XqkAvN - {3CF0091D-965A-A3B7-78F7-B3CA680E0760} - C:\WINDOWS\system32\pxq.dll
Pliki i foldery na czerwono usuń ręcznie z dysku a wpisy W HijackThis (wszystko oczywiście robisz w trybie awaryjnym z wyłączonym przywracaniem systemu)
Usuń jeszcze te pliki:
Pobierz program Ewido zrób update i przeskanuj
Wklej loga SilentRunners