Otwierają sie inne strony nich powinny ;-(

socjoloszka · 24 Październik 2007 18:22

Witam wszystkich,

chciałam prosić aby ktoś spojrzał na loga z kompa mojego szwagra i powiedział co jest nie tak . Problem polega na tym, że jak klika na jakis link to otwierają sie inne strony, zazwyczaj XXX, dopiero za trzecim razem otwiera sie własciwa strona.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:24:53, on 2007-10-24

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\bgsvcgen.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\wdfmgr.exe

C:\WINNT\System32\alg.exe

C:\WINNT\system32\wbem\wmiprvse.exe

C:\WINNT\Explorer.EXE

C:\WINNT\RTHDCPL.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program Files\Eset\nod32kui.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\FinePixViewer\QuickDCF2.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.236.110.194:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O1 - Hosts: 212.150.54.250 dv-networks.com

O1 - Hosts: 212.150.54.250 dv-networks.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1B5548AE-D4DC-45DE-A8EB-CACD4BE10DDB}: NameServer = 85.255.116.59,85.255.112.218

O17 - HKLM\System\CCS\Services\Tcpip\..\{1D1D0762-CC25-4F9A-A4B6-AD12707FC69F}: NameServer = 85.255.116.59,85.255.112.218

O17 - HKLM\System\CCS\Services\Tcpip\..\{1D4E6C7F-C60F-4B85-B3A6-8A12AD9D61F1}: NameServer = 85.255.116.59,85.255.112.218

O17 - HKLM\System\CCS\Services\Tcpip\..\{B737622D-D0AA-4D90-B841-7B60572092B6}: NameServer = 85.255.116.59,85.255.112.218

O17 - HKLM\System\CCS\Services\Tcpip\..\{C7D7EC10-7342-4EC2-A5A4-E87126014578}: NameServer = 85.255.116.59,85.255.112.218

O17 - HKLM\System\CCS\Services\Tcpip\..\{FD937F46-A7EF-451E-9A6F-381742106433}: NameServer = 85.255.116.59,85.255.112.218

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.59 85.255.112.218

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.59 85.255.112.218

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.59 85.255.112.218

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe


--

End of file - 7413 bytes

jessica · 24 Październik 2007 18:37

Masz ukraińską infekcję czyli Rootkit “Windows Security Center”.

Użyj -->FixWareout

Po jego użyciu może zajść potrzeba ustawiania od nowa DNS Twojego dostawcy internetowego.

–>Jak przywrócić prawidłowe DNS.

Potem:

O1 - Hosts: 212.150.54.250 dv-networks.com O1 - Hosts: 212.150.54.250 dv-networks.com O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE O17 - HKLM\System\CCS\Services\Tcpip…{1B5548AE-D4DC-45DE-A8EB-CACD4BE10DDB}: NameServer = 85.255.116.59,85.255.112.218 O17 - HKLM\System\CCS\Services\Tcpip…{1D1D0762-CC25-4F9A-A4B6-AD12707FC69F}: NameServer = 85.255.116.59,85.255.112.218 O17 - HKLM\System\CCS\Services\Tcpip…{1D4E6C7F-C60F-4B85-B3A6-8A12AD9D61F1}: NameServer = 85.255.116.59,85.255.112.218 O17 - HKLM\System\CCS\Services\Tcpip…{B737622D-D0AA-4D90-B841-7B60572092B6}: NameServer = 85.255.116.59,85.255.112.218 O17 - HKLM\System\CCS\Services\Tcpip…{C7D7EC10-7342-4EC2-A5A4-E87126014578}: NameServer = 85.255.116.59,85.255.112.218 O17 - HKLM\System\CCS\Services\Tcpip…{FD937F46-A7EF-451E-9A6F-381742106433}: NameServer = 85.255.116.59,85.255.112.218 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.59 85.255.112.218 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.59 85.255.112.218 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.59 85.255.112.218

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Daj raport z C:\Fixwareout.txt.

Możesz dać jeszcze log z ComboFix (na dole tej strony z linku) -

Log wklej na http://wklej.org/, a w poście daj tylko link.(czyli skopiuj adres z paska adresów).

jessi

socjoloszka · 24 Październik 2007 21:32

Pomogło!! w imieniu szwagra :mrgreen: dzieki jessi