Prosze o spradzeenie loga


(Cielik) #1

Witam,

Prosze o ponowne sprawdzenie loga. Jakis czas temu mialem proble http://forum.dobreprogramy.pl/viewtopic ... highlight= i niestety pojawil sie ponownie. Pojawil sie po wybraniu Firefoxa jako domyslnej przegladarki. Problem to wyskakujace niechciane strony.

Oto log:

Logfile of HijackThis v1.99.1

Scan saved at 15:11:20, on 05-11-29

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE

C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE

C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\WINDOWS\SYSTEM\WINVNC.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\SAFENET SENTINEL\SENTINEL PROTECTION SERVER\WIN9X\SPNSRV9X.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\GADU-GADU\GG.EXE

C:\PROGRAM FILES\COREL\GRAPHICS9\PROGRAMS\CORELDRW.EXE

C:\PROGRAM FILES\THE BAT!\THEBAT.EXE

C:\TOTALCMD\TOTALCMD.EXE

C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [SentinelProtectionServer] C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\Win9x\spnsrv9x.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE

O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKLM\..\RunServices: [WinVNC] "C:\WINDOWS\SYSTEM\WINVNC.EXE" -service

O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Command WorkStation.lnk = C:\Program Files\Fiery\CStation\cstation.exe

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.100.25

====================================

Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE

Proponuje poczytać TEN temat i zobacz jaka jest prośba do userów wklejających loga.

Pozdrawiam kuz5


(Gutek) #2

Ten log nic nie pokazuje - daj log z Silenta - linka miałeś wcześniej :wink:


(Cielik) #3

Witam Cie,

Gdy skanuje kompa Ad-Aware na ADSy to mi wyskakuje kilka opcji do usuniecia, ale jak usune, to wywala mi sie explorer i nic nie da sie zrobic. Dobrze ze zroobilem sobie kopie rejestru :wink: Jak sie zeskanuje to napisze co tam jest.

Ponizej log.

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows 98

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"internat.exe" = "internat.exe" [MS]

"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]

"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]

"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"Zasobnik systemowy" = "SysTray.Exe" [MS]

"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

"vptray" = "C:\PROGRA~1\SYMANT~1\VPTRAY.EXE" ["Symantec Corporation"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]

"SentinelProtectionServer" = "C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\Win9x\spnsrv9x.exe" ["SafeNet, Inc."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}

"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]

"ccEvtMgr" = ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]

"ccSetMgr" = ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

"defwatch" = "C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE" ["Symantec Corporation"]

"rtvscn95" = "C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE" ["Symantec Corporation"]

"Machine Debug Manager" = "C:\WINDOWS\SYSTEM\MDM.EXE" [MS]

"WinVNC" = ""C:\WINDOWS\SYSTEM\WINVNC.EXE" -service" ["AT&T Research Labs Cambridge"]

"RNBOStart" = "C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE" [null data]

"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\nero\neroshx.dll" ["Ahead Software AG"]

"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "Startup" & "All Users...Startup" folders:

-----------------------------------------------------------


C:\WINDOWS\Menu Start\Programy\Autostart

"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"Command WorkStation" -> shortcut to: "C:\Program Files\Fiery\CStation\cstation.exe" ["Electronics for Imaging, Inc."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:

C:\WINDOWS\SYSTEM\msafd.dll [MS], 1 - 3

C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 4 - 5

C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 6



Miscellaneous IE Hijack Points

------------------------------


HKLM\Software\Microsoft\Internet Explorer\Version = (invalid data)

The Internet Explorer version cannot be found!


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

The contents of IERESET.INF cannot be reliably checked!


Added lines (compared with English-language version):

[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"


Missing lines (compared with English-language version):

[Strings]: 2 lines



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

SEH Print Monitor\Driver = "sehmon.dll" [null data]

Canon LPR Port\Driver = "clprmon.dll" ["CANON INC."]

SYSFMON\Driver = "SYSFMON.DLL" ["Conceptual Systems."]

RDGCOMMON Language Monitor\Driver = "RDCOMMON.DLL" ["Roland DG Corporation"]

BJ Language Monitor WW i950\Driver = "CJPLM4D.DLL" ["CANON INC."]

CP220 Port Monitor\Driver = "USBMON.DLL" [MS]

CNYCP Language Monitor\Driver = "CNYCPLM.DLL" ["CANON INC."]

PostScript Language Monitor\Driver = "PSMON.DLL" [MS]

FUJIFILM PICTRO SCSI Port\Driver = "PGPM.DLL" ["FUJI PHOTO FILM CO.,LTD."]

FUJIFILM PG4000II Language Monitor\Driver = "PG4LM.DLL" ["FUJI PHOTO FILM CO.,LTD."]

PDF Port\Driver = "C:\WINDOWS\SYSTEM\pdfports.dll" ["Adobe Systems Incorporated."]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 12 seconds, including 6 seconds for message boxes)

Złączono Posta : 29.11.2005 (Wto) 16:35A oto log z Ad-Aware:

MRU List Object Recognized!

    Location: : .DEFAULT\software\microsoft\windows\currentversion\applets\wordpad\recent file list

    Description : list of recent files opened using wordpad



 MRU List Object Recognized!

    Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\doc find spec mru

    Description : list of recently used search terms for locating files using the microsoft windows operating system



 MRU List Object Recognized!

    Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru

    Description : mru list for items opened in start | run



 MRU List Object Recognized!

    Location: : .DEFAULT\software\winrar\dialogedithistory\extrpath

    Description : winrar "extract-to" history




Performing conditional scans...

»»»»

»»»»»

»»»»»»

»»»»»»»

»»»»»»»

»»»»»»»

»»


 CoolWebSearch Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 10

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\downloadmanager


 CoolWebSearch Object Recognized!

    Type : RegValue

    Data : 

    TAC Rating : 10

    Category : Malware

    Comment : 

    Rootkey : HKEY_CURRENT_USER

    Object : software\microsoft\internet explorer\main

    Value : Enable Browser Extensions


 CoolWebSearch Object Recognized!

    Type : RegData

    Data : about:blank

    TAC Rating : 10

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\internet explorer\main

    Value : Start Page

    Data : about:blank


 CoolWebSearch Object Recognized!

    Type : File

    Data : hosts

    TAC Rating : 10

    Category : Malware

    Comment : 

    Object : C:\WINDOWS\




Conditional scan result:

»»»»

»»»»»

»»»»»»

»»»»»»»

»»»»»»»

»»»»»»»

»»

New critical objects: 4

Objects found so far: 19


16:34:49 Scan Complete


Summary Of This Scan

»»»&

raquo;»»»

»»»»»

»»»»»»

»»»»»»»

»»»»»»»»

»»»»»

Total scanning time:00:01:48.260

Objects scanned:39595

Objects identified:7

Objects ignored:0

New critical objects:7

(Gutek) #4

A mozesz dac screeny tych stron co wyskakuja albo adresy?

Ja używam na reklamy Launch Ad Muncher - blokuje każdą


(Cielik) #5

Wlasnie zainstalowalem. Wylacze go, poczekam na stronki i podam linki

Złączono Posta : 29.11.2005 (Wto) 18:04

Jak na zlosc nie chcialo nic wyskakiwac, ale juz sie pojawilo:

1.

http://www212.paypopup.com/networks/bco ... _prepopped

2.

http://www.searc-h.com/normal/yyy102.html

3.

http://www.super-stock.com/normal/yyy102.html

4.

http://www.shop-savings.com/normal/yyy102.html

To sa takie stronki. Jeszcze bede tu przez jakies 15-20 min. Jak cos wymyslisz to daj znac, potem bede z domu nadawal i nie bede mial mozliwosci dac loga. Ewentualnie rano moge wrzucic loga. Jak na razie odpale

Pozdro


(Gutek) #6

Więc używaj tego programu nie wyskoczą, ale użyj jeszcze http://www.searchengines.pl/phpbb203/in ... opic=26221

Usuwanie VX2.BetterInternet i daj log nr 1 z narzędzia L2Mfix - chcę coś sprawdzić