Proszę o sprawdzenie Loga

Dla specjalistów Bezpieczeństwo
#1

prosze osprawdzenie loga- dodam że jest to starszy komp z prockiem166 i Win 98 -z gory dzięki

Logfile of HijackThis v1.99.1

Scan saved at 18:52:25, on 05-03-29

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

D:\NORTON ANTYWIRUS 2003\ADVTOOLS\NPROTECT.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\SYSTEM\NRB1HMTWFKBTHD.EXE

C:\WINDOWS\SYSTEM\XWCN2GS2ESH7DVB.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

E:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31403

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\VXTV87~1.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton Antywirus 2003\NavShExt.dll

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM…\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM…\Run: [systemTray] SysTray.Exe

O4 - HKLM…\Run: [Zasobnik systemowy] SysTray.Exe

O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”

O4 - HKLM…\Run: [ccRegVfy] “C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe”

O4 - HKLM…\Run: [Advanced Tools Check] D:\NORTON~1\ADVTOOLS\ADVCHK.EXE

O4 - HKLM…\Run: [NPROTECT] D:\NORTON~1\ADVTOOLS\NPROTECT.EXE

O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE

O4 - HKLM…\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O4 - HKLM…\Run: [Control handler] C:\WINDOWS\SYSTEM\NRB1HMTWFKBTHD.EXE

O4 - HKLM…\RunServices: [ccEvtMgr] “C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”

O4 - HKLM…\RunServices: [NPROTECT] D:\NORTON~1\ADVTOOLS\NPROTECT.EXE

O4 - HKLM…\RunServices: [scriptBlocking] “C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe” -reg

O4 - HKCU…\Run: [romahere3] C:\WINDOWS\SYSTEM\XWCN2GS2ESH7DVB.EXE

O8 - Extra context menu item: Download using FlashGet - E:\PROGRAM FILES\FLASHGET\jc_link.htm

O8 - Extra context menu item: Download All by FlashGet - E:\PROGRAM FILES\FLASHGET\jc_all.htm

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h … xdm066YYPL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotchbar.com

O15 - Trusted Zone: *.iframedollars.biz

O15 - Trusted Zone: *.windupdates.com (HKLM)

O15 - Trusted Zone: *.skoobidoo.com (HKLM)

O15 - Trusted Zone: *.slotchbar.com (HKLM)

O15 - Trusted Zone: *.iframedollars.biz (HKLM)

O15 - Trusted IP range: 213.159.117.202

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ … 1/chat.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe … loader.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu … .0.0.8.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = simon

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 194.204.159.1,194.204.152.34

O18 - Filter: text/html - {21738C00-9FC3-11D9-AAA6-0060EECF8AD4} - C:\WINDOWS\SYSTEM\DPMB.DLL

O18 - Filter: text/plain - {21738C00-9FC3-11D9-AAA6-0060EECF8AD4} - C:\WINDOWS\SYSTEM\DPMB.DLL

#2

Wszystkie czynności wykonuj w trybie awaryjnym (naciskasz F8 w czasie włączania komputera, gdy ukazują się informacje o karcie graficznej, etc.):

To usuwasz ręcznie

C:\WINDOWS\SYSTEM\NRB1HMTWFKBTHD.EXE

   	C:\WINDOWS\SYSTEM\XWCN2GS2ESH7DVB.EXE

To usuwasz z hijacka

Wpisy:

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.slotchbar.com

O15 - Trusted Zone: *.iframedollars.biz

O15 - Trusted Zone: *.windupdates.com (HKLM)

O15 - Trusted Zone: *.skoobidoo.com (HKLM)

O15 - Trusted Zone: *.slotchbar.com (HKLM)

O15 - Trusted Zone: *.iframedollars.biz (HKLM)

O15 - Trusted IP range: 213.159.117.202

Usuwasz narzędziem Kill Trusted 0.6 http://www.searchengines.pl/phpbb203/in … opic=26221

Potem na nowo log.

#3

KillTrusted 0.7 nowszy od dawna jest na naszym forum :stuck_out_tongue:

#4

Logfile of HijackThis v1.99.1

Scan saved at 19:35:35, on 05-03-29

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

D:\NORTON ANTYWIRUS 2003\ADVTOOLS\NPROTECT.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

E:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton Antywirus 2003\NavShExt.dll

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM…\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM…\Run: [systemTray] SysTray.Exe

O4 - HKLM…\Run: [Zasobnik systemowy] SysTray.Exe

O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”

O4 - HKLM…\Run: [ccRegVfy] “C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe”

O4 - HKLM…\Run: [Advanced Tools Check] D:\NORTON~1\ADVTOOLS\ADVCHK.EXE

O4 - HKLM…\Run: [NPROTECT] D:\NORTON~1\ADVTOOLS\NPROTECT.EXE

O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE

O4 - HKLM…\RunServices: [ccEvtMgr] “C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”

O4 - HKLM…\RunServices: [NPROTECT] D:\NORTON~1\ADVTOOLS\NPROTECT.EXE

O4 - HKLM…\RunServices: [scriptBlocking] “C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe” -reg

O8 - Extra context menu item: Download using FlashGet - E:\PROGRAM FILES\FLASHGET\jc_link.htm

O8 - Extra context menu item: Download All by FlashGet - E:\PROGRAM FILES\FLASHGET\jc_all.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O15 - Trusted IP range: 213.159.117.202

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ … 1/chat.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe … loader.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu … .0.0.8.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = simon

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 194.204.159.1,194.204.152.34

robilem jak mowiłestylko r4ecznie nie dalo usunać się tego C/windows/system/xwcn2gs2…

#5

R3 z “_” kreskąską" usuniesz Registrar Lite.

Jeszcze raz użyj KillTrusted 0.7

Te zaznaczone wpisy hijackiem usuniesz w trybie awaryjnym.

Pocket Killbox Zaznaczasz opcję Delete on Reboot i w polu Full Path of File to Delete wklejasz

ścieżkę C:\windows\system\xwcn2gs2…

Program poprosi o reset kompa … czyli resetujesz. Ale całą nazwę pliku nie … :stuck_out_tongue:

#6

Wydzielono z innego tematu :smiley: