Proszę o sprawdzenie loga

cholek00 · 22 Styczeń 2006 14:20

Witam

Mój problem polega na tym że załapałem wirusa czy tam szpiega, ten program Spy Sheriff mi się zainstalował przez linka z krakiem i otwierają mi się cały czas stronki z reklamami. Proszę o pomos!! Za bardzo nie wiem o co chodzi w tym wszystkim więc proszę o dokładne wytłumaczenie. Z góry dziękuję.

Oto mój log

Logfile of HijackThis v1.99.1 Scan saved at 15:05:32, on 06-01-22 Platform: Windows 98 Gold (Win9x 4.10.1998) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MSTASK.EXE E:\AVAST\ASHSERV.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\INTERNAT.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\CREATIVE\NEWS\NEWSUPD.EXE C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\PROGRAM FILES\WANADOO\TASKBARICON.EXE C:\WINDOWS\SYSTEM\PAYTIME.EXE C:\WINDOWS\WINSYSBAN.EXE C:\WINDOWS\SYSTEM\LEXBCES.EXE E:\AVAST\ASHWEBSV.EXE E:\AVAST\ASHMAISV.EXE E:\MOZILLA\MOZILLA.EXE C:\WINSTALL.EXE C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE C:\PROGRAM FILES\COMMON FILES\QMOO\QMOOM.EXE C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE C:\WINDOWS\SYSTEM\LEXPPS.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\RUNDLL32.EXE C:\PROGRAM FILES\WANADOO\ESPACEWANADOO.EXE C:\PROGRAM FILES\WANADOO\COMCOMP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\WANADOO\WATCH.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE E:\ACDSEE\ACD\ACDSEE\ACDSEE.EXE E:\GG\GADU-GADU\GG.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE E:\WINZIP\WINZIP32.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O1 - Hosts: 127.0.0.5 makethemcry.com O1 - Hosts: 127.0.0.5 loudcash.com O1 - Hosts: 127.0.0.5 iframestat.com O1 - Hosts: 127.0.0.5 toolbarpartner.com O1 - Hosts: 127.0.0.5 hqcash.com O1 - Hosts: 127.0.0.5 verybigcash.com O1 - Hosts: 127.0.0.5 makethemcry.com O1 - Hosts: 127.0.0.5 moviepartnership.com O1 - Hosts: 127.0.0.5 callmachine.com O1 - Hosts: 127.0.0.5 regcash.com O1 - Hosts: 127.0.0.5 toolbarpartner.com O1 - Hosts: 127.0.0.5 klikrevenue.com O1 - Hosts: 127.0.0.5 p2dll.com O1 - Hosts: 127.0.0.5 t73.com O1 - Hosts: 127.0.0.5 http://www.makethemcry.com O1 - Hosts: 127.0.0.5 http://www.loudcash.com O1 - Hosts: 127.0.0.5 http://www.iframestat.com O1 - Hosts: 127.0.0.5 http://www.toolbarpartner.com O1 - Hosts: 127.0.0.5 http://www.hqcash.com O1 - Hosts: 127.0.0.5 http://www.verybigcash.com O1 - Hosts: 127.0.0.5 http://www.makethemcry.com O1 - Hosts: 127.0.0.5 http://www.moviepartnership.com O1 - Hosts: 127.0.0.5 http://www.callmachine.com O1 - Hosts: 127.0.0.5 http://www.regcash.com O1 - Hosts: 127.0.0.5 http://www.toolbarpartner.com O1 - Hosts: 127.0.0.5 http://www.klikrevenue.com O1 - Hosts: 127.0.0.5 http://www.p2dll.com O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM…\Run: [internat.exe] internat.exe O4 - HKLM…\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM…\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM…\Run: [systemTray] SysTray.ExE O4 - HKLM…\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM…\Run: [Zasobnik systemowy] SysTray.Exe O4 - HKLM…\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q O4 - HKLM…\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe O4 - HKLM…\Run: [autoclk] autoclk.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\WANADOO\TaskbarIcon.exe O4 - HKLM…\Run: [LexStart] lexstart.exe O4 - HKLM…\Run: [WinampAgent] “E:\WINAMP\WINAMPa.exe” O4 - HKLM…\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe O4 - HKLM…\Run: [winsysupd] C:\WINDOWS\WINSYSUPD.exe O4 - HKLM…\Run: [winsysban] C:\WINDOWS\WINSYSBAN.exe O4 - HKLM…\Run: [avast! Web Scanner] E:\AVAST\ASHWEBSV.EXE O4 - HKLM…\Run: [ashMaiSv] E:\AVAST\ashmaisv.exe O4 - HKLM…\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM…\RunServices: [schedulingAgent] mstask.exe O4 - HKLM…\RunServices: [avast!] E:\Avast\ashServ.exe O4 - HKCU…\Run: [Mozilla Quick Launch] “e:\Mozilla\Mozilla.exe” -turbo O4 - HKCU…\Run: [Gadu-Gadu] “E:\GG\GADU-GADU\GG.EXE” /tray O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [QMOO] C:\PROGRAM FILES\COMMON FILES\QMOO\QMOOM.EXE O4 - HKCU…\Run: [shell] “C:\WINDOWS\SYSTEM\ibm00003.exe” O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru … ebscan.cab

====================================

Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE

Proponuje poczytać TEN temat i zobacz jaka jest prośba do userów wklejających loga.

Pozdrawiam kuz5

kacz2n · 22 Styczeń 2006 14:28

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html O1 - Hosts: 127.0.0.5 makethemcry.com O1 - Hosts: 127.0.0.5 loudcash.com O1 - Hosts: 127.0.0.5 iframestat.com O1 - Hosts: 127.0.0.5 toolbarpartner.com O1 - Hosts: 127.0.0.5 hqcash.com O1 - Hosts: 127.0.0.5 verybigcash.com O1 - Hosts: 127.0.0.5 makethemcry.com O1 - Hosts: 127.0.0.5 moviepartnership.com O1 - Hosts: 127.0.0.5 callmachine.com O1 - Hosts: 127.0.0.5 regcash.com O1 - Hosts: 127.0.0.5 toolbarpartner.com O1 - Hosts: 127.0.0.5 klikrevenue.com O1 - Hosts: 127.0.0.5 p2dll.com O1 - Hosts: 127.0.0.5 t73.com O1 - Hosts: 127.0.0.5 http://www.makethemcry.com O1 - Hosts: 127.0.0.5 http://www.loudcash.com O1 - Hosts: 127.0.0.5 http://www.iframestat.com O1 - Hosts: 127.0.0.5 http://www.toolbarpartner.com O1 - Hosts: 127.0.0.5 http://www.hqcash.com O1 - Hosts: 127.0.0.5 http://www.verybigcash.com O1 - Hosts: 127.0.0.5 http://www.makethemcry.com O1 - Hosts: 127.0.0.5 http://www.moviepartnership.com O1 - Hosts: 127.0.0.5 http://www.callmachine.com O1 - Hosts: 127.0.0.5 http://www.regcash.com O1 - Hosts: 127.0.0.5 http://www.toolbarpartner.com O1 - Hosts: 127.0.0.5 http://www.klikrevenue.com O1 - Hosts: 127.0.0.5 http://www.p2dll.com O4 - HKLM…\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe O4 - HKLM…\Run: [winsysupd] C:\WINDOWS\WINSYSUPD.exe O4 - HKLM…\Run: [winsysban] C:\WINDOWS\WINSYSBAN.exe O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [QMOO] C:\PROGRAM FILES\COMMON FILES\QMOO\QMOOM.EXE O4 - HKCU…\Run: [shell] “C:\WINDOWS\SYSTEM\ibm00003.exe” O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Wyłączyć przywracanie systemu w XP (opis tutaj)
Restart komputera do trybu awaryjnego (opis w powyższym linku)
Zaznaczyć wpisy w Hijacku które zaznaczyłem i kliknąć Fix checked
Skasować z dysku pliki i foldery wyróżnione na czerwono
Przeskanować skanerami online oraz antyspyware’ami
Wkleić nowy log do sprawdzenia

usuwanie fałszywej tapety SpySheriff zobacz

TU

A poza tym trzeba było się nuie szwędać po stronach z crackami.

cholek00 · 23 Styczeń 2006 19:16

prosze o ponowne sprawdzenie loga

Logfile of HijackThis v1.99.1

Scan saved at 20:17:16, on 06-01-23

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

E:\AVAST\ASHSERV.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\PROGRAM FILES\CREATIVE\NEWS\NEWSUPD.EXE

C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE

C:\PROGRAM FILES\WANADOO\TASKBARICON.EXE

E:\AVAST\ASHWEBSV.EXE

E:\AVAST\ASHMAISV.EXE

E:\MOZILLA\MOZILLA.EXE

E:\GG\GADU-GADU\GG.EXE

C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE

C:\WINDOWS\SYSTEM\LEXBCES.EXE

C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE

C:\WINDOWS\SYSTEM\LEXPPS.EXE

C:\PROGRAM FILES\WANADOO\ESPACEWANADOO.EXE

C:\PROGRAM FILES\WANADOO\COMCOMP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\WANADOO\WATCH.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

E:\HIJACKTHIS.EXE


O4 - HKLM\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.ExE

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe

O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [autoclk] autoclk.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\WANADOO\TaskbarIcon.exe

O4 - HKLM\..\Run: [LexStart] lexstart.exe

O4 - HKLM\..\Run: [WinampAgent] "E:\WINAMP\WINAMPa.exe"

O4 - HKLM\..\Run: [avast! Web Scanner] E:\AVAST\ASHWEBSV.EXE

O4 - HKLM\..\Run: [ashMaiSv] E:\AVAST\ashmaisv.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [avast!] E:\Avast\ashServ.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "e:\Mozilla\Mozilla.exe" -turbo

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\GG\GADU-GADU\GG.EXE" /tray

O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

Gutek · 23 Styczeń 2006 19:40

Juz Ok

cholek00 · 24 Styczeń 2006 15:24

nie do końca bo nadal wyskakują mi okna z reklamami!!

Gutek · 24 Styczeń 2006 15:49

No to pobierz FindIt9xme.zip

Rozpakuj i uruchom Find.bat. Pozwól mu pracować dopóki program nie stworzy loga output.txt. i mi go pokaz

cholek00 · 24 Styczeń 2006 19:40

Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you’re doing.

------- System Files in System Directory -------

Wolumin w stacji dysk˘w C: SYSTEM

Numer seryjny woluminu: 2C24-1EFD

Katalog C:\WINDOWS\SYSTEM

MJCN30 DLL 226 592 06.01.19 19:53 MJCN30.DLL

MNCRLREV DLL 226 592 06.01.19 19:53 mncrlrev.dll

GSI32 DLL 226 592 06.01.19 19:53 GSI32.DLL

GKU32 DLL 226 592 06.01.19 19:53 GKU32.DLL

MTACM DLL 226 592 06.01.19 19:53 MTACM.DLL

DREML DLL 226 592 06.01.19 19:53 DREML.DLL

MDCUIA32 DLL 226 592 06.01.19 19:53 MDCUIA32.DLL

7 plik(˘w) 1 586 144 bajt˘w

0 katalog(˘w) 3 161,96 MB wolnych

------- Hidden Files in System Directory -------

Wolumin w stacji dysk˘w C: SYSTEM

Numer seryjny woluminu: 2C24-1EFD

Katalog C:\WINDOWS\SYSTEM

LXBZMA GID 40 603 06.01.16 19:40 lxbzma.GID

FOLDER HTT 12 879 06.01.14 0:06 folder.htt

DESKTOP INI 266 06.01.14 0:06 desktop.ini

3 plik(˘w) 53 748 bajt˘w

0 katalog(˘w) 3 161,96 MB wolnych

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

“{6B25D1A3-95EC-F3C8-183D-596ACF474826}”=""

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“internat.exe”=“internat.exe”

“ScanRegistry”=“C:\WINDOWS\scanregw.exe /autorun”

“TaskMonitor”=“C:\WINDOWS\taskmon.exe”

“SystemTray”=“SysTray.ExE”

“LoadPowerProfile”=“Rundll32.exe powrprof.dll,LoadCurrentPwrScheme”

“Zasobnik systemowy”=“SysTray.Exe”

“NewsUpd”=“C:\Program Files\Creative\News\NewsUpd.EXE /q”

“Disc Detector”=“C:\Program Files\Creative\ShareDLL\CtNotify.exe”

“autoclk”=“autoclk.exe”

“WOOWATCH”=“C:\PROGRA~1\WANADOO\Watch.exe”

“WOOTASKBARICON”=“C:\PROGRA~1\WANADOO\TaskbarIcon.exe”

“LexStart”=“lexstart.exe”

“WinampAgent”="“E:\WINAMP\WINAMPa.exe”"

“avast! Web Scanner”=“E:\AVAST\ASHWEBSV.EXE”

“ashMaiSv”=“E:\AVAST\ashmaisv.exe”

“BearShare”="“E:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE” /pause"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

“Installed”=“1”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

“NoChange”=“1”

“Installed”=“1”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

“Installed”=“1”

Gutek · 24 Styczeń 2006 20:11

Odcinasz net na O!