Krzaq
(Danrock)
19 February 2006 14:53
#1
Please check my log, because pages keep opening all the time even though I'm not browsing the web or doing anything, the computer runs unstably, and none of the programs I use can remove some of the trojans.
Logfile of HijackThis v1.99.1
Scan saved at 14:53:34, on 19/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINNT\system32\drwtsn32.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\sstqn.dll
O2 - BHO: MFCOptimizeClass Object - {C25FA7CE-23EA-4271-A66D-06C4D5C22F78} - C:\WINNT\system32\qopon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [Error Safe] C:\Program Files\Error Safe\ers.exe /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [ipNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\RunServices: [winsystems25] spread.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Error Safe] C:\Program Files\Error Safe\ers.exe /min
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Digimax Viewer 2.1.lnk = C:\Documents and Settings\Administrator\My Documents\STImgBrowser.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 8731046353
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EDB83F6-E9B8-4943-B9AB-28F6276EA4FD}: NameServer = 80.225.254.178 80.225.254.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EDB83F6-E9B8-4943-B9AB-28F6276EA4FD}: NameServer = 80.225.254.178 80.225.254.186
O20 - Winlogon Notify: CLSID - C:\WINNT\
O20 - Winlogon Notify: ljjjg - ljjjg.dll (file missing)
O20 - Winlogon Notify: NetCache - C:\WINNT\system32\fp4003hme.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: opnmj - C:\WINNT\system32\opnmj.dll (file missing)
O20 - Winlogon Notify: qopon - C:\WINNT\system32\qopon.dll
O20 - Winlogon Notify: rqomn - rqomn.dll (file missing)
O20 - Winlogon Notify: ssqro - ssqro.dll (file missing)
O20 - Winlogon Notify: sstqn - C:\WINNT\SYSTEM32\sstqn.dll
O20 - Winlogon Notify: wvwts - wvwts.dll (file missing)
O20 - Winlogon Notify: xxwuu - C:\WINNT\system32\xxwuu.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe (file missing)
O23 - Service: wxpdll32 - Unknown owner - C:\WINNT\wxpdll32.exe (file missing)
Thanks in advance!
I've never seen so much crud in my life :o
Do everything in Safe Mode with System Restore turned off; delete the bolded files/folder manually:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\sstqn.dll
O2 - BHO: MFCOptimizeClass Object - {C25FA7CE-23EA-4271-A66D-06C4D5C22F78} - C:\WINNT\system32\qopon.dll
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe (uninstall "MediaGateway" in Add/Remove Programs)
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\RunServices: [winsystems25] spread.exe (the file is in c:\WINNT\system32)
O4 - HKCU\..\Run: [Error Safe] C:\Program Files\Error Safe\ers.exe /min
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: CLSID - C:\WINNT\
O20 - Winlogon Notify: ljjjg - ljjjg.dll (file missing)
O20 - Winlogon Notify: NetCache - C:\WINNT\system32\fp4003hme.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: opnmj - C:\WINNT\system32\opnmj.dll (file missing)
O20 - Winlogon Notify: qopon - C:\WINNT\system32\qopon.dll
O20 - Winlogon Notify: rqomn - rqomn.dll (file missing)
O20 - Winlogon Notify: ssqro - ssqro.dll (file missing)
O20 - Winlogon Notify: sstqn - C:\WINNT\SYSTEM32\sstqn.dll
O20 - Winlogon Notify: wvwts - wvwts.dll (file missing)
O20 - Winlogon Notify: xxwuu - C:\WINNT\system32\xxwuu.dll (file missing)
Download KillBox http://viruscenter.pl/downloads.php?cat … load_id=34 , run it, tick Delete on Reboot and paste in these paths:
C:\WINNT\system32\qopon.dll
C:\WINNT\system32\rqomn.dll
C:\WINNT\system32\ssqro.dll
C:\WINNT\system32\sstqn.dll
C:\WINNT\system32\wvwts.dll
C:\WINNT\system32\opnmj.dll
C:\WINNT\system32\ljjjg.dll
C:\WINNT\system32\nwprovau.dll
C:\WINNT\system32\xxwuu.dll
Click the X; a reboot is required.
Start>>>Run>>>services.msc>>>stop and disable the services: windows virus scanner (windows antivirus), wxpdll32
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe (file missing)
O23 - Service: wxpdll32 - Unknown owner - C:\WINNT\wxpdll32.exe (file missing)
Scan with these:
Panda
Kaspersky
CWShredder
Spybot S&D 1.4
Ad-Aware SE 1.6
Pest Patrol
Throw out everything they find.
Post a new HijackThis log + l2mfix
Krzaq
(Danrock)
19 February 2006 17:35
#3
This is what the log looks like after doing everything you told me:
Logfile of HijackThis v1.99.1
Scan saved at 17:38:08, on 19/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Network\ipnetwork.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\sstqn.dll
O2 - BHO: MFCOptimizeClass Object - {C25FA7CE-23EA-4271-A66D-06C4D5C22F78} - C:\WINNT\system32\qopon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [ipNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Error Safe] C:\Program Files\Error Safe\ers.exe /min
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Digimax Viewer 2.1.lnk = C:\Documents and Settings\Administrator\My Documents\STImgBrowser.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 8731046353
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EDB83F6-E9B8-4943-B9AB-28F6276EA4FD}: NameServer = 80.225.254.178 80.225.254.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EDB83F6-E9B8-4943-B9AB-28F6276EA4FD}: NameServer = 80.225.254.178 80.225.254.186
O20 - Winlogon Notify: qopon - C:\WINNT\system32\qopon.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINNT\system32\o0480ahued480.dll
O20 - Winlogon Notify: sstqn - C:\WINNT\SYSTEM32\sstqn.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe (file missing)
O23 - Service: wxpdll32 - Unknown owner - C:\WINNT\wxpdll32.exe (file missing)
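The helpers in this thread triage the two logs (post #1 and post #3) by eye. As an added example, not part of the forum thread and not HijackThis code, the Python script below does the same mechanically: it parses HijackThis-style entries, flags the patterns the helpers acted on (O20/O23 persistence entries whose file is missing, services with an unknown owner, a DLL registered both as a BHO (O2) and as a Winlogon Notify handler (O20), and start/search pages on hosts outside an expected list), and then diffs the "before" and "after" logs to show what the first cleanup pass removed, what appeared since, and which flagged entries survived. The sample log text is a constructed subset of entries taken from the two logs in this thread; the trusted-host list and the four rules are assumptions made for this example, not HijackThis's own classification.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: a subset of entries from the 'before' (post #1) and 'after'
# (post #3) logs in this thread. A header and a process line are included to
# show that the parser skips them.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\sstqn.dll
O2 - BHO: MFCOptimizeClass Object - {C25FA7CE-23EA-4271-A66D-06C4D5C22F78} - C:\WINNT\system32\qopon.dll
O20 - Winlogon Notify: ljjjg - ljjjg.dll (file missing)
O20 - Winlogon Notify: qopon - C:\WINNT\system32\qopon.dll
O20 - Winlogon Notify: sstqn - C:\WINNT\SYSTEM32\sstqn.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe (file missing)
"""

LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\sstqn.dll
O2 - BHO: MFCOptimizeClass Object - {C25FA7CE-23EA-4271-A66D-06C4D5C22F78} - C:\WINNT\system32\qopon.dll
O20 - Winlogon Notify: qopon - C:\WINNT\system32\qopon.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINNT\system32\o0480ahued480.dll
O20 - Winlogon Notify: sstqn - C:\WINNT\SYSTEM32\sstqn.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
DLL_RE = re.compile(r"([\w\-]+\.dll)", re.IGNORECASE)

# Hosts the owner would legitimately have as home/search pages. Assumption for
# this example: the ISP start page seen in the log plus Microsoft and Google.
TRUSTED_HOSTS = ("tiscali.co.uk", "microsoft.com", "msn.com", "google.com")


@dataclass(frozen=True)
class Entry:
    section: str  # R0, R1, O2, O4, O20, O23, ...
    body: str     # everything after "O20 - "

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_log(text: str) -> list:
    """Keep the numbered R*/O* entries; header and 'Running processes' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def dll_name(entry: Entry) -> Optional[str]:
    """Lower-cased DLL file name referenced by an entry (path case varies between entries)."""
    m = DLL_RE.search(entry.body)
    return m.group(1).lower() if m else None


def is_trusted_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def flag_entries(entries: list) -> dict:
    """Apply the triage rules; returns {rule: [entry lines]}."""
    flags = {
        "file_missing": [],      # O20/O23 persistence whose target file is gone
        "unknown_service": [],   # O23 service with no identifiable owner
        "dual_persistence": [],  # same DLL loaded as BHO (O2) and Winlogon Notify (O20)
        "search_hijack": [],     # R0/R1 pointing outside the expected hosts
    }
    bho_dlls = {d for d in (dll_name(e) for e in entries if e.section == "O2") if d}
    for e in entries:
        if e.section in ("O20", "O23") and "(file missing)" in e.body:
            flags["file_missing"].append(e.line)
        if e.section == "O23" and "Unknown owner" in e.body:
            flags["unknown_service"].append(e.line)
        if e.section == "O20" and dll_name(e) in bho_dlls:
            flags["dual_persistence"].append(e.line)
        if e.section in ("R0", "R1") and not is_trusted_host(e.body.split(" = ", 1)[-1]):
            flags["search_hijack"].append(e.line)
    return flags


def diff_logs(before: list, after: list) -> dict:
    """What the cleanup removed, what appeared since, and which flagged entries survived."""
    b_lines = {e.line for e in before}
    a_lines = {e.line for e in after}
    flagged_after = {ln for lines in flag_entries(after).values() for ln in lines}
    return {
        "removed": sorted(b_lines - a_lines),
        "new": sorted(a_lines - b_lines),
        "persisting_flagged": sorted(flagged_after & b_lines),
    }


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for rule, lines in flag_entries(before).items():
        print(f"[{rule}] {len(lines)} flagged")
        for ln in lines:
            print("   ", ln)
    for key, lines in diff_logs(before, after).items():
        print(f"{key}:")
        for ln in lines:
            print("   ", ln)
```

On the sample, the diff shows exactly what the thread goes on to act on: the search-bar hijack and the orphaned ljjjg entry are gone, sstqn.dll and qopon.dll are still loaded through both O2 and O20, and a new Winlogon Notify DLL has appeared, which is why the follow-up reply moves to a dedicated Vundo fixer rather than another round of manual deletion.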
Gutek
(Gutek)
19 February 2006 19:09
#4
Start >>> Run >>> services.msc >>> stop and disable windows virus scanner and wxpdll32
Turn off System Restore in XP.
Boot into Safe Mode without internet.
Tick the indicated entries in HijackThis and click Fix checked. The entries will be removed.
Delete from disk the files and folder I underlined in red
Finish with online scanners - scanners of your choice
Show a new log
Download: http://securityresponse.symantec.com/av … xVundo.exe and apply it
Download http://www.downloads.subratam.org/l2mfix.exe and post log no. 1 from the L2Mfix tool