Mike2005
(Alf393)
10 Listopad 2005 18:41
#1
Witam mam ostanio podejrzenia, ze dzieje się coś z moim kompem…ehh nawet jestem pewien ze cos jest nietak. Więc mam wielka prośbe przejrzyjcie te logi i mi pomóżcie.
Logfile of HijackThis v1.99.1 Scan saved at 19:07:51, on 2005-11-09 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: E:\WINDOWS\System32\smss.exe E:\WINDOWS\system32\winlogon.exe E:\WINDOWS\system32\services.exe E:\WINDOWS\system32\lsass.exe E:\WINDOWS\system32\svchost.exe E:\WINDOWS\System32\svchost.exe E:\WINDOWS\system32\spoolsv.exe E:\WINDOWS\system32\rundll32.exe D:\Program Files\D-Tools\daemon.exe E:\Program Files\VIAudioi\SBADeck\ADeck.exe E:\windows\system32\mdms.exe E:\WINDOWS\System32\rtf32.exe E:\WINDOWS\System32\paytime.exe E:\WINDOWS\System32\ctfmon.exe E:\Program Files\Messenger\msmsgs.exe E:\WINDOWS\System32\sysvcs.exe D:\Program Files\Gadu-Gadu\gg.exe E:\Documents and Settings\XP\Pulpit\hijackthis\HijackThis.exe E:\WINDOWS\explorer.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: Shell=explorer.exe E:\WINDOWS\System32\11C.tmp O1 - Hosts: 127.0.0.5 n-glx.s-redirect.com O1 - Hosts: 127.0.0.5 x.full-tgp.net O1 - Hosts: 127.0.0.5 counter.sexmaniack.com O1 - Hosts: 127.0.0.5 autoescrowpay.com O1 - Hosts: 127.0.0.5 http://www.autoescrowpay.com O1 - Hosts: 127.0.0.5 http://www.awmdabest.com O1 - Hosts: 127.0.0.5 http://www.sexfiles.nu O1 - Hosts: 127.0.0.5 awmdabest.com O1 - Hosts: 127.0.0.5 sexfiles.nu O1 - Hosts: 127.0.0.5 allforadult.com O1 - Hosts: 127.0.0.5 http://www.allforadult.com O1 - Hosts: 127.0.0.5 http://www.iframe.biz O1 - Hosts: 127.0.0.5 iframe.biz O1 - Hosts: 127.0.0.5 http://www.newiframe.biz O1 - Hosts: 127.0.0.5 newiframe.biz O1 - Hosts: 127.0.0.5 http://www.vesbiz.biz O1 - Hosts: 127.0.0.5 vesbiz.biz O1 - Hosts: 127.0.0.5 http://www.pizdato.biz O1 - Hosts: 127.0.0.5 pizdato.biz O1 - Hosts: 127.0.0.5 http://www.awmcash.biz O1 - Hosts: 127.0.0.5 awmcash.biz O1 - Hosts: 127.0.0.5 buldog-stats.com O1 - Hosts: 127.0.0.5 http://www.buldog-stats.com O1 - Hosts: 127.0.0.5 fregat.drocherway.com O1 - Hosts: 127.0.0.5 slutmania.biz O1 - Hosts: 127.0.0.5 http://www.slutmania.biz O1 - Hosts: 127.0.0.5 toolbarpartner.com O1 - Hosts: 127.0.0.5 http://www.toolbarpartner.com O1 - Hosts: 127.0.0.5 http://www.megapornix.com O1 - Hosts: 127.0.0.5 megapornix.com O1 - Hosts: 127.0.0.5 http://www.sp2fucked.biz O1 - Hosts: 127.0.0.5 sp2fucked.biz O1 - Hosts: 127.0.0.5 greg-tut.com O1 - Hosts: 127.0.0.5 http://www.greg-tut.com O1 - Hosts: 127.0.0.5 nylonsexy.com O1 - Hosts: 127.0.0.5 http://www.nylonsexy.com O1 - Hosts: 127.0.0.5 vparivalka.com O1 - Hosts: 127.0.0.5 http://www.vparivalka.com O1 - Hosts: 127.0.0.5 iframeprofit.com O1 - Hosts: 127.0.0.5 http://www.iframeprofit.com O1 - Hosts: 127.0.0.5 topsearch10.com O1 - Hosts: 127.0.0.5 http://www.topsearch10.com O1 - Hosts: 127.0.0.5 statscash.biz O1 - Hosts: 127.0.0.5 http://www.statscash.biz O1 - Hosts: 127.0.0.5 vxiframe.biz O1 - Hosts: 127.0.0.5 http://www.vxiframe.biz O1 - Hosts: 127.0.0.5 crazy-toolbar.com O1 - Hosts: 127.0.0.5 http://www.crazy-toolbar.com O1 - Hosts: 127.0.0.5 topcash.biz O1 - Hosts: 127.0.0.5 http://www.topcash.biz O1 - Hosts: 127.0.0.5 loadcash.biz O1 - Hosts: 127.0.0.5 http://www.loadcash.biz O1 - Hosts: 127.0.0.5 txiframe.biz O1 - Hosts: 127.0.0.5 http://www.txiframe.biz O1 - Hosts: 127.0.0.5 procounter.biz O1 - Hosts: 127.0.0.5 http://www.procounter.biz O1 - Hosts: 127.0.0.5 advadmin.biz O1 - Hosts: 127.0.0.5 http://www.advadmin.biz O1 - Hosts: 127.0.0.5 trafficbest.net O1 - Hosts: 127.0.0.5 http://www.trafficbest.net O1 - Hosts: 127.0.0.5 besthvac.com O1 - Hosts: 127.0.0.5 http://www.besthvac.com O1 - Hosts: 127.0.0.5 traff4.com O1 - Hosts: 127.0.0.5 http://www.traff4.com O1 - Hosts: 127.0.0.5 ambush-script.com O1 - Hosts: 127.0.0.5 http://www.ambush-script.com O1 - Hosts: 127.0.0.5 beehappyy.biz O1 - Hosts: 127.0.0.5 http://www.beehappyy.biz O1 - Hosts: 127.0.0.5 tracktraff.cc O1 - Hosts: 127.0.0.5 http://www.tracktraff.cc O1 - Hosts: 127.0.0.5 allcount.net O1 - Hosts: 127.0.0.5 http://www.allcount.net O1 - Hosts: 127.0.0.5 onedayoffer.biz O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [DAEMON Tools-1033] “D:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [AudioDeck] E:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 O4 - HKLM…\Run: [sysMemory manager] e:\windows\system32\mdms.exe O4 - HKLM…\Run: [rtf32.exe] rtf32.exe O4 - HKLM…\Run: [PayTime] E:\WINDOWS\System32\paytime.exe O4 - HKCU…\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “E:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “D:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [shell] “E:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe” O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [PayTime] E:\WINDOWS\System32\paytime.exe O4 - HKCU…\Run: [aupd] E:\WINDOWS\System32\sysvcs.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O20 - Winlogon Notify: Hints - E:\WINDOWS\system32\m0jula191d.dll O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - E:\WINDOWS\System32\bddbclfc.dll O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - E:\WINDOWS\System32\ennomnlo.dll
boczi
(boczi)
10 Listopad 2005 19:34
#2
Najpierw użyj WWDC.
Wszystkie czynności wykonujesz w trybie awaryjnym [F8] w czasie bootowania komputera z wyłączonym przywracaniem systemu. Gdybyś nie wiedział, jak to zrobić, zobacz TU .
Pogrubione kasujesz z dysku oraz wszystkie wpisy z Hijacka.
Jeśli będą problemy z usuwaniem, używasz narzędzia KillBox,
http://www.downloads.subratam.org/KillBox.zip
Info:
Odpalasz Killboxa zaznacz opcję Delete on Reboot następnie w polu Full Path of File to Delete wklej ścieżkę (przykład):
C:\WINDOWS\System32\xxx.exe
następnie program będzie pytał o restart (oczywiście zgadzasz się).
Po czynnościach nowy log.
Opróżnij katalogi TEMP, Prefetch z katalogu systemowego WINDOWS.
Proszę także o log z silentrunners.
http://www.searchengines.pl/phpbb203/in … opic=15989
Mike2005
(Alf393)
10 Listopad 2005 22:08
#3
o to logi po wykonaniu poleceń
“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “SysMemory manager” = “e:\windows\system32\mdms.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “E:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {CLSID}\InProcServer32(Default) = “E:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {CLSID}\InProcServer32(Default) = “E:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {CLSID}\InProcServer32(Default) = “E:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “st” -> {CLSID}\InProcServer32(Default) = “E:\windows\system32\winacpi.dll” [null data] “{68D4660C-BB9E-4E72-9ACE-88F29C2777AB}” = (no title provided) -> {CLSID}\InProcServer32(Default) = “E:\WINDOWS\system32\crodm.dll” [null data] “{9AEE9BB9-03F8-4179-B616-26F383C7EBDF}” = (no title provided) -> {CLSID}\InProcServer32(Default) = “E:\WINDOWS\system32\tpcfgwmi.dll” [null data] “{E13F0C4C-B1C0-482D-826B-4E54A2BD00FD}” = (no title provided) -> {CLSID}\InProcServer32(Default) = “E:\WINDOWS\system32\ifrdbg32.dll” [null data] “{5E8CD9F3-997E-49A0-A155-C3ED7693A281}” = (no title provided) -> {CLSID}\InProcServer32(Default) = “E:\WINDOWS\system32\rPsapi32.dll” [null data] “{9B6ED254-A2F1-4B7D-A11B-2FA4A42A502B}” = (no title provided) -> {CLSID}\InProcServer32(Default) = “E:\WINDOWS\system32\sllsrv32.dll” [null data] “{01000FFA-A3CD-4B39-A71A-B231F0F46557}” = (no title provided) -> {CLSID}\InProcServer32(Default) = “E:\WINDOWS\system32\lqasrv.dll” [null data] “{9BC6D662-D3EB-40E4-92C9-1CE1DDFADCCC}” = (no title provided) -> {CLSID}\InProcServer32(Default) = “E:\WINDOWS\system32\danaddr.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! Applets\DLLName = “E:\WINDOWS\system32\hrlq0535e.dll” [null data] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {CLSID}\InProcServer32(Default) = “E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ sysacpildap(Default) = “{5E2121EE-0300-11D4-8D3B-444553540000}” -> {CLSID}\InProcServer32(Default) = “E:\windows\system32\winacpi.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “E:\WINDOWS\web\wallpaper\Idylla.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “E:\WINDOWS\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 35 seconds, including 4 seconds for message boxes)
Logfile of HijackThis v1.99.1 Scan saved at 23:02:18, on 2005-11-09 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: E:\WINDOWS\System32\smss.exe E:\WINDOWS\system32\winlogon.exe E:\WINDOWS\system32\services.exe E:\WINDOWS\system32\lsass.exe E:\WINDOWS\system32\svchost.exe E:\WINDOWS\System32\svchost.exe E:\WINDOWS\system32\spoolsv.exe E:\WINDOWS\system32\rundll32.exe E:\windows\system32\mdms.exe E:\WINDOWS\explorer.exe E:\Documents and Settings\XP\Pulpit\hijackthis\HijackThis.exe O4 - HKLM…\Run: [sysMemory manager] e:\windows\system32\mdms.exe O20 - Winlogon Notify: Applets - E:\WINDOWS\system32\hrlq0535e.dll
boczi
(boczi)
10 Listopad 2005 22:14
#4
Wykasuj E:\WINDOWS\system32\ hrlq0535e.dll programem KillBox, E:\windows\system32\mdms.exe Usuwanie Repsamo czytasz TU . Ale nie wydaje mi się, by był to cały log z Hijackthis.
Mike2005
(Alf393)
11 Listopad 2005 12:54
#5
A jak teraz? Wszystko w porządku?
Logfile of HijackThis v1.99.1 Scan saved at 13:51:42, on 2005-11-10 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\VIAudioi\SBADeck\ADeck.exe C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe D:\Michal\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 O4 - HKLM…\Run: [APVXDWIN] “C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE” /s O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
Mike2005
(Alf393)
12 Listopad 2005 08:46
#7
ok Wielki dzięki dla bocziego i kuza:)