Ratujcie

Dla specjalistów Bezpieczeństwo
#1

Logfile of HijackThis v1.99.1

Scan saved at 12:38:47, on 2005-03-09

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Neostrada TP\taskbaricon.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0\bin\jusched.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\isrvs\desktop.exe

C:\Program Files\D-Tools\daemon.exe

C:\WINDOWS\System32\systime.exe

C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

C:\WINDOWS\System32\vmss\vmss.exe

C:\Program Files\AdTools Service\AdTools.exe

C:\Program Files\AdTools Service\AdToolsKeep.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\PROGRA~1\ezula\mmod.exe

C:\WINDOWS\System32\systime.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\temp\salm.exe

C:\Documents and Settings\Adam.ADAM-5XUUHSE4ZV\Moje dokumenty\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe

O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime

O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe

O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM…\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM…\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033

O4 - HKLM…\Run: [sysTime] C:\WINDOWS\System32\systime.exe

O4 - HKLM…\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

O4 - HKLM…\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

O4 - HKLM…\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe

O4 - HKLM…\Run: [salm] c:\temp\salm.exe

O4 - HKLM…\Run: [qxetsncj] C:\WINNT\qxetsncj.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe

O4 - HKCU…\Run: [sysTime] C:\WINDOWS\System32\systime.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O15 - Trusted IP range: 67.19.178.84

O15 - Trusted IP range: 67.19.178.84 (HKLM)

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxx.mht! http://acc2.gateone.ath.cx/script/loud.chm::/Bridge-c139.cab

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip…{5557AF0C-D56D-497F-A3E7-8C815ACB0323}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS1\Services\Tcpip…{5557AF0C-D56D-497F-A3E7-8C815ACB0323}: NameServer = 194.204.152.34 217.98.63.164

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\m0640ajqedoe0.dll

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#2

:roll: wg mnie do usunięcia:

C:\WINDOWS\System32\systime.exe

C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

C:\WINDOWS\System32\vmss\vmss.exe

C:\PROGRA~1\ezula\mmod.exe

C:\WINDOWS\System32\systime.exe

c:\temp\salm.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM…\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM…\Run: [sysTime] C:\WINDOWS\System32\systime.exe

O4 - HKLM…\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

O4 - HKLM…\Run: [salm] c:\temp\salm.exe

O4 - HKCU…\Run: [sysTime] C:\WINDOWS\System32\systime.exe

O15 - Trusted IP range: 67.19.178.84 (HKLM)

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxx.mht! http://acc2.gateone.ath.cx/script/loud.chm::confused: Bridge-c139.cab

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

potem gruntowny skan tymi aplikacjami:

http://forum.dobreprogramy.pl/viewtopic.php?t=8175

i ponownie zapodaj loga.

#3

wejdz w tryb awaryjny i wylacz przywracanie systemu dodatkowo wywal

O4 - HKLM…\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

O4 - HKLM…\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe

O4 - HKCU…\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

scan antywirami i dajesz raz jeszcze log

#4

I Jeszcze:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\m0640ajqedoe0.dll

#5

WGRAJ SP2!!

#6

poczekaj niech najpierw da log i jak bedzie mial czysto to dopiero niech wgra

#7

Usuń jeszcze to:

O4 - HKLM…\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

Start=>Uruchom=>Wpisz polecenie msconfig=>Zakładka Uruchamianie i odchacz:

winamp

NeroCheck