grzesiu8
(Grzesiu8)
4 Styczeń 2006 18:16
#1
Logfile of HijackThis v1.99.1 Scan saved at 19:11:31, on 2006-01-04 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Kazaa Lite Rewolucja\kazaalite.kpp C:\DOCUME~1\Kuba\USTAWI~1\Temp\6.tmp.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Tlen.pl\tlen.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\Kuba\Pulpit\putty.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\MP3 Voyeur\Voyeur.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\hijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\clvpu.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\clvpu.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\clvpu.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\clvpu.dll/sp.html#88449%resultposition.net R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\clvpu.dll/sp.html#88449%resultposition.net R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Class - {4410D8C5-0277-7086-4641-DD5178D4D6ED} - C:\WINDOWS\iere32.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Class - {8F7588D6-7A8B-1766-6205-203FDF6F7347} - C:\WINDOWS\system32\ntuo32.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe O4 - HKLM…\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM…\Run: [KAZAA] “C:\Program Files\Kazaa Lite Rewolucja\kpp.exe” “C:\Program Files\Kazaa Lite Rewolucja\kazaalite.kpp” /SYSTRAY O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [atlbi.exe] C:\WINDOWS\atlbi.exe O4 - HKLM…\Run: [6.tmp] C:\DOCUME~1\Kuba\USTAWI~1\Temp\6.tmp.exe O4 - HKLM…\Run: [7.tmp] C:\DOCUME~1\Kuba\USTAWI~1\Temp\7.tmp.exe O4 - HKLM…\Run: [netvp.exe] C:\WINDOWS\netvp.exe O4 - HKLM…\Run: [6.tmp.exe] C:\DOCUME~1\Kuba\USTAWI~1\Temp\6.tmp.exe O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe O4 - HKCU…\Run: [pro] C:\winstall.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://arcaonline.arcabit.com O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/180so … ge-c46.cab O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Witam!
Oto log… w czym problem? No mam jakis dziwny pasek na gorze ekranu “Warning! Your computer is infected! Press here for help!”
Wiem ze to sciema! bo nawet jest czerwony krzyzyk do wylaczenia ale i tak by sie weszlo na jakas strone… Skad to mam? Ktos na gg dostal wiadomosc od jakiejs Karolinki z linkiem… oczywiscie ten ktos kliknal no i sie sciagnal SYF!
Sprawdalem antyvirusem (mks -> choc teraz to jakas inna firma chyba… dziwna bynajmniej) i nic nie znalazlo! Avant Browser cos znalazl ale nadal mi te okienko wyskakuje!
Wiec prosze o pomoc! Jak sie tego pzbyc?
Pozdrawiam
kacz2n
(Kacz2n)
4 Styczeń 2006 19:17
#2
Start do trybu awaryjnego po uprzednim wyłączeniu przywracania systemu.
W hijacku fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\clvpu.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\clvpu.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\clvpu.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\clvpu.dll/sp.html#88449%resultposition.net R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\clvpu.dll/sp.html#88449%resultposition.net R3 - Default URLSearchHook is missing O2 - BHO: Class - {4410D8C5-0277-7086-4641-DD5178D4D6ED} - C:\WINDOWS\iere32.dll (file missing) O2 - BHO: Class - {8F7588D6-7A8B-1766-6205-203FDF6F7347} - C:\WINDOWS\system32\ntuo32.dll O4 - HKLM…\Run: [KAZAA] “C:\Program Files\Kazaa Lite Rewolucja\kpp.exe” “C:\Program Files\Kazaa Lite Rewolucja\kazaalite.kpp” /SYSTRAY O4 - HKLM…\Run: [atlbi.exe] C:\WINDOWS\atlbi.exe O4 - HKLM…\Run: [6.tmp] C:\DOCUME~1\Kuba\USTAWI~1\Temp\6.tmp.exe O4 - HKLM…\Run: [7.tmp] C:\DOCUME~1\Kuba\USTAWI~1\Temp\7.tmp.exe O4 - HKLM…\Run: [netvp.exe] C:\WINDOWS\netvp.exe O4 - HKLM…\Run: [6.tmp.exe] C:\DOCUME~1\Kuba\USTAWI~1\Temp\6.tmp.exe O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe O4 - HKCU…\Run: [pro] C:\winstall.exe O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/180so … ge-c46.cab
W trybie awaryjnym opróżnij Temp . Katalogi i pliki zaznaczone na czerwono usuń. O na prawie fałszywej tapety SpySheriff TU
Po wszystkim nowy log.
grzesiu8
(Grzesiu8)
10 Styczeń 2006 16:20
#3
Logfile of HijackThis v1.99.1 Scan saved at 17:21:32, on 2006-01-10 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\system32\sdkgx.exe C:\Program Files\Tlen.pl\tlen.exe C:\WINDOWS\system32\javasi.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Kuba\Pulpit\putty.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Gadu-Gadu\gg.exe C:\hijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Class - {A0FBF6A7-DE21-3235-7B76-A7427D953750} - C:\WINDOWS\system32\sdkqr32.dll O2 - BHO: Class - {C713F792-9B34-C3C7-0713-07FE90101606} - C:\WINDOWS\mfcet.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe O4 - HKLM…\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [netgc.exe] C:\WINDOWS\system32\netgc.exe O4 - HKLM…\Run: [sdkgx.exe] C:\WINDOWS\system32\sdkgx.exe O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe O4 - HKCU…\Run: [pro] C:\winstall.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://arcaonline.arcabit.com O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasi.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
No zrobilem tak jak pisaliscie choc z tym R1 - HKC… mialem problem… bo go nie bylo moze to przez to ze kilka dni pozniej to zrobilem?
wiec jak wyglada teraz ten log?
SER
(SER)
10 Styczeń 2006 16:31
#4
grzesiu8:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\djlrs.dll/sp.html#88449%resultposition.net
1.Wyłącz Przywracanie Systemu
2.Uruchom komputer w trybie awaryjnym (F5 lub F8 )
3.Usuń podane wpisy w Hijack’u
4.Usuń z dysku podane na czerwono pliki i foldery (ustaw na pokazywanie ukrytych plików i folderów)
5.Pokaż nowy log
Poczekaj na Gutka - może jeszcze on coś znajdzie
detektyw
(Qbek50)
10 Styczeń 2006 16:43
#5
SER zgubiles miedzy innymi to
Gutek
(Gutek)
10 Styczeń 2006 20:54
#6