moshic
(Brassil)
23 Październik 2005 17:48
#1
hej
juz mnie glowa boli bo nie moge sobie z tym poradzic.
mialem jakies spyware i spysheriffa, udalo mi sie tego spysheriffa usunac ta metoda w trybie awaryjnym i tapetka juz wrocila. teraz jednak mam strasznie wkurzajacy problem bo wyskakuja mi co chwila jakies stronki, reklamy itp. nie wiem kompletnie co robic. zainstalowalem Opera i jest to samo. stronki wyskakuja nawet jak mam wylaczona przegladarke IE czy Opera.
bardzo prosze pomozcie, bo nie chcialbym tobic formata.
wrzucam tu log z hijack. chyba o to chodzi?
Logfile of HijackThis v1.99.1
Scan saved at 19:36:52, on 2005-10-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\Opera.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 127.0.0.4 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.4 x.full-tgp.net
O1 - Hosts: 127.0.0.4 counter.sexmaniack.com
O1 - Hosts: 127.0.0.4 autoescrowpay.com
O1 - Hosts: 127.0.0.4 www.autoescrowpay.com
O1 - Hosts: 127.0.0.4 www.awmdabest.com
O1 - Hosts: 127.0.0.4 www.sexfiles.nu
O1 - Hosts: 127.0.0.4 awmdabest.com
O1 - Hosts: 127.0.0.4 sexfiles.nu
O1 - Hosts: 127.0.0.4 allforadult.com
O1 - Hosts: 127.0.0.4 www.allforadult.com
O1 - Hosts: 127.0.0.4 www.iframe.biz
O1 - Hosts: 127.0.0.4 iframe.biz
O1 - Hosts: 127.0.0.4 www.newiframe.biz
O1 - Hosts: 127.0.0.4 newiframe.biz
O1 - Hosts: 127.0.0.4 www.vesbiz.biz
O1 - Hosts: 127.0.0.4 vesbiz.biz
O1 - Hosts: 127.0.0.4 www.pizdato.biz
O1 - Hosts: 127.0.0.4 pizdato.biz
O1 - Hosts: 127.0.0.4 www.aaasexypics.com
O1 - Hosts: 127.0.0.4 aaasexypics.com
O1 - Hosts: 127.0.0.4 www.virgin-tgp.net
O1 - Hosts: 127.0.0.4 virgin-tgp.net
O1 - Hosts: 127.0.0.4 www.awmcash.biz
O1 - Hosts: 127.0.0.4 awmcash.biz
O1 - Hosts: 127.0.0.4 buldog-stats.com
O1 - Hosts: 127.0.0.4 www.buldog-stats.com
O1 - Hosts: 127.0.0.4 fregat.drocherway.com
O1 - Hosts: 127.0.0.4 slutmania.biz
O1 - Hosts: 127.0.0.4 www.slutmania.biz
O1 - Hosts: 127.0.0.4 toolbarpartner.com
O1 - Hosts: 127.0.0.4 www.toolbarpartner.com
O1 - Hosts: 127.0.0.4 www.megapornix.com
O1 - Hosts: 127.0.0.4 megapornix.com
O1 - Hosts: 127.0.0.4 www.sp2fucked.biz
O1 - Hosts: 127.0.0.4 sp2fucked.biz
O1 - Hosts: 127.0.0.4 greg-tut.com
O1 - Hosts: 127.0.0.4 www.greg-tut.com
O1 - Hosts: 127.0.0.4 nylonsexy.com
O1 - Hosts: 127.0.0.4 www.nylonsexy.com
O1 - Hosts: 127.0.0.4 vparivalka.com
O1 - Hosts: 127.0.0.4 www.vparivalka.com
O1 - Hosts: 127.0.0.4 iframeprofit.com
O1 - Hosts: 127.0.0.4 www.iframeprofit.com
O1 - Hosts: 127.0.0.4 topsearch10.com
O1 - Hosts: 127.0.0.4 www.topsearch10.com
O1 - Hosts: 127.0.0.4 statscash.biz
O1 - Hosts: 127.0.0.4 www.statscash.biz
O1 - Hosts: 127.0.0.4 vxiframe.biz
O1 - Hosts: 127.0.0.4 www.vxiframe.biz
O1 - Hosts: 127.0.0.4 crazy-toolbar.com
O1 - Hosts: 127.0.0.4 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.4 topcash.biz
O1 - Hosts: 127.0.0.4 www.topcash.biz
O1 - Hosts: 127.0.0.4 loadcash.biz
O1 - Hosts: 127.0.0.4 www.loadcash.biz
O1 - Hosts: 127.0.0.4 txiframe.biz
O1 - Hosts: 127.0.0.4 www.txiframe.biz
O1 - Hosts: 127.0.0.4 procounter.biz
O1 - Hosts: 127.0.0.4 www.procounter.biz
O1 - Hosts: 127.0.0.4 advadmin.biz
O1 - Hosts: 127.0.0.4 www.advadmin.biz
O1 - Hosts: 127.0.0.4 trafficbest.net
O1 - Hosts: 127.0.0.4 www.trafficbest.net
O1 - Hosts: 127.0.0.4 besthvac.com
O1 - Hosts: 127.0.0.4 www.besthvac.com
O1 - Hosts: 127.0.0.4 traff4.com
O1 - Hosts: 127.0.0.4 www.traff4.com
O1 - Hosts: 127.0.0.4 ambush-script.com
O1 - Hosts: 127.0.0.4 www.ambush-script.com
O1 - Hosts: 127.0.0.4 beehappyy.biz
O1 - Hosts: 127.0.0.4 www.beehappyy.biz
O1 - Hosts: 127.0.0.4 tracktraff.cc
O1 - Hosts: 127.0.0.4 www.tracktraff.cc
O1 - Hosts: 127.0.0.4 allcount.net
O1 - Hosts: 127.0.0.4 www.allcount.net
O1 - Hosts: 127.0.0.4 onedayoffer.biz
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180searchassistant\sais.exe
O4 - HKLM\..\Run: [Pqswug] C:\Program Files\Xljw\Nnewg.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [updatedrweb_nt] C:\WINDOWS\System32\updatedrweb_nt.exe
O4 - HKLM\..\RunServices: [updatedrweb_nt] C:\WINDOWS\System32\updatedrweb_nt.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [updatedrweb_nt] C:\WINDOWS\System32\updatedrweb_nt.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Startup: Gadu-Gadu.lnk = C:\Program Files\Gadu-Gadu\gg.exe
O4 - Global Startup: VoipBuster.lnk = C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Add to &Teleport - C:\PROGRA~1\TELEPO~1\teleport.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link to &MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8D43A56-5C06-406C-884B-17B870405119}: NameServer = 10.0.0.1
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\lvjo0913e.dll (file missing)
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\lvl0093me.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\System32\conmljhn.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Ym9vemVk\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
nie wiem czy to ma jakies znaczenie ale najczesciej otwiera sie taka stronka http://www.searc-h.com/normal/yyy53.html
Gutek
(Gutek)
23 Październik 2005 18:01
#2
Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable. Po użyciu tego narzędzia wymagany jest reset sysa.
Wyłączyć Przywracanie systemu w XP TU
Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).
Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte. Dodatkowo O15 może będzie stawiać opór więc ściągnij KillTrusted 0.7
Skasować z dysku pliki i foldery, które podkreśliłem na czerwono
Dokończyć skanerami online - Scanery do wyboru
Pokazać nowy log
Poczytaj Wersje Backdoor.Haxdoor - AG , Usuwanie sylder-a , dokłądnie o tapeta SpySheriff oraz narzędzia: FxIstbar.exe. to naprawiacz do ISTbar i CWS.Systime Removal 3.5
moshic
(Brassil)
23 Październik 2005 19:02
#3
dzieki wielkie, narazie nic nie wyskakuje
nowy log
Logfile of HijackThis v1.99.1
Scan saved at 21:00:46, on 2005-10-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Opera\Opera.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: Gadu-Gadu.lnk = C:\Program Files\Gadu-Gadu\gg.exe
O4 - Global Startup: VoipBuster.lnk = C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Add to &Teleport - C:\PROGRA~1\TELEPO~1\teleport.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link to &MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8D43A56-5C06-406C-884B-17B870405119}: NameServer = 10.0.0.1
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\m0rmla911d.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Ym9vemVk\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
Złączono Posta : 23.10.2005 (Nie) 21:07
eeh i za wczesnie zaczalem sie cieszyc. juz wyskoczylo jakies badziewie http://64.192.130.141/cgi-bin/RedirectV2?ID=640766&con=true
dodam. ze nie zrobilem scanowania online bo cos nie dawalo rady…
Gutek
(Gutek)
23 Październik 2005 19:16
#4
Startujesz do awaryjnego potem Start >>> Uruchom >>> services.msc >>> zatrzymaj i wyłącz Command Service
pliki zaznaczone na czerwono usuwasz, poczytaj Usuwanie VX2.BetterInternet
Dobrze że nie usunołeś Kwyshell :oops:
moshic
(Brassil)
23 Październik 2005 19:26
#5
a dlaczego mialbym usunac??
i czy te dwa zaznaczone na czerwono mam fix’nac w hijack??
Gutek
(Gutek)
23 Październik 2005 19:46
#6
Ok instrukcja:
Wyłączyć Przywracanie systemu w XP TU
Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).
Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte.
Skasować z dysku pliki i foldery, które podkreśliłem na czerwono
Dokończyć skanerami online - Scanery do wyboru
Pokazać nowy log
Popczytaj i zastosuj siedo instrukcji Usuwanie VX2.BetterInternet
moshic
(Brassil)
24 Październik 2005 12:07
#7
nowy log. co jeszcze jest nie tak? bo dalej wyskakuje to badziewie?
Logfile of HijackThis v1.99.1 Scan saved at 14:30:02, on 2005-10-24 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\ewido\security suite\ewidoguard.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Opera\Opera.exe C:\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe” O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Startup: Gadu-Gadu.lnk = C:\Program Files\Gadu-Gadu\gg.exe O4 - Global Startup: VoipBuster.lnk = C:\Program Files\VoipBuster.com \VoipBuster\VoipBuster.exe O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm O8 - Extra context menu item: Add to &Teleport - C:\PROGRA~1\TELEPO~1\teleport.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Link to &MidpX - C:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm O8 - Extra context menu item: Ściągnij przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - C:\Program Files\FlashGet\jc_all.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra ‘Tools’ menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O17 - HKLM\System\CCS\Services\Tcpip…{C8D43A56-5C06-406C-884B-17B870405119}: NameServer = 10.0.0.1 O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
Gutek
(Gutek)
24 Październik 2005 13:41
#8
Na dwa fronty grasz Widźę że taki sam LOG na SE - wykonałeś instrukcję na VX2 ? Jak nie idzie? Daj LOG z Silent Runners
moshic
(Brassil)
24 Październik 2005 13:55
#9
“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“sms-express.com ”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “SunJavaUpdateSched” = “C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe” [null data] “NeroCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “HPDJ Taskbar Utility” = “C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe” [“HP”] “WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data] “iTunesHelper” = ““C:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Computer, Inc.”] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\K-Lite Codec Pack\Real\rpshell.dll” [“RealNetworks, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{F802F260-519B-11D1-BB5D-0060974C6013}” = “ICQ Shell Extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\ICQ\ICQShExt.dll” [“ICQ”] “{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Computer, Inc.”] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “st” -> {CLSID}\InProcServer32(Default) = “C:\windows\system32\winacpi.dll” [file not found] “{9EE81367-90F2-4142-B3F2-3A0FF0ABCD1A}” = (no title provided) -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\ddkquota.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{54D9498B-CF93-414F-8984-8CE7FDE0D391}” = “ewido shell guard” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\ewido\security suite\shellhook.dll” ["TODO: "] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! wzcnotif\DLLName = “wzcdlg.dll” [MS] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\ewido\security suite\context.dll” [“ewido networks”] sysacpildap(Default) = “{5E2121EE-0300-11D4-8D3B-444553540000}” -> {CLSID}\InProcServer32(Default) = “C:\windows\system32\winacpi.dll” [file not found] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\ewido\security suite\context.dll” [“ewido networks”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\boozed\Dane aplikacji\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “boozed” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\boozed\Menu Start\Programy\Autostart “Gadu-Gadu” -> shortcut to: “C:\Program Files\Gadu-Gadu\gg.exe” [“sms-express.com ”] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “VoipBuster” -> shortcut to: “C:\Program Files\VoipBuster.com \VoipBuster\VoipBuster.exe -nosplash -minimized” [“VoipBuster”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{EBE9E2B5-B526-48BC-AD46-687263EDCB0E}” = “Kwyshell MidpX” [from CLSID] -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll” [“Kwyshell G.Corp”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{EBE9E2B5-B526-48BC-AD46-687263EDCB0E}” = “Kwyshell MidpX” [from CLSID] -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll” [“Kwyshell G.Corp”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet Bar” -> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\FlashGet\fgiebar.dll” [“Amaze Soft”] “{EBE9E2B5-B526-48BC-AD46-687263EDCB0E}” = “Kwyshell MidpX” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll” [“Kwyshell G.Corp”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” {6224F700-CBA3-4071-B251-47CB894244CD}\ “ButtonText” = “ICQ Pro” “MenuText” = “ICQ” “Exec” = “C:\PROGRA~1\ICQ\ICQ.exe” [“ICQ Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “C:\PROGRA~1\FlashGet\flashget.exe” [“Amaze Soft”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ ewido security suite control, ewido security suite control, “C:\Program Files\ewido\security suite\ewidoctrl.exe” [“ewido networks”] ewido security suite guard, ewido security suite guard, “C:\Program Files\ewido\security suite\ewidoguard.exe” [“ewido networks”] iPodService, iPodService, “C:\Program Files\iPod\bin\iPodService.exe” [“Apple Computer, Inc.”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzlnt05\Driver = “hpzlnt05.dll” [“HP”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 196 seconds, including 13 seconds for message boxes)
teraz mi wywala cos z tym ad-a-w-a-r-e.com czy coa takiego wiec to bedzie to VX2 tylko w tym programie l2mfix cos mi nie idzie
Gutek
(Gutek)
24 Październik 2005 14:33
#10