adamar
(Madara)
17 June 2006 12:56
#1
The computer runs slowly and the start page has been redirected. Following other posts I tried deleting the files and entries, but the problem keeps coming back. Evidently not everything has been identified. I would therefore kindly ask you to check the log. Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 14:37:14, on 2006-06-17
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
C:\Program Files\DVD\a\InCD\InCDsrv.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\DVD\a\InCD\InCD.exe
D:\PROGRA~1\NEOSTR~1\CnxMon.exe
D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\System32\per.exe
C:\Program Files\lpdrih.exe
D:\WINDOWS\System32\0mcamcap.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
D:\WINDOWS\System32\rpcc.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\tqmulas.exe3072.exe
D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\Program Files\UltimateZip\uzqkst.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
C:\Hijak\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - D:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: (no name) - {7B21A581-2581-7473-BD49-EC7D286646B1} - SysEntry.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - D:\WINDOWS\system32\winbrume.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - D:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM…\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM…\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [inCD] C:\Program Files\DVD\a\InCD\InCD.exe
O4 - HKLM…\Run: [WooCnxMon] D:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM…\Run: [WOOWATCH] D:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM…\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM…\Run: [ZPoint] D:\WINDOWS\System32\winmuse.exe
O4 - HKLM…\Run: [ControlPanel] D:\WINDOWS\System32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM…\Run: [dmcfx.exe] D:\WINDOWS\System32\dmcfx.exe
O4 - HKLM…\Run: [corrida] avpmondll.exe
O4 - HKLM…\Run: [media64] br0ken.exe
O4 - HKLM…\Run: [win32hp] D:\WINDOWS\System32\win32hlp.exe
O4 - HKLM…\Run: [sysTray] C:\Program Files\lpdrih.exe
O4 - HKLM…\Run: [0mcamcap] D:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM…\Run: [Outpost Firewall] D:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM…\Run: [rpcc] rpcc.exe
O4 - HKLM…\Run: [CreateCD] D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKLM…\RunServices: [0mcamcap] D:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU…\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU…\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU…\Run: [termcaps] D:\WINDOWS\System32\termcaps.exe
O4 - HKCU…\Run: [unSpyPC] "D:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU…\Run: [shaitan1678] BoundRec.exe
O4 - HKCU…\Run: [sYSTRAV] zantu.exe
O4 - HKCU…\Run: [WinMedia] C:\tqmulas.exe3072.exe
O4 - HKCU…\Run: [0mcamcap] D:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU…\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Startup: UltimateZip Quick Start.lnk = D:\Program Files\UltimateZip\uzqkst.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ATI CATALYST System Tray.lnk = D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: Easy-WebPrint – Dodaj do listy drukowania - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint – Drukuj - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint – Drukuj z dużą szybkością - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint – Podgląd - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/pl/boards_2_0_0_24.cab
O16 - DPF: {A7196C8E-35A5-4FF0-9E46-E28918B5CAF6} (GameDesire Domino) - http://67.15.101.3/g_bin/pl/domino_2_0_0_26.cab
O16 - DPF: {A9ED6AA2-D9D4-4D71-9586-E293E2E3580B} (GameDesire Marbles&Diamonds&Runes) - http://67.15.101.3/g_bin/pl/marbles_2_0_0_26.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip…{2B0BF83E-474F-41A2-9916-B74344A143B4}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip…{99100D75-8971-43F4-ABD3-C228954581AD}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CS1\Services\Tcpip…{2B0BF83E-474F-41A2-9916-B74344A143B4}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CS2\Services\Tcpip…{2B0BF83E-474F-41A2-9916-B74344A143B4}: NameServer = 85.255.114.75,85.255.112.71
O20 - Winlogon Notify: artm_newreg - D:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - D:\Documents and Settings\All Users\Dokumenty\Settings\polymorph.dll
O20 - Winlogon Notify: zopenssl - D:\WINDOWS\SYSTEM32\zopenssl.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: SysTray.Exinv - {2363ECFC-4E5D-2f3b-B384-D67432FC72F6} - D:\WINDOWS\System32\ofkabplj.dll
O23 - Service: Application Layer Gateway System (ALGS) - Unknown owner - D:\WINDOWS\system32\algsys.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\DVD\a\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - D:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
Bieniol
(Bbieniol)
17 June 2006 13:07
#2
Use Windows Worms Doors Cleaner and switch the markers from disable to enable. After using this tool a system restart is required.
Start --> Run --> services.msc --> stop and disable the Application Layer Gateway System service
In Safe Mode with System Restore turned off, remove the following (the entries with HijackThis, the files/folders marked in red by hand from the disk; if you have trouble deleting files, use the KillBox tool):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - {7B21A581-2581-7473-BD49-EC7D286646B1} - SysEntry.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - D:\WINDOWS\system32\winbrume.dll
O4 - HKLM…\Run: [ZPoint] D:\WINDOWS\System32\winmuse.exe
O4 - HKLM…\Run: [ControlPanel] D:\WINDOWS\System32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM…\Run: [dmcfx.exe] D:\WINDOWS\System32\dmcfx.exe
O4 - HKLM…\Run: [corrida] avpmondll.exe
O4 - HKLM…\Run: [media64] br0ken.exe
O4 - HKLM…\Run: [win32hp] D:\WINDOWS\System32\win32hlp.exe
O4 - HKLM…\Run: [sysTray] C:\Program Files\lpdrih.exe
O4 - HKLM…\Run: [0mcamcap] D:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM…\Run: [rpcc] rpcc.exe
O4 - HKLM…\RunServices: [0mcamcap] D:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU…\Run: [termcaps] D:\WINDOWS\System32\termcaps.exe
O4 - HKCU…\Run: [unSpyPC] "D:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU…\Run: [shaitan1678] BoundRec.exe
O4 - HKCU…\Run: [sYSTRAV] zantu.exe
O4 - HKCU…\Run: [WinMedia] C:\tqmulas.exe3072.exe
O4 - HKCU…\Run: [0mcamcap] D:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU…\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O20 - Winlogon Notify: artm_newreg - D:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - D:\Documents and Settings\All Users\Dokumenty\Settings\polymorph.dll
O20 - Winlogon Notify: zopenssl - D:\WINDOWS\SYSTEM32\zopenssl.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: SysTray.Exinv - {2363ECFC-4E5D-2f3b-B384-D67432FC72F6} - D:\WINDOWS\System32\ofkabplj.dll
O23 - Service: Application Layer Gateway System (ALGS) - Unknown owner - D:\WINDOWS\system32\algsys.exe (file missing)
Additionally, remove the Ukrainian DNS entries:
O17 - HKLM\System\CCS\Services\Tcpip…{2B0BF83E-474F-41A2-9916-B74344A143B4}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip…{99100D75-8971-43F4-ABD3-C228954581AD}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CS1\Services\Tcpip…{2B0BF83E-474F-41A2-9916-B74344A143B4}: NameServer = 85.255.114.75,85.255.112.71
O17 - HKLM\System\CS2\Services\Tcpip…{2B0BF83E-474F-41A2-9916-B74344A143B4}: NameServer = 85.255.114.75,85.255.112.71
Also remove the Yahoo! leftovers:
Run an EWIDO scan after updating it
After these steps, post a new HijackThis log + a Silent Runners log
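As an added example (not code from this thread or from HijackThis), here is a small Python triage that parses HijackThis entries and applies the same checks the reply above makes by hand: a browser start page pointing at a local file, autorun entries that name a bare executable without a path, O17 NameServer values outside the resolvers you expect (192.0.2.53 below is an assumed placeholder for the ISP's real addresses), and entries whose file is missing. The sample entries are constructed, modelled on the posted log.

```python
import re

# Constructed sample entries modelled on the HijackThis log in this thread
# (HijackThis abbreviates the Run key path as HKLM\..\Run in its output).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = c:\\secure32.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://szukaj.wp.pl
R3 - URLSearchHook: (no name) - {7B21A581-2581-7473-BD49-EC7D286646B1} - SysEntry.dll (file missing)
O4 - HKLM\\..\\Run: [AVG7_CC] D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [media64] br0ken.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{2B0BF83E-474F-41A2-9916-B74344A143B4}: NameServer = 85.255.114.75,85.255.112.71
O23 - Service: Application Layer Gateway System (ALGS) - Unknown owner - D:\\WINDOWS\\system32\\algsys.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")   # "O4 - ..." entry lines only
LOCAL_FILE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)           # drive-letter path, not a URL
O4_CMD_RE = re.compile(r'^\[[^\]]*\]\s*"?(?P<cmd>[^"\s]+)')        # "[name] command ..."
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")

def parse(log: str):
    """Yield (section code, body) per HijackThis entry; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")

def triage(log: str, expected_dns: set) -> list:
    """Return (reason, entry) pairs for entries matching the checks used in the reply."""
    findings = []
    for code, body in parse(log):
        if code in ("R0", "R1") and LOCAL_FILE_RE.match(body.rsplit(" = ", 1)[-1]):
            findings.append(("browser start/default page points at a local file", body))
        elif code == "O4":
            m = O4_CMD_RE.match(body.split(": ", 1)[-1])
            if m and "\\" not in m.group("cmd"):   # no directory: resolved by bare name at logon
                findings.append(("autorun entry with a bare executable name", body))
        elif code == "O17":
            m = NAMESERVER_RE.search(body)
            if m and not set(m.group("ips").split(",")) <= expected_dns:
                findings.append(("NameServer outside the expected resolver set", body))
        if "(file missing)" in body:   # hook or service whose target no longer exists
            findings.append(("entry references a file that no longer exists", body))
    return findings

if __name__ == "__main__":
    # 192.0.2.53 is a placeholder for the ISP's real resolver addresses (assumed).
    for reason, entry in triage(SAMPLE_LOG, {"192.0.2.53"}):
        print(f"{reason}: {entry}")
```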