Pages being replaced - logs


(Michall35) #1

Please check the log, because e.g. the sites sciaga.pl and wikipedia are being replaced by other sites; they don't display at all, I just get redirected to erotic sites

Logfile of HijackThis v1.99.1

Scan saved at 20:31:31, on 2007-09-16

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

C:\Program Files\Eset\nod32krn.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\RALINK\RT2400 Wireless LAN Card\Installer\WINXP\RaConfig.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Documents and Settings\BX\Moje dokumenty\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kodak.com/go/easysharecodes1045/?loc=20x&manif=101x&data=12029x&sku=175&os=WinXPPro

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - Startup: Start Firewall.lnk = C:\WINDOWS\system32\net.exe

O4 - Global Startup: Raconfig.lnk = C:\Program Files\RALINK\RT2400 Wireless LAN Card\Installer\WINXP\RaConfig.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{465CEACB-472D-48B3-97DA-787A9B60570D}: NameServer = 85.255.116.100,85.255.112.115

O17 - HKLM\System\CCS\Services\Tcpip\..\{94D1E385-8818-46A2-97BE-5B1FDA1A5A97}: NameServer = 85.255.116.100,85.255.112.115

O17 - HKLM\System\CCS\Services\Tcpip\..\{9C1AEF9B-803D-4453-A485-88B8EC11DA4E}: NameServer = 85.255.116.100,85.255.112.115

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115

O17 - HKLM\System\CS1\Services\Tcpip\..\{465CEACB-472D-48B3-97DA-787A9B60570D}: NameServer = 85.255.116.100,85.255.112.115

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115

O17 - HKLM\System\CS2\Services\Tcpip\..\{465CEACB-472D-48B3-97DA-787A9B60570D}: NameServer = 85.255.116.100,85.255.112.115

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

(Lost World) #2

To start with:

Use Fixwareout

After using it, you may need to set up your ISP's DNS again.

After the program has done its work, delete the entries in HJT.

Post new logs + paste the log from the Deckard's System Scanner tool

I'll check tomorrow, I can't manage it today.


(Michall35) #3

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

C:\Program Files\Eset\nod32krn.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\RALINK\RT2400 Wireless LAN Card\Installer\WINXP\RaConfig.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\BX\Moje dokumenty\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kodak.com/go/easysharecodes1045/?loc=20x&manif=101x&data=12029x&sku=175&os=WinXPPro

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - Startup: Start Firewall.lnk = C:\WINDOWS\system32\net.exe

O4 - Global Startup: Raconfig.lnk = C:\Program Files\RALINK\RT2400 Wireless LAN Card\Installer\WINXP\RaConfig.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Unfortunately the pages are still being replaced :frowning: Merged post: 20.09.2007 (Thu) 21:01

Unfortunately the pages are still being replaced :frowning: Merged post: 20.09.2007 (Thu) 21:06

Logs from Deckard's System Scanner

-- HijackThis (run as BX.exe) --------------------------------------------------


Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of HijackThis v1.99.1

Scan saved at 2007-09-20 21:04:23

Platform: Windows XP Dodatek Service Pack 2 (5.01.2600)

MSIE: Internet Explorer (7.00.5730.11)


Running processes:

C:\WINDOWS\system32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

C:\Program Files\ESET\nod32krn.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\ESET\nod32kui.exe

C:\Program Files\RALINK\RT2400 Wireless LAN Card\Installer\WINXP\RaConfig.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\BX\Pulpit\dss.exe

C:\Documents and Settings\BX\Moje dokumenty\BX.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kodak.com/go/easysharecodes1045/?loc=20x&manif=101x&data=12029x&sku=175&os=WinXPPro

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKEY_LOCAL_MACHINE\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - Startup: Start Firewall.lnk = C:\WINDOWS\system32\net.exe

O4 - Global Startup: Raconfig.lnk = C:\Program Files\RALINK\RT2400 Wireless LAN Card\Installer\WINXP\RaConfig.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - (file missing)

O9 - Extra 'Tools' menuitem: (no name) - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - (file missing)

O10 - Unknown file in Winsock LSP: C:\Program Files\Bonjour\mdnsNSP.dll

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab Class) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} () - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL

O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL

O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL

O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll

O23 - Service: Bonjour Service - Apple Computer, Inc. - "C:\Program Files\Bonjour\mDNSResponder.exe"

O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - "C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe"

O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - "C:\Program Files\Eset\nod32krn.exe"



-- HijackThis Fixed Entries (C:\DOCUME~1\BX\MOJEDO~1\backups\) -----------------


backup-20070917-154056-226 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115

backup-20070917-154056-275 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115

backup-20070917-154056-285 O17 - HKLM\System\CCS\Services\Tcpip\..\{94D1E385-8818-46A2-97BE-5B1FDA1A5A97}: NameServer = 85.255.116.100,85.255.112.115

backup-20070917-154056-364 O17 - HKLM\System\CS1\Services\Tcpip\..\{465CEACB-472D-48B3-97DA-787A9B60570D}: NameServer = 85.255.116.100,85.255.112.115

backup-20070917-154056-460 O17 - HKLM\System\CCS\Services\Tcpip\..\{9C1AEF9B-803D-4453-A485-88B8EC11DA4E}: NameServer = 85.255.116.100,85.255.112.115

backup-20070917-154056-696 O17 - HKLM\System\CCS\Services\Tcpip\..\{465CEACB-472D-48B3-97DA-787A9B60570D}: NameServer = 85.255.116.100,85.255.112.115

backup-20070917-154056-888 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115

backup-20070917-154056-895 O17 - HKLM\System\CS2\Services\Tcpip\..\{465CEACB-472D-48B3-97DA-787A9B60570D}: NameServer = 85.255.116.100,85.255.112.115


-- File Associations -----------------------------------------------------------


.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*



-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------


R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys 

R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys 

R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys 

R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys 

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys

R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys

R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys 

R3 RT2400 (RT2400 Wireless Driver) - c:\windows\system32\drivers\rt2400.sys 


S3 SASENUM - c:\program files\superantispyware\sasenum.sys 



-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------


S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe

S4 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" 

S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" 



-- Device Manager: Disabled ----------------------------------------------------


No disabled devices found.



-- Scheduled Tasks -------------------------------------------------------------


2007-07-09 22:26:57 384 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job



-- Files created between 2007-08-20 and 2007-09-20 -----------------------------


2007-09-19 17:08:10 0 d-------- C:\Program Files\English Translator 3

2007-09-16 12:39:14 0 d-------- C:\Program Files\VideoLAN

2007-09-10 17:11:09 0 d-------- C:\Program Files\SUPERAntiSpyware

2007-09-10 16:19:30 0 d-------- C:\Program Files\BearShare

2007-09-09 15:22:53 0 d-------- C:\Program Files\Deutsch Translator 2

2007-08-26 15:19:07 0 d-------- C:\Program Files\MP3Gain

2007-08-21 22:59:11 0 d-------- C:\Program Files\Nero

2007-08-21 22:13:23 0 d-------- C:\Program Files\SpectroN

2007-08-20 21:10:03 92216 --a------ C:\WINDOWS\system32\bass.dll 



-- Find3M Report ---------------------------------------------------------------


2007-09-16 12:39:55 0 d-------- C:\Documents and Settings\BX\Dane aplikacji\vlc

2007-09-13 17:56:27 2115 --a------ C:\WINDOWS\mozver.dat

2007-09-10 17:11:09 0 d-------- C:\Documents and Settings\BX\Dane aplikacji\SUPERAntiSpyware.com

2007-09-10 17:10:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-09-03 19:46:52 0 d-------- C:\Documents and Settings\BX\Dane aplikacji\foobar2000

2007-09-03 17:17:30 0 d-------- C:\Documents and Settings\BX\Dane aplikacji\Adobe

2007-08-31 21:13:08 0 d-------- C:\Program Files\NAPI-PROJEKT

2007-08-21 23:31:36 0 d-------- C:\Program Files\Common Files\Ahead

2007-08-21 22:39:03 0 d-------- C:\Program Files\Ahead

2007-08-20 21:11:10 0 d-------- C:\Documents and Settings\BX\Dane aplikacji\TERMINAL Studio

2007-08-19 21:53:49 0 d-------- C:\Program Files\BitComet

2007-08-17 00:20:30 0 d-------- C:\Program Files\Gadu-Gadu

2007-08-16 17:25:07 0 d-------- C:\Documents and Settings\BX\Dane aplikacji\Gadu-Gadu

2007-08-16 16:45:42 286720 -----n--- C:\WINDOWS\Setup1.exe 

2007-08-16 16:45:22 73216 --a------ C:\WINDOWS\ST6UNST.EXE 

2007-08-15 19:50:55 0 d-------- C:\Program Files\EA GAMES

2007-08-12 21:45:08 0 d-------- C:\Documents and Settings\BX\Dane aplikacji\Lavasoft

2007-08-12 21:44:21 0 d-------- C:\Program Files\Lavasoft

2007-08-12 14:09:29 0 d-------- C:\Program Files\Ultra Video Joiner

2007-08-10 14:10:58 0 d-------- C:\Program Files\Sunbelt Software

2007-08-10 13:36:05 298104 --a------ C:\WINDOWS\system32\imon.dll 

2007-08-10 12:51:57 0 d-------- C:\Program Files\Common Files\Kaspersky Lab

2007-08-10 10:21:11 0 d-------- C:\Program Files\Common Files

2007-08-03 19:13:02 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-07-31 16:20:05 0 d-------- C:\Program Files\MoorHunt

2007-07-22 17:40:31 7376 --a------ C:\WINDOWS\unins000.dat

2007-07-21 23:03:48 0 d-------- C:\Documents and Settings\BX\Dane aplikacji\Media Player Classic

2007-07-21 11:49:50 0 d-------- C:\Program Files\Real Alternative

2007-07-21 11:49:39 0 d-------- C:\Program Files\Media Player Classic

2007-07-21 11:49:36 0 d-------- C:\Documents and Settings\BX\Dane aplikacji\Real

2007-07-12 13:16:20 234 --a------ C:\WINDOWS\system32\vorbisenc.dll

2007-07-12 13:16:20 234 --a------ C:\WINDOWS\system32\vorbis.dll

2007-07-12 13:16:20 234 --a------ C:\WINDOWS\system32\OggDS.dll

2007-07-12 13:16:20 234 --a------ C:\WINDOWS\system32\ogg.dll

2007-07-12 13:16:19 234 --a------ C:\WINDOWS\system32\WMV9VCM.dll

2007-07-12 13:16:17 234 --a------ C:\WINDOWS\system32\mplvpx.dll

2007-07-12 13:16:17 234 --a------ C:\WINDOWS\system32\cpuinf32.dll

2007-07-12 13:16:16 234 --a------ C:\WINDOWS\system32\DivX.dll

2007-06-30 23:14:53 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll 



-- Registry Dump ---------------------------------------------------------------


*Note* empty entries & legit default entries are not shown



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-10 13:36]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-08-17 00:20]


C:\Documents and Settings\BX\Menu Start\Programy\Autostart\

Start Firewall.lnk - C:\WINDOWS\system32\net.exe [2004-08-04 00:44:26]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\

Raconfig.lnk - C:\Program Files\RALINK\RT2400 Wireless LAN Card\Installer\WINXP\RaConfig.exe [2007-05-01 20:35:25]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLowDiskSpaceChecks"=1 (0x1)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"System"="kdvta.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Action Manager 32.lnk]

backup=C:\WINDOWS\pss\Action Manager 32.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Oprogramowanie Kodak EasyShare.lnk]

backup=C:\WINDOWS\pss\Oprogramowanie Kodak EasyShare.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearFlix]

"C:\Program Files\BearFlix\bearflix.exe" /pause


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]

"C:\Program Files\Gadu-Gadu\gg.exe" /tray


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

%systemroot%\system32\dumprep 0 -k


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

"TapiSrv"=3 (0x3)

"RSVP"=3 (0x3)

"NtmsSvc"=3 (0x3)

"lanmanserver"=2 (0x2)

"helpsvc"=2 (0x2)

"ERSvc"=2 (0x2)

"TermService"=3 (0x3)

"stisvc"=2 (0x2)

"SharedAccess"=2 (0x2)

"PolicyAgent"=2 (0x2)

"Netlogon"=3 (0x3)

"lanmanworkstation"=2 (0x2)

"Eventlog"=2 (0x2)

"SysmonLog"=3 (0x3)

"WebClient"=2 (0x2)

"wscsvc"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"upnphost"=3 (0x3)

"SCardSvr"=3 (0x3)

"RDSessMgr"=3 (0x3)

"ose"=3 (0x3)

"Bonjour Service"=2 (0x2)

"W32Time"=2 (0x2)

"WmdmPmSN"=3 (0x3)

"RemoteRegistry"=2 (0x2)

"mnmsrvc"=3 (0x3)

"clr_optimization_v2.0.50727_32"=3 (0x3)

"aspnet_state"=3 (0x3)

"Browser"=2 (0x2)

"MSDTC"=3 (0x3)

"WudfSvc"=3 (0x3)

"SwPrv"=3 (0x3)

"MDM"=2 (0x2)

"OODefrag"=2 (0x2)

"UxTuneUp"=2 (0x2)

"aawservice"=2 (0x2)

"NMIndexingService"=3 (0x3)


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp





-- End of Deckard's System Scanner: finished at 2007-09-20 21:06:47 ------------

(jessica) #4

That is the key and file of this Ukrainian rootkit.

I'm not sure whether Fixwareout worked properly, all the more so because you didn't show its report.

So either use FixWareout once more, or at least show the report from C:\Fixwareout.txt.

jessi
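The two indicators the helpers in this thread act on are the O17 NameServer entries pointing at 85.255.116.100 / 85.255.112.115 (the DNS hijack behind the redirected pages) and the Winlogon "System" value running kdvta.exe (the persistence entry jessica points at). The following Python is an added example written for this edit, not a tool from the thread and not part of HijackThis, DSS or FixWareout: it scans a log in their text format and flags any resolver outside an allow-list plus any non-empty Winlogon "System" value. The sample logs are constructed from the values posted above; the interface GUID starting with AAAAAAAA, the 192.168.1.1 resolver and the TRUSTED_DNS allow-list are assumptions to be replaced with what your ISP or router actually hands out.

```python
import re

# Constructed sample in the shape of a HijackThis O17 section plus a DSS registry
# dump, using the NameServer values and the Winlogon "System" value this thread posted.
# The {AAAAAAAA-...} interface and the 192.168.1.1 resolver are made up for contrast.
SAMPLE_BEFORE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{465CEACB-472D-48B3-97DA-787A9B60570D}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdvta.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-10 13:36]
"""

# Constructed post-cleanup sample: resolver restored, Winlogon "System" emptied
# (the FixWareout "Postrun check" in this thread shows the value emptied the same way).
SAMPLE_AFTER = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"system"=""
"""

# Hypothetical allow-list: replace with the resolvers your ISP or router really uses.
TRUSTED_DNS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
WINLOGON_SYSTEM_RE = re.compile(r'^"system"="(.*)"$', re.IGNORECASE)


def find_dns_hijack(log_text, trusted_dns):
    """Return (registry key, [unexpected resolvers]) for every O17 line whose
    NameServer list contains an address outside the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis separates resolvers with a comma on interface keys and with
        # a space on the Parameters key, so split on either.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        rogue = [s for s in servers if s not in trusted_dns]
        if rogue:
            hits.append((m.group("key"), rogue))
    return hits


def find_winlogon_system(log_text):
    """Return the non-empty Winlogon "System" value from a DSS-style registry dump,
    or None. A clean system leaves this value empty, so any executable named here
    is an at-logon persistence entry worth investigating."""
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()   # track the current registry key
            continue
        if section is not None and section.endswith("\\winlogon"):
            m = WINLOGON_SYSTEM_RE.match(line)
            if m and m.group(1):
                return m.group(1)
    return None


def triage(log_text, trusted_dns=TRUSTED_DNS):
    """Human-readable findings for one log; an empty list means nothing was flagged."""
    findings = []
    for key, rogue in find_dns_hijack(log_text, trusted_dns):
        findings.append(f"DNS hijack: {key} points at {', '.join(rogue)}")
    loader = find_winlogon_system(log_text)
    if loader:
        findings.append(f"Winlogon System value runs {loader} at logon")
    return findings


if __name__ == "__main__":
    for label, log in (("before cleanup", SAMPLE_BEFORE), ("after cleanup", SAMPLE_AFTER)):
        print(f"== {label} ==")
        for finding in triage(log) or ["nothing flagged"]:
            print(" ", finding)
```

Run the same function over the log posted before the fix and over the one posted after it: the "before" sample yields two DNS findings and the Winlogon loader, the "after" sample yields nothing, which is the check the thread is asking the poster to confirm by re-posting logs.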


(Michall35) #5

~~~~~ Prerun check

HKLM\SOFTWARE\~\Winlogon\ "System"="kdvta.exe"


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{94D1E385-8818-46A2-97BE-5B1FDA1A5A97}

"DhcpNameServer"="85.255.116.100,85.255.112.115" 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9C1AEF9B-803D-4453-A485-88B8EC11DA4E}

"DhcpNameServer"="85.255.116.100,85.255.112.115" 

Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS.



System was rebooted successfully. 


~~~~~ Postrun check 

HKLM\SOFTWARE\~\Winlogon\ "system"="" 

....

....

~~~~~ Misc files. 

....

~~~~~ Checking for older varients.

....

~~~~~ Other

C:\WINDOWS\Temp\kdvta.ren 71242 2004-08-04 


~~~~~ Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="\"C:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"

....

Hosts file was reset, If you use a custom hosts file please replace it...

~~~~~End report~~~~~

(jessica) #6

I can see FixWareout has done its job, so I don't know what still isn't "working"?

Or has it perhaps improved?

If it hasn't improved, then use -->SDFix

Note: It can only be run in Safe Mode.

Show the Report.txt located in the SDFix folder.

And post a new log from DSS.

jessi