As in the subject. The computer with this operating system is completely sluggish. Besides that, IE, instead of opening the websites typed into the address bar, jumps on its own to other ones, such as online casinos, etc.
I am pasting the log from HJT:
Logfile of HijackThis v1.99.1
Scan saved at 09:25:30, on 07-09-08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\WINDOWS\IRXFER.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\PULPIT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTWARE\QUICKF~1\PLUGINS\IEHELP.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0 CE\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM…\Run: [irMon] IrMon.exe
O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM…\Run: [˙_zskWEMNOQJ] C:\WINDOWS\SYSTEM_zskwrkni04NDMLUA\JQONMEW.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [˙_zskWEMNOQJ] C:\WINDOWS\SYSTEM_zskwrkni04NDMLUA\JQONMEW.exe
O4 - HKCU…\Run: [˙_zskWEMNOQJ] C:\WINDOWS\SYSTEM_zskwrkni04NDMLUA\J`QONMEW.exe
O4 - HKCU…\Run: [Gadu-Gadu] “C:\PROGRAM FILES\GADU-GADU\GG.EXE” /tray
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location=‘http://*********.com/freegalleries.htm’;}
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.03\MediaManager\grab.html
O8 - Extra context menu item: Add to AMV Converter… - C:\Program Files\MP3 Player Utilities 4.03\AMVConverter\grab.html
O8 - Extra context menu item: &Search - ?p=ZJFOX000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleAc … refid=1112
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.110,85.255.112.175
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\SYSTEM\TEXTWAREILLUMINATORBASEPROTOCOL.DLL
=============================
I suggest removing addresses of porn sites.
Monczkin
adam9870
(adam9870)
8 September 2007 10:32
#2
Download the KillBox program, select Delete on reboot, and in the full path of file field paste the path:
C:\WINDOWS\SYSTEM_zskwrkni04NDMLUA\JQONMEW.exe
Click the red X and restart.
O4 - HKLM…\Run: [˙_zskWEMNOQJ] C:\WINDOWS\SYSTEM_zskwrkni04NDMLUA\JQONMEW.exe
O4 - HKLM\..\RunServices: [˙_zskWEMNOQJ] C:\WINDOWS\SYSTEM_zskwrkni04NDMLUA\JQONMEW.exe
O4 - HKCU…\Run: [˙_zskWEMNOQJ] C:\WINDOWS\SYSTEM_zskwrkni04NDMLUA\J`QONMEW.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location=’[…]’;}
O8 - Extra context menu item: &Search - ?p=ZJFOX000
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleAc … refid=1112
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.110,85.255.112.175
Remove the entries shown above using HijackThis.
Once done, paste a new log from HijackThis plus a log from SilentRunners. If an error appears while running Silent Runners, please give its exact text.
OK. I did as you suggested. Now the logs.
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 13:25:49, on 07-09-08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\IRXFER.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\PULPIT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTWARE\QUICKF~1\PLUGINS\IEHELP.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0 CE\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM…\Run: [irMon] IrMon.exe
O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM…\Run: [LoadQM] loadqm.exe
O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM…\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM…\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM…\RunServices: [schedulingAgent] mstask.exe
O4 - HKCU…\Run: [Gadu-Gadu] “C:\PROGRAM FILES\GADU-GADU\GG.EXE” /tray
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.03\MediaManager\grab.html
O8 - Extra context menu item: Add to AMV Converter… - C:\Program Files\MP3 Player Utilities 4.03\AMVConverter\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\SYSTEM\TEXTWAREILLUMINATORBASEPROTOCOL.DLL
Silent Runners (there were no error messages when the application started):
“Silent Runners.vbs”, revision 52, http://www.silentrunners.org/ Operating System: Windows 98 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““C:\PROGRAM FILES\GADU-GADU\GG.EXE” /tray” [“Gadu-Gadu S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “IrMon” = “IrMon.exe” [MS] “HPDJ Taskbar Utility” = “C:\WINDOWS\SYSTEM\hpztsb05.exe” [“HP”] “SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”] “LoadQM” = “loadqm.exe” [MS] “AVG7_CC” = “C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP” [“GRISOFT, s.r.o.”] “AVG7_EMC” = “C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE” [“GRISOFT, s.r.o.”] “AVG7_AMSVR” = “C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE” [“GRISOFT, s.r.o.”] HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ {++} “SchedulingAgent” = “mstask.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] {C08DF07A-3E49-4E25-9AB0-D3882835F153}(Default) = (no title provided) -> {HKLM…CLSID} = “QUICKfind BHO Object” \InProcServer32(Default) = “C:\PROGRA~1\TEXTWARE\QUICKF~1\PLUGINS\IEHELP.DLL” [null data] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\PROGRAM FILES\ADOBE\ACROBAT 6.0 CE\READER\ACTIVEX\ACROIEHELPER.DLL” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Eksplorator pulpitów” -> {HKLM…CLSID} = “Eksplorator pulpitów” \InProcServer32(Default) = “C:\WINDOWS\SYSTEM\NVSHELL.DLL” [“NVIDIA Corporation”] 
“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\SYSTEM\NVSHELL.DLL” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\PROGRAM FILES\WINRAR\rarext.dll” [null data] “{2E9D3540-211C-11d0-A5F2-00A0248C37BE}” = “Nero Shell Extension Property Sheet” -> {HKLM…CLSID} = “Nero Shell Extension Property Sheet” \InProcServer32(Default) = “C:\Program Files\Ahead\nero\neroshx.dll” [“Ahead Software AG”] “{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}” = “Siemens Device” -> {HKLM…CLSID} = “Siemens Device” \InProcServer32(Default) = “C:\PROGRAM FILES\MOBILE PHONE MANAGER\DES\DESSHELLEXT98.DLL” [null data] “{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}” = “Siemens Device ContextMenuHandler” -> {HKLM…CLSID} = “Siemens Device ContextMenuHandler” \InProcServer32(Default) = “C:\PROGRAM FILES\MOBILE PHONE MANAGER\DES\DESSHELLEXT98.DLL” [null data] “{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}” = “Siemens SX1 PropertySheetHandler” -> {HKLM…CLSID} = “Siemens Device PropertySheetHandler” \InProcServer32(Default) = “C:\PROGRAM FILES\MOBILE PHONE MANAGER\DES\DESSHELLEXT98.DLL” [null data] “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Shell Extension” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG7\avgse.dll” [“GRISOFT, s.r.o.”] “{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Find Extension” -> {HKLM…CLSID} = “AVG7 Find Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG7\avgse.dll” [“GRISOFT, s.r.o.”]
Bieniol
(Bbieniol)
8 September 2007 12:44
#4
The HijackThis log is now clean. As for Silent Runners, wait patiently for the message that the log has been created and paste the whole thing on the forum, because what is here is only part of it.
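Added example, not part of the thread and not any poster's or HijackThis's own code: a small triage script for the kinds of entries singled out in post #2 (O4 autostart, O8 context menu, O17 NameServer) and for the before/after comparison behind the "log is clean" verdict in post #4. The function names and the three heuristics are assumptions of this example, and the sample logs are constructed, with a placeholder executable path and a placeholder O8 URL.

```python
import ipaddress
import re

# One HijackThis entry per line: "<section> - <details>"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse(log_text):
    """Return [(section, details), ...] for every entry line of a log."""
    return [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]

def reason(section, details):
    """Review heuristics (assumptions of this example); None means no hit."""
    if section == "O17" and "NameServer = " in details:
        public = []
        for ip in re.split(r"[ ,]+", details.split("NameServer = ", 1)[1].strip()):
            try:
                if not ipaddress.ip_address(ip).is_private:
                    public.append(ip)
            except ValueError:
                public.append(ip)  # unparsable value: surface it too
        return "DNS outside the local network: " + ", ".join(public) if public else None
    if section == "O8" and "javascript:" in details.lower():
        return "context menu item runs a javascript: URL"
    name = re.search(r"\[(.*?)\]", details) if section == "O4" else None
    if name and not name.group(1).isascii():
        return "autostart value name contains non-ASCII characters"

def flagged(log_text):
    """Entries that match a heuristic, as (section, details, reason)."""
    return [h for h in ((s, d, reason(s, d)) for s, d in parse(log_text)) if h[2]]

def remaining(before, after):
    """Flagged entries of `before` that still appear verbatim in `after`."""
    left = set(parse(after))
    return [h for h in flagged(before) if h[:2] in left]

# Constructed sample logs; the executable path and the O8 URL are placeholders.
BEFORE = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [˙_zskWEMNOQJ] C:\PLACEHOLDER\sample.exe
O8 - Extra context menu item: Example - javascript:{document.location='http://example.invalid/';}
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.110,85.255.112.175
"""
AFTER = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
"""

if __name__ == "__main__":
    print(flagged(BEFORE), remaining(BEFORE, AFTER), sep="\n")
```

A hit only marks an entry for manual review: a public DNS server assigned by the ISP also trips the O17 rule, so the address still has to be checked against the provider's settings.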