Sprawdzenie loga z Hijack This

[Gość: Bezradna]

Logfile of HijackThis v1.99.1
Scan saved at 07:18:14, on 05-04-11
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SOINTGR.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TEMP\OM- LICZNIK 1.0.EXE
C:\PROGRAM FILES\REAL\REALJBOX.EXE
C:\PROGRAM FILES\SERVICEPACKFILES\MEMREALOAD.EXE
C:\PROGRAM FILES\D4\D4.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\PROGRAM FILES\DESKTOP ARCHITECT\DATRAY.EXE
C:\PROGRAM FILES\ATNOTES\ATNOTES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\PULPIT\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: CrsHO Class - {5843A29E-1246-11D4-BA8C-0050DA707ACD} -
C:\WINDOWS\SYSTEM\CRS32.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} -
C:\WINDOWS\SYSTEM\MSBE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-
3FFD8020233E} - C:\PROGRAM FILES\THESEARCHACCELERATOR\UCMTSAIE.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\dsb.exe
O4 - HKLM\..\Run: [OM- Licznik 1.0] C:\WINDOWS\TEMP\OM- LICZNIK 1.0.EXE
O4 - HKLM\..\Run: [REAL] C:\Program Files\REAL\realjbox.exe
O4 - HKLM\..\Run: [Indexindicator] C:\WINDOWS\SYSTEM\Indexindicator.exe /check
O4 - HKLM\..\Run: [MEMreaload] C:\Program
Files\ServicePackFiles\MEMreaload.exe /checkmouse /updateratio
O4 - HKLM\..\Run: [Suite] C:\WINDOWS\SYSTEM\SuiteOffices.exe /cleandb
O4 - HKLM\..\Run: [Reload] C:\Program
Files\ServicePackFiles\reload.exe /reloadenterpice
O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\SYSTEM\Recalculate.exe /reloadenterpice
O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
O4 - HKLM\..\Run: [LocalProxy] C:\Program Files\LocalProxy\proxy4free.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4
\ASHWEBSV.EXE
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye
Network\bin\bargains.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4
\ashServ.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\PROGRAM FILES\DESKTOP
ARCHITECT\DATRAY.EXE" -S
O4 - Startup: ATnotes.lnk = C:\Program Files\ATnotes\ATnotes.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pcg: C:\PROGRA~1\INTERN~1\Plugins\nppcgplg.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c11.cab

[m.gregor]

1.) Odinstaluj z panelu sterowania -> dodaj/usun programy wszystkie search
acceleratory i inne cuda
2.) Zaznacz i wykasuj:
> O2 - BHO: CrsHO Class - {5843A29E-1246-11D4-BA8C-0050DA707ACD} -
> C:\WINDOWS\SYSTEM\CRS32.DLL
> O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} -
> C:\WINDOWS\SYSTEM\MSBE.DLL
> O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-
> 3FFD8020233E} - C:\PROGRAM FILES\THESEARCHACCELERATOR\UCMTSAIE.DLL
> O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
> O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
> O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\dsb.exe
> O4 - HKLM\..\Run: [OM- Licznik 1.0] C:\WINDOWS\TEMP\OM- LICZNIK 1.0.EXE
> O4 - HKLM\..\Run: [Indexindicator] C:\WINDOWS\SYSTEM\Indexindicator.exe /check
> O4 - HKLM\..\Run: [MEMreaload] C:\Program
> Files\ServicePackFiles\MEMreaload.exe /checkmouse /updateratio
> O4 - HKLM\..\Run: [Suite] C:\WINDOWS\SYSTEM\SuiteOffices.exe /cleandb
> O4 - HKLM\..\Run: [Reload] C:\Program
> Files\ServicePackFiles\reload.exe /reloadenterpice
> O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\SYSTEM\Recalculate.exe /reloadenterpice
> O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
> O4 - HKLM\..\Run: [LocalProxy] C:\Program Files\LocalProxy\proxy4free.exe
> O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
> O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye
> Network\bin\bargains.exe
> O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
> O4 - HKCU\..\Run: [Desktop Architect] "C:\PROGRAM FILES\DESKTOP
> ARCHITECT\DATRAY.EXE" -S
> O4 - Startup: ATnotes.lnk = C:\Program Files\ATnotes\ATnotes.exe
> O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
> static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c11.cab

A potem zrob i wklej nowego loga.

Nowy log

[Gość: Bezradna]

Logfile of HijackThis v1.99.1
Scan saved at 19:17:18, on 05-04-11
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\PULPIT\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [REAL] C:\Program Files\REAL\realjbox.exe
O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\SYSTEM\Recalculate.exe /reloadenterpice
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4
\ashServ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pcg: C:\PROGRA~1\INTERN~1\Plugins\nppcgplg.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab

Do m.gregora

[Gość: Bezradna]

Oczywiście nie będę udawać, że wiem o co chodzi ;-) niepokoi mnie trochę, że
kazałeś mi usunąć ATNotes i Licznik OM he he...

[m.gregor]

Jesli wiesz co to za wpisy i jestes na 100% pewna tych programow mozesz je
przywrocic. W tym celu uruchamiasz HijackThis, wybierasz 'View the list of
backups' a potem zaznaczasz te dwie linijki i wybierasz Restore.

A potem postepujesz tak jak podalem na stronie i kasujesz nastepujaca linie:
> O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\SYSTEM\Recalculate.exe /reloadenterpice
To trojan Lazar. Jesli problem bedzie sie powtarzal (po restarcie i ponownym
skanowaniu ta linia sie pojawi) przeskanuj system skanerem on-line. Np. Pandy.

OK

[Gość: Bezradna]

Nie wiem, co to znaczy, czy jestem pewna ich na 100%. ATnotes wzięłam z płytki
dołączonej do Komputer Świata, OM licznik ściągnęłam z netu. No ale potrzebne
mi są trochę.
Zrobiłam wszystko jak kazałeś, wczoraj przeskanowałam on line i wynalazło mi
dwa trojany i poleciło skasować pliki. Komputer posłusznie się zamknął. Dziś
rano sprawdziłam jeszcze, czy się nie pojawił ten trojan i przeskanowałam on
line. Wszystko wydaje się w porządku.
Dziękuję bardzo za pomoc! To niesamowita sprawa, że zawsze można na Was liczyć,
towarzyszu ;-)

[Gość: Adrien Brody Fan]

NIE wiem, NIE umiem, NIE robię, NIE chce mi się... Cóż.... Mogę wrescie to gadu-
gadu??!!

Sprawdzenie loga z Hijack This - pomóżcie

[Gość: MAGDA]

zainstalowało mi sie jakies cholerstwo z xxx praktycznie uniemozliwia
korzystanie z sieci, uruchamia mnostwo roznych stroniczek
oto moj log
Logfile of HijackThis v1.99.1
Scan saved at 20:49:34, on 2005-04-12
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\logon.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\TV\moretv353pl\MoreTV.exe
C:\TV\wilma21\Wilma.exe
C:\PROGRA~1\Wanadoo\EspaceWanadoo.exe
C:\PROGRA~1\Wanadoo\ComComp.exe
C:\PROGRA~1\Wanadoo\Watch.exe
C:\Program Files\FlashGet\flashget.exe
C:\WINDOWS\System32\winsys32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\magda\Ustawienia lokalne\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.jimbutt.com/stuffs/
O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05
\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -
FastScan
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program
Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program
Files\FlashGet\jc_link.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{872DE33C-3A18-4A44-A0C5-CCC9E8D3BF96}:
NameServer = 194.204.152.34 217.98.63.164
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program
Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

probowalam usunac r0 ale nie moge
co robiC?
dzieki magda

[Gość: Kolobos]

Odinstaluj New.Net oraz Spyware Vanisher, uzyj tez tego:
www.cexx.org/LSPFix.exe
W hijackthis usun to:

> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> www.jimbutt.com/stuffs/
> O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
> O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
> \NEWDOT~1.DLL,NewDotNetStartup -s
> O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
> O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
> O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -
> FastScan

I Fix Checked.

A co do jimbutt to tutaj jest opis jak usunac:
www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&#entry58793

[m.gregor]

1.) Na poczatku zrob loga tak jak opisano tutaj:
republika.pl/mgregor
2.) Zdeinstaluj New.net, SpywareVanisher, (Start -> Panel sterowania ->
Dodaj/usun programy)
3.) A potem wykasuj nastepujace linie:
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> www.jimbutt.com/stuffs/
> O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
> O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
> O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
> \NEWDOT~1.DLL,NewDotNetStartup -s
> O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
> O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -
> FastScan
> O10 - Hijacked Internet access by New.Net
> O10 - Hijacked Internet access by New.Net
> O10 - Hijacked Internet access by New.Net
> O10 - Hijacked Internet access by New.Net
4.) Jak juz wywalisz to:
- aktualizacje z windows update
- przestan korzystac z IE - zainstauj bezpieczna przegladarke: FireFox'a,
Mozille, Opere
- zainstaluj np. Kerio albo Sygate zamiast Zone Alarm
- zainstaluj program antywirusowy (np. darmowego Avast'a)
- przestan korzystac z neostradowego Wanadoo (odinstaluj je) i stworz polaczenie
tak jak opisano to tutaj:
forum.gazeta.pl/forum/72,2.html?f=34&w=15679891&a=15680440
- robisz i wklejasz loga po zrobieniu tego wszystkiego

Linki i instrukcje:
forum.gazeta.pl/forum/72,2.html?f=34&w=15679891&a=19472430 +POSTY
NASTEPNE GDZIE SA ERRATY DO LINKOW I LINKI DO NOWSZYCH WERSJI (NP. DO JAVA SUN).

[Gość: Kolobos]

jimbutt'a sie tak latwo nie da usunac, w C:\Windows\system\ tworzy on plik
systr.dll oraz drugi o losowej nazwie ale tej samej dacie utworzenia co ulatwia
usuniecie w DllCompare.exe powinno go byc widac, trzeb oba pliki wywalic i
bedzie ok :-)
Zreszta jeden ze sposobow usuniecia jest w linku, ktory podalem w innym poscie.

[Gość: magda]

mgregor - postąpiła zgodnie z twoimi instr.
nie usunęlo jimbutta i tych o10 - byl komunikat ze ich nie moze
oto log po fix checked
Logfile of HijackThis v1.99.1
Scan saved at 21:42:04, on 2005-04-12
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\TV\moretv353pl\MoreTV.exe
C:\TV\wilma21\Wilma.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Downloads\Różne dziwne\hijackthisnew\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.jimbutt.com/stuffs/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05
\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program
Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program
Files\FlashGet\jc_link.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program
Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

nie jest lepiej niestety
magda

[m.gregor]

Co do strony startowej: zastosuj sie do rad Kolobosa. Facet wie co pisze. Odwala
tu kawal dobrej roboty :-)
A co do Wanadoo: to nie odistalowalas go i nadal sie przez niego laczysz?
A co do New.net: odinstalowalas go w Panel sterowania -> Dodaj/usun programy?

[Gość: magda]

new net - nie mam tego w programach
jak wchodze w dodaj/ usun to tego nie ma
myslalam ze nie laczyc sie przez wanadoo w przyszlości ale skoro to urgent to
zaraz zmieniam

[m.gregor]

Odinstalowujesz aplikacje neostrady (wanadoo) i tworzysz polaczenie w sposob
opisany na stronie jaka Ci podalem i na przyszlosc laczysz sie przez to
utworzone polaczenie.

[Gość: magda]

> jimbutt'a sie tak latwo nie da usunac, w C:\Windows\system\ tworzy on plik
> systr.dll oraz drugi o losowej nazwie ale tej samej dacie utworzenia co
ulatwia
>
> usuniecie w DllCompare.exe powinno go byc widac, trzeb oba pliki wywalic i
> bedzie ok :-)
> Zreszta jeden ze sposobow usuniecia jest w linku, ktory podalem w innym
poscie.
>
A podasz linka, bo moja wyszukiwarka milczy:-((
sprawa paląca naprawde

[m.gregor]

Przecie podał:
forum.gazeta.pl/forum/72,2.html?f=430&w=22586454&a=22661433

[Gość: magda]

przepraszam, pewnie myslicie ze ciezko mysle ale te gowienka ciagle mi sie
wlączaj ze po 2-3min musze wychodzic z neta i dlatego
skonfigurowalam polaczenie, wyrzucilam new neta - jednak był:-)))
sciagnelam ten programik zeby wywalic jimbutta, ale pokazaly sie tylko takie
pliki
mswsock.dll
winrnr.dll
rsvpsp.dll
wiec nie wiem czy cos z tego usunac
podaje nowego loga - jimbutt nadal siedzi

Logfile of HijackThis v1.99.1
Scan saved at 22:23:06, on 2005-04-12
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\Różne dziwne\hijackthisnew\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.jimbutt.com/stuffs/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05
\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program
Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program
Files\FlashGet\jc_link.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{872DE33C-3A18-4A44-A0C5-CCC9E8D3BF96}:
NameServer = 194.204.152.34 217.98.63.164
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program
Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

[Gość: magda]

czekam niecierpliwie na wskazówki
tymczasem sciągam juz antywirusa i opere, niestety link do kerio nie dziala
magda

[m.gregor]

Bo jak 99% czytajacych nie czyta tego co napisalem DUZYMI LITERAMI: ZOBACZ DO
POSTOW NASTEPNYCH GDZIE SA ERRATY DO LINKOW I LINKI DO NOWSZYCH WERSJI!

I zdeinstaluj wreszcie to cholerne WANADOO...

[m.gregor]

W linku podanym przez kolobos'a jest dokladnie, krok po kroku podane jak usunac
jimbutt'a:
www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&#entry58793

[Gość: Kolobos]

Musisz usunac ten plik:
C:\WINDOWS\System32\systr.dll

Otworz notatnik i wklej go nie go:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-0000-0010-8000-
00AAFF6D2EA4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTas
kScheduler]
"{12345678-0000-0010-8000-00AAFF6D2EA4}"=-

Zapisz jako fix.reg i kliknij dwa razy, nastepnie w Start->Uruchom
wpisz: regsvr32 /u systr.dll
nastepnie wpisz w uruchom:
Start->Uruchom->cmd i wpisz:
del C:\WINDOWS\System32\systr.dll

Nastepnie w hijack usun wpis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.jimbutt.com/stuffs/

Po skasowaniu, uruchom ponownie komputer i sprawdz czy jimbutt zniknal czy tez
dalej jest :-)

[Gość: Kolobos]

Oba wpisy maja byc jednej linijce o te:
[-HKEY_LOCAL_... bo sie zlamaly w poscie zreszta masz to podane na stronie:
www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&#entry58793

DZIĘKI CHŁOPAKI!!!!!!!!!!

[Gość: MAGDA]

chyba mi się udało:-)))))
zresetowałam i nic na razie nie wyskakuje
wklejam loga
nie wiem czy cos jeszcze usunac
wanadoo wywalilam
ogfile of HijackThis v1.99.1
Scan saved at 23:49:37, on 2005-04-12
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ias.exe
C:\WINDOWS\ibz.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Downloads\Różne dziwne\hijackthisnew\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05
\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program
Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program
Files\FlashGet\jc_link.htm
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program
Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

jeszcze tylko jedno:-))
nadal pojawia mi sie komunikat ze twoj system został zawirusowany, osobite
porty 8080 i 3128 i zeby uzyc free spyvirus czy cuś takiego
mam nadzieje ze jak uruchomie avasta to zniknie

magda

[Gość: Kolobos]

Raczej nie skoro dalej masz okienko, ktore wyswietla ten trojan.
Tutaj nawet widac to okienko:
www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&#entry58793
Wiec jak dalej je masz to znaczy, ze dalej masz tego trojana czy co to tam jest.
Wklej log z:
www.silentrunners.org/Silent%20Runners.vbs

[Gość: magda]

no tak, a mowili nie chwal dnia i tak dalej...
krótko po napisaniu posta avast wykryl trojana
czesc usunal ale pewnie nie wszystko chociaz nic sie nie otwiera
ale w logu widze ibz.exe i ias. exe - tego chyba nie powinno być?
magda

"Silent Runners.vbs", revision 34, www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"Ias" = "C:\WINDOWS\ias.exe" [null data]
"Ibz" = "C:\WINDOWS\ibz.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
[null data]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32
\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

[Gość: Kolobos]

To chyba nie caly log z silentrunners? Bo cos krotki strasznie.


A co do tego:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"Ias" = "C:\WINDOWS\ias.exe" [null data]
"Ibz" = "C:\WINDOWS\ibz.exe" [null data]

To jakis keylogger, zrob tak:

Start->Uruchom->regedit przejdz do:

cd.. bo mi sie nacisnelo ;-)

[Gość: Kolobos]

przejdz do:
HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

i tam usun te dwa wpisy:

"Ias" = "C:\WINDOWS\ias.exe" [null data]
"Ibz" = "C:\WINDOWS\ibz.exe" [null data]

Nastepnie w hijackthis wybierz Open Misc Tools i delte file on reboot i wklej
sciezke do:

C:\WINDOWS\ias.exe a nastepnie do C:\WINDOWS\ibz.exe i po resecie juz ich nie
powinno byc.

Doklej tez reszte log'a z silentrunners.

log po usunieciu ias.exe i ibz.exe

[Gość: magda]

"Silent Runners.vbs", revision 34, www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
[null data]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32
\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll"
["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll"
["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll"
["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon
Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2
\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
[null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
["WinZip Computing, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4
\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop
Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\systr.dll" [file
not found]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\magda\Ustawienia lokalne\Dane
aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "magda" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe /W" [empty string]
"hp psc 1000 series" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital
Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."]
"hpoddt01.exe" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital
Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft
Office\Office\OSA9.EXE -b -l" [MS]
"ZoneAlarm Pro" -> shortcut to: "C:\Program Files\Zone
Labs\ZoneAlarm\zapro.exe -nopopup" ["Zone Labs Inc."]


Enabled Scheduled Tasks:
------------------------

"FRU Task #Hewlett-Packard#hp psc 1100 series#1090148201" ->
launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -
I "#Hewlett-Packard#hp psc 1100 series#1090148201"" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5
\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9
\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {CLSID}\(Default) = "Yahoo! Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!
\Companion\Installs\cpn\ycomp5_3_16_0.dll" [file not found]

"{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}"
-> {CLSID}\(Default) = "My &Search Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program
Files\MyWay\myBar\1.bin\MYBAR.DLL" [file not found]

"{014DA6C9-189F-421A-88CD-07CFE51CFF10}"
-> {CLSID}\(Default) = "iMesh Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program
Files\MySearch\bar\1.bin\S4BAR.DLL" [file not found]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{014DA6CE-189F-421A-88CD-07CFE51CFF10}\
(Default) = "iMesh Bar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{0494D0DE-F8E0-41AD-92A3-14154ECE70AC}\
(Default) = "My Search Bar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\
(Default) = "My Web Search Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}\
(Default) = "&Dyskusja"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "shdocvw.dll" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4
\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4
\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4
\ashWebSv.exe" /service" ["ALWIL Software"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe"
["NVIDIA Corpor

[Gość: Kolobos]

Doklej reszte co sie nie zmiescil caly.

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\systr.dll" [file
not found] <- tego pliku juz nie ma (chyba), a wiec nie powinno juz wyskakiwac
to okienko z numerami 8080 itp i juz chyba nie wyskakuje mam racje?

Na koniec wklej tez log z hijackthis.

[Gość: magda]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4
\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4
\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4
\ashWebSv.exe" /service" ["ALWIL Software"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe"
["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -
service" ["Zone Labs Inc."]
VNC Server Version 4, WinVNC4, ""C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -
service" ["RealVNC Ltd."]
masz racje nie wyskakuje juz ten blad z 8080:-)))
wklejam ostatnia czesc

zaraz wrzuce z hijacka
mgd
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4
\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4
\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4
\ashWebSv.exe" /service" ["ALWIL Software"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe"
["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -
service" ["Zone Labs Inc."]
VNC Server Version 4, WinVNC4, ""C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -
service" ["RealVNC Ltd."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

log z hijacka

[Gość: magda]

Logfile of HijackThis v1.99.1
Scan saved at 18:09:40, on 2005-04-13
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\TV\moretv353pl\MoreTV.exe
C:\TV\wilma21\Wilma.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\Różne dziwne\hijackthisnew\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05
\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program
Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program
Files\FlashGet\jc_link.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{872DE33C-3A18-4A44-A0C5-CCC9E8D3BF96}:
NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program
Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

[Gość: Kolobos]

Uruchom menadzer zadan (kliknij prawym przyciskiem na pasku start i wybierz
menadzera) odszukaj proces -> winsys32.exe i zakoncz go, nastepnie w
Start->Uruchom->cmd wpisz:

del C:\WINDOWS\System32\winsys32.exe

i w hijackthis skasuj ten wpis:
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe

Upewnij sie ze po resecie nie ma go juz w hijackthis.

Zainstaluj tez:
www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D
www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster
I w obu zaznacz ochrone przegladarki (nie wiem czy juz tego nie pisalem ;-))

Na koniec przeskanuj system tymi skanerami:
housecall.trendmicro.com/housecall/start_corp.asp
www.windowsecurity.com/trojanscan/
www.pandasoftware.com/activescan/
I to juz wszystko :-)

[Gość: magda]

nie ma w procesach tego pliku, tylko taki
nvsvc32
ale tego nie kasować?
skasowałam winsys32 w hijacku
zabieram sie za instalowanie programikow z linków - spro tego;-))

Jeszcze raz WIELKIE DZIĘKI!!!!!
magda