Please check my log

IP: *.hsd1.il.comcast.net 17.04.05, 21:41
    • Guest: Kolobos Re: please check my log IP: *.warszawa.sdi.tpnet.pl 17.04.05, 22:12
      Uninstall:
      ErrorGuard, LogitechDesktopMessenger, Spyware Begone

      Use:
      cwshredder.net/bin/CWShredder.exe <- CWS Shredder
      www.derbilk.de/SpSeHjfix110.zip
      In HijackThis, check these entries:

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
      res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
      res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      about:blank
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
      res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
      res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
      res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
      R3 - Default URLSearchHook is missing
      O2 - BHO: (no name) - {2CA0B67D-538E-0F30-8CD3-19E8BA8A6ED7} -
      C:\WINDOWS\d3ql32.dll
      O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
      Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
      O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
      O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
      O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"

      I don't know what this is:
      O4 - HKLM\..\Run: [MW1HelperStartUp] C:\PROGRA~1\MAGICW~1
      \MW1HEL~1.EXE /partner MW1
      If you know what it is, leave it; if not, check it.

      O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Mariusz\LOCALS~1\Temp\27.exe\27.exe"
      O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
      O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
      O4 - HKLM\..\Run: [BPCv2] C:\Program Files\bpc_search\BPCv2.exe
      O4 - HKLM\..\Run: [FlenCPY] "C:\Program Files\Common Files\Java\flencpy.exe"
      O4 - HKLM\..\Run: [3F8O3sR] qasanage.exe
      O4 - HKLM\..\Run: [addyy32.exe] C:\WINDOWS\addyy32.exe
      O4 - HKLM\..\RunOnce: [BPCv2_re] c:\Program Files\Common
      Files\Java\bpc2_re_inst.exe
      O4 - HKCU\..\Run: [IorERidth] pncime.exe
      O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
      O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
      O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program
      Files\Internet Explorer\luirhrcu.exe
      O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
      O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
      imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
      O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) -
      www.errorguard.com/installation/Install.cab

      And Fix Checked, then install these:
      www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D
      www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster
      In both, enable browser protection.

      Also scan with these:
      housecall.trendmicro.com/housecall/start_corp.asp
      www.windowsecurity.com/trojanscan/
      www.pandasoftware.com/activescan/pol/activescan_principal.htm
      Once you have done all that, reboot and paste a new log, the whole one this time ;-)
      • Guest: szymek Re: thank you very much IP: *.hsd1.il.comcast.net 18.04.05, 02:23
        I tried to do what you wrote, but since I'm "green" I'm not sure
        what came of it. Here is my new log, I hope it is the whole one.

        Logfile of HijackThis v1.99.1
        Scan saved at 7:08:28 PM, on 4/17/2005
        Platform: Windows XP (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\system32\d3oj32.exe
        C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
        C:\Program Files\NavNT\defwatch.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\Program Files\NavNT\rtvscan.exe
        C:\WINDOWS\system32\pctspk.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\System32\MsgSys.EXE
        C:\Program Files\NavNT\vptray.exe
        C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\WINDOWS\System32\LVCOMSX.EXE
        C:\Program Files\Logitech\Video\LogiTray.exe
        C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
        C:\WINDOWS\addyy32.exe
        C:\WINDOWS\System32\ctfmon.exe
        C:\WINDOWS\System32\wuauclt.exe
        C:\Program Files\Gadu-Gadu\gg.exe
        C:\Program Files\Skype\Phone\Skype.exe
        C:\Program Files\Eyeball\Eyeball Chat\EyeballChat.exe
        C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
        C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
        C:\Program Files\Logitech\Video\FxSvr2.exe
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\Documents and Settings\Mariusz\Desktop\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
        res://C:\WINDOWS\vlgkv.dll/sp.html#12345
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
        res://C:\WINDOWS\vlgkv.dll/sp.html#12345
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
        res://C:\WINDOWS\vlgkv.dll/sp.html#12345
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
        res://C:\WINDOWS\vlgkv.dll/sp.html#12345
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
        res://C:\WINDOWS\vlgkv.dll/sp.html#12345
        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        res://C:\WINDOWS\vlgkv.dll/sp.html#12345
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        res://C:\WINDOWS\vlgkv.dll/sp.html#12345
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
        Settings,ProxyServer = sas.r5.attbi.com:8000
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
        Settings,ProxyOverride = *r5.attbi.com;localhost
        R3 - Default URLSearchHook is missing
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
        C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
        O2 - BHO: (no name) - {8B82102E-F491-66D2-F758-5BB004FEE44C} -
        C:\WINDOWS\winft.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
        C:\WINDOWS\System32\msdxm.ocx
        O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
        O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5
        \DirectCD\DirectCD.exe
        O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
        O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
        atboottime
        O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
        O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program
        Files\Logitech\Video\ISStart.exe
        O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program
        Files\Logitech\Video\LogiTray.exe
        O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001
        \en-us\msnappau.exe"
        O4 - HKLM\..\Run: [addyy32.exe] C:\WINDOWS\addyy32.exe
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
        O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
        O4 - HKCU\..\Run: [Skype] "C:\Program
        Files\Skype\Phone\Skype.exe" /nosplash /minimized
        O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program
        Files\Logitech\Video\ManifestEngine.exe" boot
        O4 - HKCU\..\Run: [Eyeball Chat] "C:\Program Files\Eyeball\Eyeball
        Chat\EyeballChat.exe" -min
        O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0
        \Distillr\AcroTray.exe
        O4 - Global Startup: ImageFox.lnk = ?
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
        Office\Office10\OSA.EXE
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1
        \MICROS~2\Office10\EXCEL.EXE/3000
        O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
        C:\WINDOWS\web\related.htm
        O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
        00aa003c157a} - C:\WINDOWS\web\related.htm
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
        C:\WINDOWS\System32\Shdocvw.dll
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media
        Upload) - www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
        O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
        O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner -
        C:\WINDOWS\system32\d3oj32.exe
        O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. -
        C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
        O23 - Service: DefWatch - Symantec Corporation - C:\Program
        Files\NavNT\defwatch.exe
        O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec
        Corporation - C:\Program Files\NavNT\rtvscan.exe
        O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32
        \pctspk.exe

        • Guest: vilkatla Re: thank you very much IP: *.uni.lodz.pl 18.04.05, 03:28
          hm... most of the malicious O4 entries are gone, but the junk is still there.

          [quote]> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
          > about:blank
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R3 - Default URLSearchHook is missing
          [/quote]

          [quote]O4 - HKLM\..\Run: [addyy32.exe] C:\WINDOWS\addyy32.exe[/quote]
          maybe this file is responsible for the junk coming back, and it absolutely has to be killed.
          besides that:

          [quote]O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE[/quote]
          what is this??? if you didn't install it yourself, get rid of it.

          [quote]> O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
          > C:\WINDOWS\System32\Shdocvw.dll[/quote]
          same here. if you know it, it stays; if you don't, remove it.

          [quote] O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Un
          > known owner -
          > C:\WINDOWS\system32\d3oj32.exe[/quote]
          CWS trojan

          do this:
          restart the computer into safe mode (hold the F8 key while the computer boots and choose safe mode)
          hijack this -> scan -> check the entries listed above -> fix checked.
          then manually delete these files from the disk:
          C:\WINDOWS\addyy32.exe
          C:\WINDOWS\System32\LVCOMSX.EXE
          C:\WINDOWS\System32\Shdocvw.dll (optional - if you know it, leave it)
          C:\WINDOWS\system32\d3oj32.exe

          restart and a confirmation log

          regards
          • Guest: blondynka Re: thank you very much IP: *.neoplus.adsl.tpnet.pl 18.04.05, 12:16
            you can probably do what Kolobos advised me, i.e. not look for the file paths
            but just copy them and paste them straight in.
        • Guest: Kolobos Re: thank you very much IP: *.warszawa.sdi.tpnet.pl 18.04.05, 13:25
          In HijackThis click Open Misc Tools, choose Delete File on reboot there,
          and paste in the paths to these files:
          C:\WINDOWS\vlgkv.dll click OK, do not reboot, and add the next one:
          C:\WINDOWS\winft.dll and the same as before
          C:\WINDOWS\addyy32.exe
          C:\WINDOWS\system32\d3oj32.exe

          then in HijackThis check these entries:
          > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
          > about:blank
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          > res://C:\WINDOWS\vlgkv.dll/sp.html#12345
          > R3 - Default URLSearchHook is missing
          > O4 - HKLM\..\Run: [addyy32.exe] C:\WINDOWS\addyy32.exe
          > O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Un
          > known owner - C:\WINDOWS\system32\d3oj32.exe

          Click Fix Checked, reboot once more and paste a new log.
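
An added example, not part of any post in this thread: a small Python triage helper that undoes the forum's line wrapping in a pasted HijackThis log and lists the files behind the three entry patterns the helpers acted on above (R entries pointing at `res://` in a local DLL, an O2 BHO with `(no name)`, an O23 service with `Unknown owner`). The function names and rule wording are assumptions of this example, and a match is a prompt for manual review, not a verdict.

```python
import re

# A HijackThis entry starts with a section code such as "R1 - " or "O23 - ".
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - ")
# Windows path ending in a binary extension, as it appears inside an entry.
FILE_PATH = re.compile(r'[A-Za-z]:\\[^"/]*?\.(?:dll|exe|ocx)', re.IGNORECASE)
# Heuristics taken from what the thread's helpers marked (assumed wording).
RULES = [
    (r"^R[0-3] - .*res://", "IE search/start page loaded from a local file via res://"),
    (r"^O2 - BHO: \(no name\)", "Browser Helper Object without a name"),
    (r"^O23 - .*Unknown owner", "service whose binary carries no company name"),
]
# Sample abridged from the second log in the thread, forum wrapping kept.
SAMPLE = r"""
Running processes:
C:\WINDOWS\addyy32.exe
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
> res://C:\WINDOWS\vlgkv.dll/sp.html#12345
O2 - BHO: (no name) - {8B82102E-F491-66D2-F758-5BB004FEE44C} -
C:\WINDOWS\winft.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: Network Security Service (NSS) - Unknown owner -
C:\WINDOWS\system32\d3oj32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32
\pctspk.exe
"""

def rejoin_entries(pasted_log):
    """Glue wrapped continuation lines (and '>' quoted lines) back onto their entry."""
    entries = []
    for raw in pasted_log.splitlines():
        line = raw.strip().lstrip(">").strip()
        if ENTRY_START.match(line):
            entries.append(line)
        elif line and entries:
            # A wrap inside a path leaves a leading backslash: join without a space.
            entries[-1] += ("" if line.startswith("\\") else " ") + line
    return entries

def triage(entries):
    """Return (section, reason, file_path) for every entry that matches a rule."""
    findings = []
    for entry in entries:
        for pattern, reason in RULES:
            if re.search(pattern, entry, re.IGNORECASE):
                path = FILE_PATH.search(entry)
                findings.append((entry.split(" - ", 1)[0], reason, path.group(0) if path else None))
                break
    return findings
```

Wraps that fall in the middle of a word, such as a CLSID or `Un` / `known owner`, cannot be recovered reliably by this joining rule and still need a manual look.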