Guest: Kolobos Re: please check my log IP: *.warszawa.sdi.tpnet.pl 17.04.05, 22:12

Uninstall: ErrorGuard, LogitechDesktopMessenger, Spyware Begone

Use:
cwshredder.net/bin/CWShredder.exe <- CWS Shredder
www.derbilk.de/SpSeHjfix110.zip

In HijackThis, check these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\royyw.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2CA0B67D-538E-0F30-8CD3-19E8BA8A6ED7} - C:\WINDOWS\d3ql32.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"

I don't know what this is:
O4 - HKLM\..\Run: [MW1HelperStartUp] C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
If you know it, leave it; if not, check it.

O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Mariusz\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [BPCv2] C:\Program Files\bpc_search\BPCv2.exe
O4 - HKLM\..\Run: [FlenCPY] "C:\Program Files\Common Files\Java\flencpy.exe"
O4 - HKLM\..\Run: [3F8O3sR] qasanage.exe
O4 - HKLM\..\Run: [addyy32.exe] C:\WINDOWS\addyy32.exe
O4 - HKLM\..\RunOnce: [BPCv2_re] c:\Program Files\Common Files\Java\bpc2_re_inst.exe
O4 - HKCU\..\Run: [IorERidth] pncime.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\luirhrcu.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - www.errorguard.com/installation/Install.cab

And Fix Checked, then install these:
www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D
www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster
Enable browser protection in both.

Also scan with these:
housecall.trendmicro.com/housecall/start_corp.asp
www.windowsecurity.com/trojanscan/
www.pandasoftware.com/activescan/pol/activescan_principal.htm

Once you have done all that, reboot and paste a new log, the whole one this time ;-)
Guest: szymek Re: thank you very much IP: *.hsd1.il.comcast.net 18.04.05, 02:23

I tried to do it the way you wrote, but since I'm a "greenhorn" I'm not sure how it turned out. Here is my new log, the whole one I hope.

Logfile of HijackThis v1.99.1
Scan saved at 7:08:28 PM, on 4/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\d3oj32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\addyy32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Eyeball\Eyeball Chat\EyeballChat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mariusz\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r5.attbi.com;localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8B82102E-F491-66D2-F758-5BB004FEE44C} - C:\WINDOWS\winft.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\Overnet.exe -t
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [addyy32.exe] C:\WINDOWS\addyy32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Eyeball Chat] "C:\Program Files\Eyeball\Eyeball Chat\EyeballChat.exe" -min
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3oj32.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
Guest: vilkatla Re: thank you very much IP: *.uni.lodz.pl 18.04.05, 03:28

Hm... most of the malicious O4 is gone, but the junk is still there.

[quote]
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R3 - Default URLSearchHook is missing
[/quote]

[quote]O4 - HKLM\..\Run: [addyy32.exe] C:\WINDOWS\addyy32.exe[/quote]
Maybe this file is responsible for the junk coming back, and it absolutely has to be killed.

Besides that:
[quote]O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE[/quote]
What is this??? If you didn't install it yourself, get rid of it.

[quote]> O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll[/quote]
Likewise. If you know it, it stays; if you don't, remove it.

[quote]O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3oj32.exe[/quote]
CWS trojan.

Do this:
restart the computer into safe mode (hold the F8 key while the computer boots and choose safe mode)
HijackThis -> scan -> check the items listed above -> Fix Checked.
Then manually delete these files from the disk:
C:\WINDOWS\addyy32.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\System32\Shdocvw.dll (optional - if you know it, leave it)
C:\WINDOWS\system32\d3oj32.exe
Restart and post a confirmation log.

Regards
Guest: blondynka Re: thank you very much IP: *.neoplus.adsl.tpnet.pl 18.04.05, 12:16

I think you can do what kolobus advised me, i.e. not look for the file paths but just copy them and paste them straight in.
Guest: Kolobos Re: thank you very much IP: *.warszawa.sdi.tpnet.pl 18.04.05, 13:25

In HijackThis, click Open Misc Tools, choose Delete File on reboot there and paste in the paths to these files:
C:\WINDOWS\vlgkv.dll
click OK, do not reboot, and add the next one:
C:\WINDOWS\winft.dll
and the same as before for:
C:\WINDOWS\addyy32.exe
C:\WINDOWS\system32\d3oj32.exe

Then in HijackThis check these entries:

> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
> R3 - Default URLSearchHook is missing
> O4 - HKLM\..\Run: [addyy32.exe] C:\WINDOWS\addyy32.exe
> O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3oj32.exe

Click Fix Checked, reboot once more and paste a new log.
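
Added example, not part of the thread: a small Python triage pass over HijackThis log lines that flags the entry patterns the helpers above single out (IE search pages served from a local DLL via res://, an unnamed BHO, an autorun executable sitting directly in the Windows directory, a service with "Unknown owner"). The rules, function names and the trimmed sample log are assumptions made for this illustration; a flagged entry is a candidate for manual review, not proof of infection.

```python
import re

# Constructed sample: a few entries in the format of the log posted above.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlgkv.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8B82102E-F491-66D2-F758-5BB004FEE44C} - C:\WINDOWS\winft.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [addyy32.exe] C:\WINDOWS\addyy32.exe
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\system32\d3oj32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
PATH = re.compile(r'[A-Za-z]:\\[^"/]*?\.(?:dll|exe|ocx)', re.I)

# Hypothetical heuristics: (entry-code pattern, body pattern, reason).
RULES = [
    (re.compile(r"R[01]"), re.compile(r"= res://.+\.dll/", re.I),
     "IE search/start page served from a local DLL resource"),
    (re.compile(r"O2"), re.compile(r"BHO: \(no name\)"),
     "unnamed Browser Helper Object"),
    (re.compile(r"O4"), re.compile(r'\] "?C:\\WINDOWS\\[^\\]+\.exe', re.I),
     "autorun executable directly in the Windows directory"),
    (re.compile(r"O23"), re.compile(r" - Unknown owner - "),
     "service binary with no vendor information"),
]

def triage(log_text):
    """Return (code, reason, file_path) for every entry that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        for code_re, body_re, reason in RULES:
            # fullmatch keeps the O2 rule from also firing on O23 entries
            if code_re.fullmatch(m["code"]) and body_re.search(m["body"]):
                p = PATH.search(m["body"])
                findings.append((m["code"], reason, p.group(0) if p else None))
    return findings

def files_to_review(findings):
    """Unique file paths behind the flagged entries, in first-seen order."""
    return list(dict.fromkeys(f[2] for f in findings if f[2]))

if __name__ == "__main__":
    for code, reason, path in triage(SAMPLE_LOG):
        print(f"{code:4} {path}  <- {reason}")
```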