advertisement

[Gość: kasik]

Od jakiegos czasu wyskakują mi jakieś reklamki w ramce. U góry jest logo
windowsa i potem napis advertisement ,a w ramce jakieś reklamy.Nie widzi tego
ani Norton ani skyboot ani ad-aware.Czy może ktoś pomóc kompletnemu laikowi
co z tym intruzem zrobić?

[Gość: T-800]

Posłaniec?
poradnik.pclab.pl/news7069.html

[Gość: kasik]

Bardzo dziękuje mam nadzieje,że to pomoże.Big Kiss !!!

[Gość: kasik]

Niestety to ciągle wraca.........

[Gość: Kolobos]

Wklej log z hijackthis.

Uzyj tez tego:
www.firewallleaktester.com/tools/wwdc.exe

[Gość: kasia]

Spróbowałam tego zamykacza a potem zrobiłam loga,uff dla mnie to czarna magia :-
(
,ale licze na pomoc.
Logfile of HijackThis v1.99.1
Scan saved at 20:46:48, on 2005-09-13
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\keyhook.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Nokia\NCLTools\NCLConf.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\Mpapi3s.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe
C:\PROGRA~1\NEOSTR~1\ComComp.exe
C:\PROGRA~1\NEOSTR~1\Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PowerArchiver\POWERARC.EXE
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1
\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1
\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
atboottime
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [OSS] c:\winnt\system32\rk.exe -boot
O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06
\bin\jusched.exe
O4 - HKLM\..\Run: [Nokia Connection Monitor] "C:\Program Files\Common
Files\Nokia\NCLTools\NCLConf.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DialerKiller] C:\Program Files\Dialer Killer\DialKill.exe -h
O4 - HKCU\..\Run: [Skype] "C:\Program
Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Uruchamianie pakietu Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office\Office\FINDFAST.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) -
www.bph.pl/pi/components/SignActivX.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2587D33-DA36-415B-9B36-2ACEC01083BA}:
NameServer = 194.204.152.34 217.98.63.164
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) -
VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) -
Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton
AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

[Gość: Kolobos]

Odinstaluj aplikacje od neostrady:
forum.gazeta.pl/forum/72,2.html?f=34&w=15679891&a=15680440
Usun w hijackthis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [OSS] c:\winnt\system32\rk.exe -boot <- usun plik rk.exe z
dysku.

Usun z autostartu (Start->Programy->Autostart)
Uruchamianie pakietu Office
Microsoft Find Fast

[Gość: kasia]

Ok dzieki wielkie za błyskawiczną pomoc.Zaraz sie za to zabiore.

[Gość: kasik]

Ten rk.exe nie chce dać sie usunąć wyświetla plik źródłowy może być używany.

[neder]

rób to wszystko w awaryjnym.

[Gość: kasik]

Uff spoko,dzięki za doping zrobiłam wszystko jak trzeba,teraz tylko zostało mi
odistalowanie neostrady.

[Gość: kasik]

Dziwne.Niby wszystko gra kiedy jestem w adminie nic nie wyskakuje,ale po
zalogowaniu jako inny uzytkownik /z ograniczonym dostępem / te cholerne okienka
wyskakują znowu.Tyle,że teraz są puste-zniknęła zawartość.

[Gość: Kolobos]

Zaloguj sie jako uzytkownik i zrob log tym:
www.silentrunners.org/Silent%20Runners.vbs

[Gość: kasia]

Niestety ,ale Norton przy próbie uruchomienia tego pliku bardzo sie buntuje i
nakazuje przerwanie jego uruchamiania.Ryzyko wysokie.Ponadto wyskoczyła mi dzis
ramka z jakimś g zamiast reklamy ostrzegajaca przed wirusami ,ze komputer
zaainfekowany itp itd nacisnij YES.Zamknęłam to badziewie nic nie klikając,laik
jestem to fakt ale nie blondynka.

[Gość: kasia]

Te ramki najczęściej podsyła mi ad.yieldmanager.com /ten warning to właśnie od
nich/albo budsinc i jeszcze ilove.pl

[Gość: kasia]

Ok wygląda na to ,że to były jakis dialery ,które ustanowiły trzy nowe
połączenia /to by się zgadzało bo to g z 3 adresów przychodziło/.Połączenia
skasowałam i jak do tej pory jest spokój.Mam nadzieje na dłuuugo.Dzieki za
pomoc i cierpliwość.

[Gość: kasia]

moja radość nie trwała długo po 23.00 wszystko wróciło.Chyba wyladuje w
wariatkowie.

[Gość: Kolobos]

A ja dalej chce log z silent i nic mnie nie obchodzi, ze norton Ci zabrania.

[Gość: kasia]

Sorki za niesubordynacje oto log z silenta

"Silent Runners.vbs", revision 40.1, www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"
["Skype Technologies S.A."]
"Fkilfggh" = (value not set)
"Doas" = "C:\Program Files\icrb\oere.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SiS Tray" = "C:\WINNT\System32\sistray.EXE" ["Silicon Integrated Systems
Corporation"]
"SiS Windows KeyHook" = "C:\WINNT\System32\keyhook.exe" ["Silicon Integrated
Systems Corporation"]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime"
["Apple Computer, Inc."]
"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]
"MKS_MENU" = "C:\Program Files\MKS\Bin\mks_menu.exe" [file not found]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
[null data]
"Nokia Connection Monitor" = ""C:\Program Files\Common
Files\Nokia\NCLTools\NCLConf.exe"" ["Nokia Mobile Phones Ltd."]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"DialerKiller" = "C:\Program Files\Dialer Killer\DialKill.exe -h" [empty string]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe""
["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from
CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0
CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper"
[from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program
files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll"
["Hilgraeve, Inc."]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon
Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft
Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft
Office\Office\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon
Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft
Office\Office\olkfstub.dll" [MS]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "C:\Program
Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "C:\Program
Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne
Player\rpshell.dll" ["RealNetworks, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec
Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINNT\system32\NavLogon.dll"
["Symantec Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec
Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program
Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec
Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program
Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Tapeta programu Internet
Explorer.bmp"


Startup items in "Ewa" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe /W" [empty string]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program
Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5
\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9
\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program
files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program
files\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\msjava.dll" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-l

[Gość: Kolobos]

Uruchom regedit.exe przejdz do:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
i usun tam:
"Fkilfggh" = (value not set)
"Doas" = "C:\Program Files\icrb\oere.exe" [null data]

Nic wiecej nie widze.