sprawdz loga, prosze...

[Gość: julis]

Logfile of HijackThis v1.99.1
Scan saved at 20:37:12, on 2005-10-30
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\program files\u-storage tool2.9\ustorage.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
D:\WR\WinRAR.exe
C:\DOCUME~1\Julia\USTAWI~1\Temp\Rar$EX00.608\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hot-searches.com/search.php?v=6&aff=8532979
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hot-searches.com/index.php?v=6&aff=8532979
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O1 - Hosts: 127.0.0.5 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.5 x.full-tgp.net
O1 - Hosts: 127.0.0.5 counter.sexmaniack.com
O1 - Hosts: 127.0.0.5 autoescrowpay.com
O1 - Hosts: 127.0.0.5 www.autoescrowpay.com
O1 - Hosts: 127.0.0.5 www.awmdabest.com
O1 - Hosts: 127.0.0.5 www.sexfiles.nu
O1 - Hosts: 127.0.0.5 awmdabest.com
O1 - Hosts: 127.0.0.5 sexfiles.nu
O1 - Hosts: 127.0.0.5 allforadult.com
O1 - Hosts: 127.0.0.5 www.allforadult.com
O1 - Hosts: 127.0.0.5 www.iframe.biz
O1 - Hosts: 127.0.0.5 iframe.biz
O1 - Hosts: 127.0.0.5 www.newiframe.biz
O1 - Hosts: 127.0.0.5 newiframe.biz
O1 - Hosts: 127.0.0.5 www.vesbiz.biz
O1 - Hosts: 127.0.0.5 vesbiz.biz
O1 - Hosts: 127.0.0.5 www.pi..to.biz
O1 - Hosts: 127.0.0.5 pi..to.biz
O1 - Hosts: 127.0.0.5 www.awmcash.biz
O1 - Hosts: 127.0.0.5 awmcash.biz
O1 - Hosts: 127.0.0.5 buldog-stats.com
O1 - Hosts: 127.0.0.5 www.buldog-stats.com
O1 - Hosts: 127.0.0.5 fregat.drocherway.com
O1 - Hosts: 127.0.0.5 slutmania.biz
O1 - Hosts: 127.0.0.5 www.slutmania.biz
O1 - Hosts: 127.0.0.5 toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.megapornix.com
O1 - Hosts: 127.0.0.5 megapornix.com
O1 - Hosts: 127.0.0.5 www.sp2fucked.biz
O1 - Hosts: 127.0.0.5 sp2fucked.biz
O1 - Hosts: 127.0.0.5 greg-tut.com
O1 - Hosts: 127.0.0.5 www.greg-tut.com
O1 - Hosts: 127.0.0.5 nylonsexy.com
O1 - Hosts: 127.0.0.5 www.nylonsexy.com
O1 - Hosts: 127.0.0.5 vparivalka.com
O1 - Hosts: 127.0.0.5 www.vparivalka.com
O1 - Hosts: 127.0.0.5 iframeprofit.com
O1 - Hosts: 127.0.0.5 www.iframeprofit.com
O1 - Hosts: 127.0.0.5 topsearch10.com
O1 - Hosts: 127.0.0.5 www.topsearch10.com
O1 - Hosts: 127.0.0.5 statscash.biz
O1 - Hosts: 127.0.0.5 www.statscash.biz
O1 - Hosts: 127.0.0.5 vxiframe.biz
O1 - Hosts: 127.0.0.5 www.vxiframe.biz
O1 - Hosts: 127.0.0.5 crazy-toolbar.com
O1 - Hosts: 127.0.0.5 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.5 topcash.biz
O1 - Hosts: 127.0.0.5 www.topcash.biz
O1 - Hosts: 127.0.0.5 loadcash.biz
O1 - Hosts: 127.0.0.5 www.loadcash.biz
O1 - Hosts: 127.0.0.5 txiframe.biz
O1 - Hosts: 127.0.0.5 www.txiframe.biz
O1 - Hosts: 127.0.0.5 procounter.biz
O1 - Hosts: 127.0.0.5 www.procounter.biz
O1 - Hosts: 127.0.0.5 advadmin.biz
O1 - Hosts: 127.0.0.5 www.advadmin.biz
O1 - Hosts: 127.0.0.5 trafficbest.net
O1 - Hosts: 127.0.0.5 www.trafficbest.net
O1 - Hosts: 127.0.0.5 besthvac.com
O1 - Hosts: 127.0.0.5 www.besthvac.com
O1 - Hosts: 127.0.0.5 traff4.com
O1 - Hosts: 127.0.0.5 www.traff4.com
O1 - Hosts: 127.0.0.5 ambush-script.com
O1 - Hosts: 127.0.0.5 www.ambush-script.com
O1 - Hosts: 127.0.0.5 beehappyy.biz
O1 - Hosts: 127.0.0.5 www.beehappyy.biz
O1 - Hosts: 127.0.0.5 tracktraff.cc
O1 - Hosts: 127.0.0.5 www.tracktraff.cc
O1 - Hosts: 127.0.0.5 allcount.net
O1 - Hosts: 127.0.0.5 www.allcount.net
O1 - Hosts: 127.0.0.5 onedayoffer.biz
O1 - Hosts: 127.0.0.5 www.onedayoffer.biz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_90.dll
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\System32\appwiz.dll
O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [crlregistrationf] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\registration.exe /title="crlregistration" /date=062305
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tool2.9\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tool2.9
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AQQ] E:\AQQ\AQQ.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=google.pl
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - www5.incredimail.com/contents/setup/downloader/imloader.cab
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\fheekdca.dll
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4

[Gość: Kolobos]

Nie chce mi sie pisac tego samego wiec zrob to co napisalem tutaj:
forum.gazeta.pl/forum/72,2.html?f=430&w=31231834&a=31232825
Do tego uzyj:
www.searchengines.pl/phpbb203/index.php?act=Attach&type=post&id=459


Zakoncz procesy:

C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe

W hijackthis usun:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hot-
searches.com/search.php?v=6&aff=8532979
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hot-
searches.com/index.php?v=6&aff=8532979
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
c:\secure32.html
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} -
C:\Program Files\SurfSideKick 2\SskBho.dll
Wszystkie O1 ale jak uzyjesz killtrusted to juz ich nie bedzie.
O1 - Hosts: 127.0.0.5 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.5 x.full-tgp.net
O1 - Hosts: 127.0.0.5 couter.sexmaniack.com
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program
Files\NewDotNet\newdotnet6_90.dll <- usun katalog NewDotNet
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} -
C:\WINDOWS\System32\appwiz.dll <- usun plik
O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - (no file)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe <-
usun katalog Surf...
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Hijacked Internet access by New.Net <- sciagnij lspfix.exe z google i
usun nim newdotnet ale nic wiecej nie ruszaj w tym programie!
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} -
C:\WINDOWS\System32\xplugin.dll <- usun plik
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356- 4f5b-B534-E67294FE75E9} -
C:\WINDOWS\System32\fheekdca.dll <- usun plik
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4 <- ten tez.

Po wszystkim wklej nowy log.

[Gość: julis]

dziekuje!!!! oto nowy log:

Logfile of HijackThis v1.99.1
Scan saved at 21:35:55, on 2005-10-30
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\program files\u-storage tool2.9\ustorage.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
D:\WR\WinRAR.exe
C:\DOCUME~1\Julia\USTAWI~1\Temp\Rar$EX01.184\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [crlregistrationf] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\registration.exe /title="crlregistration" /date=062305
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tool2.9\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tool2.9
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [AQQ] E:\AQQ\AQQ.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O14 - IERESET.INF: START_PAGE_URL=google.pl
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - www5.incredimail.com/contents/setup/downloader/imloader.cab
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\mlqendom.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[Gość: Kolobos]

Usun:

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} -
C:\Program Files\SurfSideKick 2\SskBho.dll
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe <- i ten plik
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
\NEWDOT~2.DLL,ClientStartup -s <- i ten katalog tez usun.
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe <-
usun katalog, juz o tym pisalem.
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} -
C:\WINDOWS\System32\mlqendom.dll <- usun plik

Po usunieciu wklej nowy log.