http://195.95.218.172/index.php namolnie jako str. startowa

[Bananowa]

Witam

Mam pewien nieprzyjemny problem, mianowicie, straszliwie namolnie ustawia mi się jako strona startowa http://195.95.218.172/index.php. Bardzo to denerwujące, bo nic nie mogę z tym zrobić. Na początku przeskanowałam system HiJack This i usunęłam RO i R1, z szkodliwą witryną.

Nie pomogło. Za każdym razem wszystko się odnawiało.

Więc weszłam w edytor rejestru i usunęłam niechciane wspisy. No i kurde nic! Kasuję je powiedzmy w hey_local_machine, wchodzę gdzie indziej, a potem znowu w machine i patrzę: odnawiają się!

To znaczy, że jest jakiś wpis, który je odnawia, tak?

Nie mam żadnego wirusa, przynajmniej nie zauważyłam przy skanowaniu systemu, ani nigdzie indziej.

Co robić?:( Proszę o pomoc i dzięki z góry.

[Shady]

A skanowałeś jakimś anty-spamem ? Np. Ad-Aware lub SpyBot Search and Destroy ?

[jeff]

Na początku przeskanowałam system HiJack This i usunęłam RO i R1, z szkodliwą witryną.

Nie pomogło. Za każdym razem wszystko się odnawiało.

bo na 99% coś jeszcze w logu siedzi. Wiec jak możesz to wrzuć nam go tutaj

[@Marcin]

W tym temacie masz opisane co i jak zrobić:
http://www.searchengines.pl/phpbb203/index.php?showtopic=14185&st=0

[stary*]

A skanowałeś jakimś anty-spamem ? Np. Ad-Aware lub SpyBot Search and Destroy ?

antyspywarem:D.....poza tym jak już mowil 600v wrzuć log HijackThisa....a jak nie to w awaryjnym bez przywracania systemu fixnij te wpisy...
pOzDRO

[MUTOPOMPKA]

http://tiny.pl/qkjq

Tu jest opisany identyczny przypadek... Więc proszę o zastosowanie się do porad wymienionych tam...

[Bananowa]

O proszę

Logfile of HijackThis v1.99.1
Scan saved at 19:09:42, on 2005-09-29
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\eDonkey2000\eDonkey2000.exe
C:\Program Files\USB Disk Tool\USNDISKT.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\System32\mdms.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Roman\USTAWI~1\Temp\Rar$EX00.516\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: C:\WINDOWS\lbbho.dll - {1B6B652D-4B1F-42A3-942E-19EDBA420510} - C:\WINDOWS\lbbho.dll
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll (file missing)
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [USB Disk Tool] C:\Program Files\USB Disk Tool\USNDISKT.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRA~1\GADU-G~1\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c403.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.flexview.de/InstallationsAssistent.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD576261-564F-4287-83DC-5068F567101A}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: style2 - C:\WINDOWS\q5582421.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Internet Logging (WksPatch) - Unknown owner - C:\WINDOWS\System32\drivers\svchost.exe (file missing)

PS. A przeskanowałam ad-awarem i też nic.

[Shady]

antyspywarem

Skorka, wyleciało mi to z głowy

[Red]

zacznijmy od sciagniecia tego programu:
http://www.firewallleaktester.com/tools/wwdc.exe
pozamykaj wszystkie porty>>>enable wszystko
nastepnie przechodzimy do loga
O23 - Service: Internet Logging (WksPatch) - Unknown owner - C:\WINDOWS\System32\drivers\svchost.exe (file missing)
musisz wylaczyc >> Internet Logging (WksPatch)

zrobisz to tak:
Start >>> Uruchom >>>wpisz komende>> services.msc >>> zatrzymaj i wyłącz>>> Internet Logging(prawoklik na wpis--wlasciwosci--typ uruchamiania--wylaczony, potem:
Otwierasz HijackThis--- Misc Tools--- Delete NT Service--- wklepujesz >>(WksPatch)>>> zatwierdzasz. Nastepnie w hijacku usuwasz wpis 023

przechodzimy do dalszego usuwania:
z loga za pomocą fix usuwasz:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: C:\WINDOWS\lbbho.dll - {1B6B652D-4B1F-42A3-942E-19EDBA420510} - C:\WINDOWS\lbbho.dll
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll (file missing)
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c403.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.flexview.de/InstallationsAssistent.ocx
O20 - Winlogon Notify: style2 - C:\WINDOWS\q5582421.dll

wszystko co jest pogrubione musisz usunac recznie z systemu
dodatkowo przeskanuj kompa programem:
http://www.idg.pl/ftp/pc_3671/CWShredder%201.58.html
oraz prosze o log z programu:
http://www.silentrunners.org

ps
pamietaj o wylaczeniu przywracania systemu podczas usuwania

[Bananowa]

Oto log z Silent Runnersa:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\PROGRA~1\GADU-G~1\gg.exe" /tray" ["sms-express.com"]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"Shell" = ""C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [null data]
"eDonkey2000" = "C:\Program Files\eDonkey2000\eDonkey2000.exe -t" [empty string]
"ashMaiSv" = "C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe" [file not found]
"USB Disk Tool" = "C:\Program Files\USB Disk Tool\USNDISKT.EXE" [" "]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"NWEReboot" = (empty string)
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
"SysMemory manager" = "c:\windows\system32\mdms.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{1B6B652D-4B1F-42A3-942E-19EDBA420510}\(Default) = "C:\WINDOWS\lbbho.dll"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\lbbho.dll" [null data]
{78364D99-A640-4ddf-B91A-67EFF8373045}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\appwiz.dll" [file not found]
{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = "IeCatch2 Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "st"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{B212D577-05B7-4963-911E-4A8588160DFA}" = "Memory monitor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q11609218.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! style2\DLLName = "C:\WINDOWS\q11609218.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
sysacpildap\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Roman\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]


Startup items in "Roman" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Roman\Menu Start\Programy\Autostart
"iMesh" -> shortcut to: "C:\Program Files\iMesh\Client\iMeshClient.exe -s" [file not found]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Panda anti-virus service, PAVSRV, "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe" ["Panda Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 79 seconds, including 18 seconds for message boxes)

A pliki z loga Hijack This mam kasować w trybie awaryjnym, czy w normalnym?

W CWShredder wykryło mi i zrobiło removed CWS.Msconfig.

[jeff]

A pliki z loga Hijack This mam kasować w trybie awaryjnym, czy w normalnym?

pliki zanzaczone przez Reda na czarno kasujesz ręcznie a pozostałe wpisy w Hijacku - wszystko robisz w awaryjnym. Jeżeli chodzi o loga z Silenta to zaczekaj na Reda

[Bananowa]

Dzięki :] Poczekam cierpliwie :]

[Red]

eżeli chodzi o loga z Silenta to zaczekaj na Reda

i prosze cie o wygenerowanie loga z Silent po usunieciu tego co podalem wczesniej >log z hijacka

W CWShredder wykryło mi i zrobiło removed CWS.Msconfig.

bardzo dobrze

A pliki z loga Hijack This mam kasować w trybie awaryjnym, czy w normalnym?

awaryjnym i tak jak powiedział 600v pogrubione lecą recznie z systemu
po zabawie z hijackiem dajesz log z silent runners

[Bananowa]

No dobra, pousuwałam wszystko, a mdms też w awaryjnym. Tu mam log z Silent Runnersa:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\PROGRA~1\GADU-G~1\gg.exe" /tray" ["sms-express.com"]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"Shell" = ""C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [null data]
"eDonkey2000" = "C:\Program Files\eDonkey2000\eDonkey2000.exe -t" [empty string]
"ashMaiSv" = "C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe" [file not found]
"USB Disk Tool" = "C:\Program Files\USB Disk Tool\USNDISKT.EXE" [" "]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"NWEReboot" = (empty string)
"CMESys" = ""C:\Program Files\Common Files\CMEII\CMESys.exe"" ["GAIN Publishing"]
"MW1HelperStartUp" = "C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1" ["GAIN Publishing, Inc."]
"SysMemory manager" = "c:\windows\system32\mdms.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{1B6B652D-4B1F-42A3-942E-19EDBA420510}\(Default) = "C:\WINDOWS\lbbho.dll"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\lbbho.dll" [null data]
{78364D99-A640-4ddf-B91A-67EFF8373045}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\appwiz.dll" [file not found]
{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = "IeCatch2 Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "st"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{B212D577-05B7-4963-911E-4A8588160DFA}" = "Memory monitor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q17643734.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! style2\DLLName = "C:\WINDOWS\q17643734.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
sysacpildap\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Roman\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]


Startup items in "Roman" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Roman\Menu Start\Programy\Autostart
"iMesh" -> shortcut to: "C:\Program Files\iMesh\Client\iMeshClient.exe -s" [file not found]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"GStartup" -> shortcut to: "C:\Program Files\Common Files\GMT\GMT.exe /startup" [file not found]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Panda anti-virus service, PAVSRV, "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe" ["Panda Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 82 seconds, including 6 seconds for message boxes)

A ta strona główna usunęła się już jak zamknęłam porty i wyłączyłam Internet Logging, czy jak mu tam

Dzięki. Gdybym miała coś nie tak w logu powiedzcie Jeszcze raz wielkie dzięki