
Please check my log

Post by marcin_atr, 21 Oct 2005, 11:21

As in the title. I recently deleted over 90 pieces of "junk", but the start page is still changed... Thanks in advance.

Code:
Logfile of HijackThis v1.99.1
Scan saved at 10:25:27, on 2005-10-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\PZ2235~1.Z\USTAWI~1\Temp\Rar$EX00.829\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aszfvretpwxm.com/PYlos5lzwCJSO3EY_IkIj65ikfPYlhh3eVVKvYAisREmSdSqv9sx759PG4aW8kaN.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ikakwtlyekdcmrud.com/PYlos5lzwCL6qp0M2tKU4wLpcVr2u6UQPrc_pCeLUJk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {11BCFC47-E39B-C750-0B1A-6D54C14CAEB0} - C:\DOCUME~1\PZ2235~1.Z\DANEAP~1\KINDBA~1\LOG BOOK.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
O2 - BHO: (no name) - {D5912FB1-461F-42CD-FBE5-A85FC17AE065} - C:\DOCUME~1\PZ2235~1.Z\DANEAP~1\KINDBA~1\Okay site.exe (file missing)
O3 - Toolbar: (no name) - {8333C319-0669-4893-A418-F56D9249FCA6} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Ooze math about more] C:\Documents and Settings\All Users\Dane aplikacji\cake logo ooze math\Idolfile.exe
O4 - HKLM\..\Run: [Grim plus joy soap] C:\Documents and Settings\All Users\Dane aplikacji\Flaw16GrimPlus\htm keep.exe
O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
O4 - HKLM\..\Run: [ANTEMEOWDALEDUMB] C:\Documents and Settings\All Users\Dane aplikacji\Onemanagerantemeow\error active.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [The Boob] C:\DOCUME~1\PZ2235~1.Z\DANEAP~1\RULEEA~1\platformtick.exe
O4 - Startup: Rejestrowanie produktów Corela.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW. Prefix: http://ehttp.cc/?
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://64.237.47.178//chm.chm::/1/e.exe
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - http://www.advnt01.com/dialer/russia.CAB
O16 - DPF: {6814A9EF-FBF1-46B2-A46E-56B401079C26} - http://www.dialer-shop.com/cexe/b200999.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A67BA5E3-5B79-11D6-A711-00C12601EADE} - http://aniolki.of.pl/td/onet.exe
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A310932A-8B70-4B2A-80E8-EA469E2A9E85}: NameServer = 195.114.161.61,195.114.181.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA295B3B-52F5-45AE-B493-11C04D778AF5}: NameServer = 195.114.161.61,195.114.181.131
O19 - User stylesheet:  (file missing)
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



And this is the Silent Runners log:

Code:
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"The Boob" = "C:\DOCUME~1\PZ2235~1.Z\DANEAP~1\RULEEA~1\platformtick.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" ["HP"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Ooze math about more" = "C:\Documents and Settings\All Users\Dane aplikacji\cake logo ooze math\Idolfile.exe" [null data]
"Grim plus joy soap" = "C:\Documents and Settings\All Users\Dane aplikacji\Flaw16GrimPlus\htm keep.exe" [null data]
"MKS_MENU" = "C:\Program Files\MKS\Bin\mks_menu.exe" [file not found]
"ANTEMEOWDALEDUMB" = "C:\Documents and Settings\All Users\Dane aplikacji\Onemanagerantemeow\THUNKRDR.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{11BCFC47-E39B-C750-0B1A-6D54C14CAEB0}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\DOCUME~1\PZ2235~1.Z\DANEAP~1\KINDBA~1\Okay site.exe" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{7B55BB05-0B4D-44fd-81A6-B136188F5DEB}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\questmod.dll" [file not found]
{D5912FB1-461F-42CD-FBE5-A85FC17AE065}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\DOCUME~1\PZ2235~1.Z\DANEAP~1\KINDBA~1\Okay site.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\program files\microsoft office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\program files\microsoft office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\p.z.z\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "p.z.z" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\p.z.z\Menu Start\Programy\Autostart
"Rejestrowanie produktów Corela" -> shortcut to: "C:\Program Files\Corel\Graphics9\Register\Remind32.exe" [file not found]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"A8F867C791841E1F" -> launches: "c:\progra~1\ruleea~1\Surf grey frag.exe" [file not found]
"A818778E9183EE7A" -> launches: "c:\docume~1\pz2235~1.z\daneap~1\ruleea~1\Surf grey frag.exe" [null data]
"B63DD18291027B12" -> launches: "c:\docume~1\pz2235~1.z\daneap~1\ruleea~1\Surf grey frag.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Internet Explorer Address Prefixes:
-----------------------------------

Prefix for specific service (i.e., "www")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\
HIJACK WARNING! "www." = "http://ehttp.cc/?"


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

InterBase Guardian, InterBaseGuardian, "C:\Program Files\Borland\InterBase\bin\ibguard.exe" ["Inprise Corporation"]
InterBase Server, InterBaseServer, "C:\Program Files\Borland\InterBase\bin\ibserver.exe" ["Inprise Corporation"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Odbiornik RIP, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
Usługi Simple TCP/IP, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt05\Driver = "hpzlnt05.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 101 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 54 seconds.
---------- (total run time: 201 seconds)


P.S. I heard that in a certain Windows file you can hard-set the start page so that no junk can change it... unfortunately neither Google nor the forum search pointed me to how to do it. If anyone knows how, or has a link, please post it.
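The log above, read the way the replies in this thread read it, as an added example in Python (not code from the thread, from HijackThis or from any tool mentioned here): it parses the R0/R1, O2, O4, O13, O15, O16 and O17 lines and flags the hijack indicators. The sample lines are copied verbatim from the HijackThis log posted above. TRUSTED_HOSTS (the two online scanners the poster used) and EXPECTED_DNS (the two resolvers in the O17 lines) are assumptions made for the demonstration and would have to be confirmed against the ISP or company settings. The `real_host` helper shows why HijackThis marked the HKLM start page as "(obfuscated)": in `http://homepage.com%00@www.e-finder.cc/hp/` everything before the `@` is user-info, so the browser connects to www.e-finder.cc while the visible prefix suggests homepage.com.

```python
"""Triage of a HijackThis 1.99.1 log for browser-hijack indicators.

Added example for this thread: not code from the thread, from HijackThis
or from any tool mentioned in it.  TRUSTED_HOSTS and EXPECTED_DNS are
assumptions made for the demonstration.
"""
import re
from urllib.parse import urlsplit

# Constructed input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aszfvretpwxm.com/PYlos5lzwCJSO3EY_IkIj65ikfPYlhh3eVVKvYAisREmSdSqv9sx759PG4aW8kaN.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {11BCFC47-E39B-C750-0B1A-6D54C14CAEB0} - C:\DOCUME~1\PZ2235~1.Z\DANEAP~1\KINDBA~1\LOG BOOK.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Ooze math about more] C:\Documents and Settings\All Users\Dane aplikacji\cake logo ooze math\Idolfile.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O13 - WWW. Prefix: http://ehttp.cc/?
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://64.237.47.178//chm.chm::/1/e.exe
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A310932A-8B70-4B2A-80E8-EA469E2A9E85}: NameServer = 195.114.161.61,195.114.181.131
"""

# Assumed allow-lists: the two online scanners the poster actually used, and
# the resolvers the machine is supposed to use (to be confirmed with the ISP).
TRUSTED_HOSTS = {"acs.pandasoftware.com", "skaner.mks.com.pl"}
EXPECTED_DNS = {"195.114.161.61", "195.114.181.131"}

ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
USER_DATA = re.compile(r"DANEAP~1|Dane aplikacji|Application Data|DOCUME~1|Documents and Settings", re.I)
IPV4_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}")


def real_host(url):
    """Host the browser actually connects to.  In
    'http://homepage.com%00@www.e-finder.cc/hp/' everything before '@' is
    user-info, not the host; the encoded NUL cut the display short in old IE."""
    u = urlsplit(url.replace(" (obfuscated)", ""))
    return (u.hostname or "").lower()


def is_obfuscated(url):
    """User-info ('@') or an encoded NUL in a start/search URL is a red flag by itself."""
    return "@" in urlsplit(url).netloc or "%00" in url


def triage(log_text):
    """Return [(code, reason, line)] for every entry that needs attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = None
        if code in ("R0", "R1"):                      # IE start page / search URLs
            value = body.partition(" = ")[2]
            if value.startswith(("http://", "https://")):
                if is_obfuscated(value):
                    reason = "obfuscated URL, real host is " + real_host(value)
                elif real_host(value) not in TRUSTED_HOSTS:
                    reason = "start/search page points at unknown host " + real_host(value)
        elif code == "O2":                            # Browser Helper Object
            path = body.rsplit(" - ", 1)[-1]
            if path.lower().endswith(".exe") or USER_DATA.search(path):
                reason = "BHO loaded from an .exe or from a user-data directory"
        elif code == "O4":                            # Run keys / startup folders
            if USER_DATA.search(body):
                reason = "autostart entry living in a user-data directory"
        elif code == "O13":                           # URL prefix for 'www.' addresses
            if body.partition("Prefix: ")[2] != "http://":
                reason = "WWW prefix hijack: every 'www.' address goes through a proxy"
        elif code == "O15":                           # zone defaults
            reason = "protocol zone default altered"
        elif code == "O16":                           # ActiveX downloads (DPF)
            url = body.rsplit(" - ", 1)[-1]
            if (url.startswith("ms-its:") or IPV4_URL.match(url)
                    or url.lower().endswith(".exe")
                    or real_host(url) not in TRUSTED_HOSTS):
                reason = "ActiveX download from an untrusted origin: " + url
        elif code == "O17":                           # DNS servers per interface
            servers = set(body.partition("NameServer = ")[2].split(","))
            if not servers <= EXPECTED_DNS:
                reason = "DNS server(s) outside the expected set: " + ", ".join(sorted(servers - EXPECTED_DNS))
        if reason:
            findings.append((code, reason, line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

On the sample it reports seven entries (the two hijacked URLs, the BHO registered as an .exe under Application Data, the Run entry under Application Data, the O13 prefix, the O15 zone change and the ms-its ActiveX download) and leaves NeroCheck, the Spybot SDHelper BHO, the MKS scanner control and the O17 resolvers alone. The O17 rule is deliberately an allow-list: a DNS server is only "wrong" relative to what the owner expects, which is why the values must be checked with the ISP rather than guessed from the log.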



Post by Red, 21 Oct 2005, 13:08

Start by downloading this little program:
http://www.firewallleaktester.com/tools/wwdc.exe
close all the ports (switch them all to enable)
then scan the computer with this:
http://www.idg.pl/ftp/pc_3671/CWShredder%201.58.html
remove everything it finds
turn off System Restore, boot into Safe Mode and use HijackThis to remove:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aszfvretpwxm.com/PYlos5lzwCJSO3EY_IkIj65ikfPYlhh3eVVKvYAisREmSdSqv9sx759PG4aW8kaN.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ikakwtlyekdcmrud.com/PYlos5lzwCL6qp0M2tKU4wLpcVr2u6UQPrc_pCeLUJk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
O3 - Toolbar: (no name) - {8333C319-0669-4893-A418-F56D9249FCA6} - (no file)
O13 - WWW. Prefix: http://ehttp.cc/?
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://64.237.47.178//chm.chm::/1/e.exe
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - http://www.advnt01.com/dialer/russia.CAB
O16 - DPF: {6814A9EF-FBF1-46B2-A46E-56B401079C26} - http://www.dialer-shop.com/cexe/b200999.exe
O19 - User stylesheet: (file missing)


Post a log after doing that :)



Post by marcin_atr, 24 Oct 2005, 12:17

Here is the log:



Code:
Logfile of HijackThis v1.99.1
Scan saved at 12:14:38, on 2005-10-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\PZ2235~1.Z\USTAWI~1\Temp\Rar$EX07.840\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.typeulnpphjnftdm.com/PYlos5lzwCJSO3EY_IkIj65ikfPYlhh3eVVKvYAisRHb4tFiYR6_F59PG4aW8kaN.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hevmkyjggejxre.net/PYlos5lzwCL6qp0M2tKU4yI5tHK66Qq8Prc_pCeLUJk.htm
O2 - BHO: (no name) - {11BCFC47-E39B-C750-0B1A-6D54C14CAEB0} - C:\DOCUME~1\PZ2235~1.Z\DANEAP~1\KINDBA~1\LOG BOOK.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D5912FB1-461F-42CD-FBE5-A85FC17AE065} - C:\DOCUME~1\PZ2235~1.Z\DANEAP~1\KINDBA~1\Okay site.exe (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Ooze math about more] C:\Documents and Settings\All Users\Dane aplikacji\cake logo ooze math\Idolfile.exe
O4 - HKLM\..\Run: [Grim plus joy soap] C:\Documents and Settings\All Users\Dane aplikacji\Flaw16GrimPlus\htm keep.exe
O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
O4 - HKLM\..\Run: [ANTEMEOWDALEDUMB] C:\Documents and Settings\All Users\Dane aplikacji\Onemanagerantemeow\LiesGlobal.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [The Boob] C:\DOCUME~1\PZ2235~1.Z\DANEAP~1\RULEEA~1\platformtick.exe
O4 - Startup: Rejestrowanie produktów Corela.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A67BA5E3-5B79-11D6-A711-00C12601EADE} - http://aniolki.of.pl/td/onet.exe
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A310932A-8B70-4B2A-80E8-EA469E2A9E85}: NameServer = 195.114.161.61,195.114.181.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA295B3B-52F5-45AE-B493-11C04D778AF5}: NameServer = 195.114.161.61,195.114.181.131
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe




I think I still need to get rid of:


Code:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.typeulnpphjnftdm.com/PYlos5lzwCJSO3EY_IkIj65ikfPYlhh3eVVKvYAisRHb4tFiYR6_F59PG4aW8kaN.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hevmkyjggejxre.net/PYlos5lzwCL6qp0M2tKU4yI5tHK66Qq8Prc_pCeLUJk.htm
O16 - DPF: {A67BA5E3-5B79-11D6-A711-00C12601EADE} - http://aniolki.of.pl/td/onet.exe


Red, I didn't do this part:
Code:
Start by downloading this little program:
http://www.firewallleaktester.com/tools/wwdc.exe
close all the ports (switch them all to enable)

This is a company computer and I don't know whether the internal network used for issuing invoices will still work... (the invoicing program starts from DOS when the computer boots). Please explain whether this will stop the program from working.



Post by Red, 24 Oct 2005, 12:36

I see we're nearly done. The entries below are of course to be removed:
marcin_atr wrote:
Code:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.typeulnpphjnftdm.com/PYlos5lzwCJSO3EY_IkIj65ikfPYlhh3eVVKvYAisRHb4tFiYR6_F59PG4aW8kaN.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hevmkyjggejxre.net/PYlos5lzwCL6qp0M2tKU4yI5tHK66Qq8Prc_pCeLUJk.htm
O16 - DPF: {A67BA5E3-5B79-11D6-A711-00C12601EADE} - http://aniolki.of.pl/td/onet.exe

whereas:
Red, I didn't do this part:
Code:

Start by downloading this little program:
http://www.firewallleaktester.com/tools/wwdc.exe
close all the ports (switch them all to enable)

This is a company computer and I don't know whether the internal network used for issuing invoices will still work... (the invoicing program starts from DOS when the computer boots). Please explain whether this will stop the program from working.

As for wwdc, what it does is fully reversible and you can unblock the ports again :)

Remove the entries above, and if they start coming back, then install wwdc.
If they don't come back you can skip it :)
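Between the two HijackThis logs posted in this thread (21 and 24 October) the hijacked Search Bar and Start Page did not disappear: they moved to freshly generated domains, and the [ANTEMEOWDALEDUMB] Run key now launches LiesGlobal.exe instead of error active.exe (Silent Runners had already shown a third name, THUNKRDR.exe, and mapped BHO {11BCFC47-E39B-C750-0B1A-6D54C14CAEB0} to "Okay site.exe" where HijackThis showed "LOG BOOK.exe"). A plain line-by-line diff reports each of these as one line removed plus one line added; comparing the logs by launch point instead shows them as the same hijack persisting, which is exactly the "if they start coming back" check in the last reply. Added example in Python, not code from the thread or from HijackThis; the sample lines are copied from the two logs above.

```python
"""Compare two HijackThis logs by launch point rather than by exact line.

Added example for this thread: not code from the thread or from HijackThis.
The sample lines are copied from the two logs posted above (21 and 24 Oct).
"""
import re

BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aszfvretpwxm.com/PYlos5lzwCJSO3EY_IkIj65ikfPYlhh3eVVKvYAisREmSdSqv9sx759PG4aW8kaN.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ikakwtlyekdcmrud.com/PYlos5lzwCL6qp0M2tKU4wLpcVr2u6UQPrc_pCeLUJk.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
O4 - HKLM\..\Run: [ANTEMEOWDALEDUMB] C:\Documents and Settings\All Users\Dane aplikacji\Onemanagerantemeow\error active.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://64.237.47.178//chm.chm::/1/e.exe
"""

AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.typeulnpphjnftdm.com/PYlos5lzwCJSO3EY_IkIj65ikfPYlhh3eVVKvYAisRHb4tFiYR6_F59PG4aW8kaN.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hevmkyjggejxre.net/PYlos5lzwCL6qp0M2tKU4yI5tHK66Qq8Prc_pCeLUJk.htm
O4 - HKLM\..\Run: [ANTEMEOWDALEDUMB] C:\Documents and Settings\All Users\Dane aplikacji\Onemanagerantemeow\LiesGlobal.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
"""

CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def entry_key(line):
    """Identity of a HijackThis line: the launch point, never the value.
    A hijack that re-registers itself under a new random domain or file
    name must map to the same key as before."""
    code, _, body = line.partition(" - ")
    if code in ("R0", "R1", "O17"):                 # registry value name
        return code, body.split(" = ", 1)[0]
    if code == "O4":                                # hive + [run-key name]
        m = re.match(r"(.*?\[[^\]]*\])", body)
        return code, m.group(1) if m else body
    if code in ("O2", "O3", "O9", "O16"):           # COM object / ActiveX CLSID
        m = CLSID.search(body)
        return code, m.group(0).upper() if m else body
    if code in ("O13", "O15", "O19"):               # one setting per code
        return code, body.split(":", 1)[0]
    return code, body


def parse(log_text):
    """Map entry_key -> full line for every R/F/O entry in a log."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        if re.match(r"[RFO]\d+ - ", line):
            entries[entry_key(line)] = line
    return entries


def compare(before_text, after_text):
    """Classify every launch point seen in either log."""
    before, after = parse(before_text), parse(after_text)
    result = {"removed": [], "added": [], "unchanged": [], "changed": []}
    for key in sorted(before.keys() | after.keys()):
        if key not in after:
            result["removed"].append(before[key])
        elif key not in before:
            result["added"].append(after[key])
        elif before[key] == after[key]:
            result["unchanged"].append(after[key])
        else:                                       # same launch point, new payload
            result["changed"].append((before[key], after[key]))
    return result


if __name__ == "__main__":
    r = compare(BEFORE, AFTER)
    for line in r["removed"]:
        print("gone     ", line)
    for old, new in r["changed"]:
        print("PERSISTS ", old, "\n      -> ", new)
```

On these two logs the HKLM start page, the questmod BHO, the O13 prefix and the ms-its download come out as removed, NeroCheck as unchanged, and three launch points as changed: the HKCU Search Bar, the HKCU Start Page and the [ANTEMEOWDALEDUMB] Run key. Those three are the ones worth treating as an active infection still re-writing its own entries rather than as leftovers.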



