
Please check my log

IP: *.net132.okay.pl 03.09.05, 19:49
Logfile of HijackThis v1.99.1
Scan saved at 19:48:21, on 2005-09-03
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Gadu-Gadu\PowerGG.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.wp.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = proxy.zetosa.pl/proxy.pac
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109163090920
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {81E688E8-36A4-4FEF-B70B-8B0A1C5C1308} (WebLauncherX Control) - www.cadprojekt.com.pl/netdesign/launcher.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - 217.117.128.162/activex/AxisCamControl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - www5.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B144D6EC-3EF9-42F9-9BB6-630D33865D7F}: NameServer = 212.160.238.2,80.85.224.50
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
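A HijackThis log like the one above is normally read by eye: the helper looks for browser settings that point at bare IP addresses, ActiveX (O16/DPF) controls pulled from bare IPs, and per-interface DNS servers (O17) that should belong to the ISP. As an added example, not part of the posted log and not a HijackThis feature, the Python below parses the R0/R1, O16 and O17 entry formats and applies exactly those three checks. The sample lines are copied from the log above (wrapped lines rejoined); the heuristics are this example's own, and a hit means "verify this", not "this is infected".

```python
"""Triage helper for HijackThis 1.99-style logs (added example, not part of the thread).

Entry formats handled:
  R0/R1 - <registry key>,<value name> = <target>
  O16   - DPF: {CLSID} (Name) - <download source>
  O17   - <Tcpip interface key>: NameServer = <ip>[,<ip>...]
HijackThis prints URLs without the "http://" scheme, so host_of() adds one before parsing.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Sample input: lines copied from the HijackThis log posted above, with extraction wraps rejoined.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.wp.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = proxy.zetosa.pl/proxy.pac
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - 217.117.128.162/activex/AxisCamControl.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B144D6EC-3EF9-42F9-9BB6-630D33865D7F}: NameServer = 212.160.238.2,80.85.224.50
"""

# Every HijackThis entry starts with a section code (R0, O4, O16, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return [(kind, body), ...] for each entry line; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def host_of(target):
    """Host part of a URL-ish target; HijackThis omits the scheme, so supply one."""
    if "://" not in target:
        target = "http://" + target
    return urlsplit(target).hostname or ""


def is_ip_literal(host):
    """True when the host is a literal IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(text):
    """Return [(kind, reason, detail), ...] in log order. Heuristics are this example's own."""
    findings = []
    for kind, body in parse_entries(text):
        if kind in ("R0", "R1"):
            # Start page / search page / proxy auto-config URL: a bare IP is unusual for a user choice.
            _key, _, value = body.partition(" = ")
            value = value.strip()
            if is_ip_literal(host_of(value)):
                findings.append((kind, "browser setting points at a bare IP literal", value))
        elif kind == "O16":
            # Downloaded ActiveX control: the source is the text after the last " - ".
            source = body.rsplit(" - ", 1)[-1].strip()
            if is_ip_literal(host_of(source)):
                findings.append((kind, "ActiveX control downloaded from a bare IP literal", source))
        elif kind == "O17":
            # Per-interface DNS servers: each public address should be confirmed as the ISP's.
            _, _, servers = body.partition("NameServer = ")
            for server in servers.split(","):
                server = server.strip()
                if is_ip_literal(server) and not ipaddress.ip_address(server).is_private:
                    findings.append((kind, "DNS server set on the interface; confirm it is the ISP's", server))
    return findings


if __name__ == "__main__":
    for kind, reason, detail in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}: {detail}")
```

Run it as-is and it reports the HKLM start page (195.95.218.172/index.php), the CamImage control from 217.117.128.162, and both O17 name servers; www.wp.pl, the proxy.pac host and the onet.pl scanner are left alone because they are DNS names. The O4 entries pass through untouched: whether an O4 target exists on disk is something only a tool run on the machine (Silent Runners' "[file not found]" tag in the later posts) can tell.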

                • Guest: ewka Re: Please check my log IP: *.net132.okay.pl 04.09.05, 14:06
                  "Silent Runners.vbs", revision 40.1, www.silentrunners.org/
                  Operating System: Windows XP
                  Output limited to non-default values, except where indicated by "{++}"


                  Startup items buried in registry:
                  ---------------------------------

                  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                  "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
                  "IncrediMail" = "C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c" ["IncrediMail, Ltd."]

                  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                  "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime"
                  ["Apple Computer, Inc."]
                  "HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe""
                  ["Hewlett-Packard Company"]
                  "HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3
                  \hpztsb10.exe" ["HP"]
                  "HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software
                  Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]
                  "Disc Detector" = "C:\Program Files\Creative\ShareDLL\CtNotify.exe" ["Creative
                  Technology Ltd."]
                  "UpdReg" = "C:\WINDOWS\Updreg.exe" [file not found]
                  "AHQInit" = "C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [file not
                  found]
                  "AudioHQ" = "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" ["Creative
                  Technology Ltd."]
                  "CTAvTray" = "C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE" ["Creative
                  Technology Ltd."]
                  "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
                  ["Sun Microsystems, Inc."]
                  "gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
                  "WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
                  "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

                  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
                  "CTAVTray" = "C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI"
                  [file not found]

                  HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
                  "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
                  wyświetlania"
                  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
                • Guest: ewka Re: Please check my log IP: *.net132.okay.pl 04.09.05, 14:07
                  Here you go, I think this is the log you mean.

                  "Silent Runners.vbs", revision 40.1, www.silentrunners.org/
                  Operating System: Windows XP
                  Output limited to non-default values, except where indicated by "{++}"


                  Startup items buried in registry:
                  ---------------------------------

                  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                  "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
                  "IncrediMail" = "C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c" ["IncrediMail, Ltd."]

                  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                  "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime"
                  ["Apple Computer, Inc."]
                  "HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe""
                  ["Hewlett-Packard Company"]
                  "HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3
                  \hpztsb10.exe" ["HP"]
                  "HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software
                  Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]
                  "Disc Detector" = "C:\Program Files\Creative\ShareDLL\CtNotify.exe" ["Creative
                  Technology Ltd."]
                  "UpdReg" = "C:\WINDOWS\Updreg.exe" [file not found]
                  "AHQInit" = "C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [file not
                  found]
                  "AudioHQ" = "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" ["Creative
                  Technology Ltd."]
                  "CTAvTray" = "C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE" ["Creative
                  Technology Ltd."]
                  "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
                  ["Sun Microsystems, Inc."]
                  "gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
                  "WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
                  "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

                  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
                  "CTAVTray" = "C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI"
                  [file not found]

                  HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
                  "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
                  wyświetlania"
                  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
                  "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
                  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll"
                  ["Hilgraeve, Inc."]
                  "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                  ["WinZip Computing, Inc."]
                  "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                  ["WinZip Computing, Inc."]
                  "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                  ["WinZip Computing, Inc."]
                  "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                  ["WinZip Computing, Inc."]
                  "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
                  [null data]
                  "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon
                  Handler"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft
                  Office\Office10\OLKFSTUB.DLL" [MS]
                  "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft
                  Office\Office10\msohev.dll" [MS]
                  "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
                  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
                  "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
                  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
                  "{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                  data]
                  "{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                  data]
                  "{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                  data]
                  "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4
                  \ashShell.dll" ["ALWIL Software"]

                  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
                  INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft
                  AntiSpyware Service Hook"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft
                  AntiSpyware\shellextension.dll" [MS]
                  INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell
                  guard"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security
                  suite\shellhook.dll" ["TODO: <Firmenname>"]

                  HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
                  avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4
                  \ashShell.dll" ["ALWIL Software"]
                  ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security
                  suite\context.dll" ["ewido networks"]
                  IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\INCRED~1\bin\ImShExt.dll"
                  ["IncrediMail, Ltd."]
                  WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
                  [null data]
                  WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                  data]

                  HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
                  ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security
                  suite\context.dll" ["ewido networks"]
                  WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
                  [null data]
                  WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                  data]

                  HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
                  avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4
                  \ashShell.dll" ["ALWIL Software"]
                  WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
                  [null data]
                  WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                  data]


                  Group Policies [Description]:
                  -----------------------------

                  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
                  HIJACK WARNING! "NoActiveDesktopChanges"=dword:00000001
                  [prevents changes to Active Desktop; removes Web tab from Display Properties|
                  Desktop (tab)|Customize Desktop... (button)|Desktop Items (window)]


                  Active Desktop and Wallpaper:
                  -----------------------------

                  Active Desktop is disabled at this entry:
                  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

                  HKCU\Control Panel\Desktop\
                  "Wallpaper" = "C:\Documents and Settings\Właściciel\Ustawienia lokalne\Dane
                  aplikacji\Microsoft\Wallpaper1.bmp"


                  Winsock2 Service Provider DLLs:
                  -------------------------------

                  Namespace Service Providers

                  HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5
                  \Catalog_Entries\ {++}
                  000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
                  000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll"
                  • Guest: tata1959 Re: Please check my log IP: *.neoplus.adsl.tpnet.pl 04.09.05, 15:45
                    Hi,
                    yes... that is not the whole log. Wait until the program finishes running (a window
                    will pop up telling you), uninstall ewido (it is no longer needed) and update Windows.
                    The only thing visible in the log is a restriction:
                    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
                    > HIJACK WARNING! "NoActiveDesktopChanges"=dword:00000001
                    > [prevents changes to Active Desktop; removes Web tab from Display Properties|
                    > Desktop (tab)|
                    You have Active Desktop disabled, unless you disabled it yourself.
                    From this piece of the log it does not look as if the executables were hit. Do what I
                    wrote and produce a full log; if it does not fit, paste it in two parts, and also run
                    HijackThis again. And did you fiddle with Office at all? When did it stop starting?
                    Regards
                    • Guest: ewka Re: Please check my log IP: *.net132.okay.pl 04.09.05, 16:27
                      I can't uninstall ewido: it is not in Add/Remove Programs, I have no uninstall
                      icon, and the program itself does not work either.
                      Windows update... do you mean the Service Pack? I probably can't install it, for
                      obvious reasons :|
                      I did not touch Active Desktop. Office stopped working when that virus was
                      detected; when I try to start Word it says: Windows Installer, "The feature you are
                      trying to use is on a network resource that is unavailable. Click OK to try again,
                      or enter an alternate path to a folder containing the installation package
                      PROPLUS.MSI in the box below."

                      LOG:

                      "Silent Runners.vbs", revision 40.1, www.silentrunners.org/
                      Operating System: Windows XP
                      Output limited to non-default values, except where indicated by "{++}"


                      Startup items buried in registry:
                      ---------------------------------

                      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                      "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
                      "IncrediMail" = "C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c" ["IncrediMail, Ltd."]

                      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                      "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime"
                      ["Apple Computer, Inc."]
                      "HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe""
                      ["Hewlett-Packard Company"]
                      "HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3
                      \hpztsb10.exe" ["HP"]
                      "HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software
                      Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]
                      "Disc Detector" = "C:\Program Files\Creative\ShareDLL\CtNotify.exe" ["Creative
                      Technology Ltd."]
                      "UpdReg" = "C:\WINDOWS\Updreg.exe" [file not found]
                      "AHQInit" = "C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [file not
                      found]
                      "AudioHQ" = "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" ["Creative
                      Technology Ltd."]
                      "CTAvTray" = "C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE" ["Creative
                      Technology Ltd."]
                      "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
                      ["Sun Microsystems, Inc."]
                      "gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
                      "WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
                      "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

                      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
                      "CTAVTray" = "C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI"
                      [file not found]

                      HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
                      "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
                      wyświetlania"
                      -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
                      "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
                      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll"
                      ["Hilgraeve, Inc."]
                      "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
                      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                      ["WinZip Computing, Inc."]
                      "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
                      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                      ["WinZip Computing, Inc."]
                      "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
                      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                      ["WinZip Computing, Inc."]
                      "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
                      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                      ["WinZip Computing, Inc."]
                      "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
                      [null data]
                      "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon
                      Handler"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft
                      Office\Office10\OLKFSTUB.DLL" [MS]
                      "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft
                      Office\Office10\msohev.dll" [MS]
                      "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
                      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
                      "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
                      -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
                      "{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
                      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                      data]
                      "{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
                      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                      data]
                      "{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
                      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                      data]
                      "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4
                      \ashShell.dll" ["ALWIL Software"]
                      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
                      INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft
                      AntiSpyware Service Hook"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft
                      AntiSpyware\shellextension.dll" [MS]
                      INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell
                      guard"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security
                      suite\shellhook.dll" ["TODO: <Firmenname>"]

                      HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
                      avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4
                      \ashShell.dll" ["ALWIL Software"]
                      ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security
                      suite\context.dll" ["ewido networks"]
                      IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
                      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\INCRED~1\bin\ImShExt.dll"
                      ["IncrediMail, Ltd."]
                      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
                      [null data]
                      WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
                      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                      data]
                      HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
                      ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security
                      suite\context.dll" ["ewido networks"]
                      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
                      [null data]
                      WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
                      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                      data]

                      HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
                      avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4
                      \ashShell.dll" ["ALWIL Software"]
                      WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
                      [null data]
                      WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
                      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null
                      data]
                      Group Policies [Description]:
                      -----------------------------

                      HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
                      HIJACK WARNING! "NoActiveDesktopChanges"=dword:00000001
                      [prevents changes to Active Desktop; removes Web tab from Display Properties|
                      Desktop (tab)|Customize Desktop... (button)|Desktop Items (window)]


                      Active Desktop and Wallpaper:
                      -----------------------------

                      Active Desktop is disabled at this entry:
                      • Guest: ewka Re: Please check my log IP: *.net132.okay.pl 04.09.05, 16:28
                        cont.

                        Active Desktop and Wallpaper:
                        -----------------------------

                        Active Desktop is disabled at this entry:
                        HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

                        HKCU\Control Panel\Desktop\
                        "Wallpaper" = "C:\Documents and Settings\Właściciel\Ustawienia lokalne\Dane
                        aplikacji\Microsoft\Wallpaper1.bmp"


                        Winsock2 Service Provider DLLs:
                        -------------------------------

                        Namespace Service Providers

                        HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5
                        \Catalog_Entries\ {++}
                        000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
                        000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
                        000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

                        Transport Service Providers

                        HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9
                        \Catalog_Entries\ {++}
                        0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
                        %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
                        %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


                        Toolbars, Explorer Bars, Extensions:
                        ------------------------------------

                        Extensions (Tools menu items, main toolbar menu buttons)

                        HKLM\Software\Microsoft\Internet Explorer\Extensions\
                        {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
                        "MenuText" = "Sun Java Console"
                        "CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
                        -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04
                        \bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]


                        Running Services (Display Name, Service Name, Path {Service DLL}):
                        ------------------------------------------------------------------

                        avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4
                        \ashServ.exe"" [null data]
                        avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4
                        \aswUpdSv.exe"" [null data]
                        avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil
                        Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
                        avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4
                        \ashWebSv.exe" /service" ["ALWIL Software"]
                        Creative Service for CDROM Access, Creative Service for CDROM
                        Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
                        ewido security suite control, ewido security suite control, "C:\Program
                        Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
                        Kerio Personal Firewall 4, KPF4, "C:\Program Files\Kerio\Personal Firewall 4
                        \kpf4ss.exe" ["Kerio Technologies"]
                        Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft
                        Shared\VS7Debug\mdm.exe"" [MS]
                        Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
                        WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


                        ----------
                        + This report excludes default entries except where indicated.
                        + To see *everywhere* the script checks and *everything* it finds,
                        launch it from a command prompt or a shortcut with the -all parameter.
                        + To search all directories of local fixed drives for DESKTOP.INI
                        DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
                        use the -supp parameter or answer "No" at the first message box.
                        ---------- (total run time: 53 seconds, including 4 seconds for message boxes)

                        from HijackThis

                        Logfile of HijackThis v1.99.1
                        Scan saved at 16:27:40, on 2005-09-04
                        Platform: Windows XP (WinNT 5.01.2600)
                        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

                        Running processes:
                        C:\WINDOWS\System32\smss.exe
                        C:\WINDOWS\system32\winlogon.exe
                        C:\WINDOWS\system32\services.exe
                        C:\WINDOWS\system32\lsass.exe
                        C:\WINDOWS\system32\svchost.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\system32\spoolsv.exe
                        C:\WINDOWS\Explorer.EXE
                        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                        C:\Program Files\Alwil Software\Avast4\ashServ.exe
                        C:\WINDOWS\System32\CTsvcCDA.EXE
                        C:\Program Files\ewido\security suite\ewidoctrl.exe
                        C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
                        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\System32\MsPMSPSv.exe
                        C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
                        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                        C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                        C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
                        C:\Program Files\QuickTime\qttask.exe
                        C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
                        C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
                        C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
                        C:\Program Files\Creative\ShareDLL\CtNotify.exe
                        C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
                        C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
                        C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
                        C:\Program Files\Creative\ShareDLL\MediaDet.Exe
                        C:\Program Files\Winamp\winampa.exe
                        C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                        C:\Program Files\Messenger\msmsgs.exe
                        C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
                        C:\PROGRA~1\INCRED~1\bin\IMApp.exe
                        C:\Program Files\Internet Explorer\IEXPLORE.EXE
                        C:\WINDOWS\System32\msiexec.exe
                        C:\Program Files\Gadu-Gadu\gg.exe
                        C:\Documents and Settings\Właściciel\Pulpit\hijackthis\HijackThis.exe

                        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                        www.wp.pl/
                        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
                        Settings,AutoConfigURL = proxy.zetosa.pl/proxy.pac
                        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
                        C:\WINDOWS\System32\msdxm.ocx
                        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
                        atboottime
                        O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
                        Files\HP\hpcoretech\hpcmpmgr.exe"
                        O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32
                        \spool\drivers\w32x86\3\hpztsb10.exe
                        O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
                        Software Update\HPWuSchd2.exe"
                        O4 - HKLM\..\Run: [Disc Detector] C:\Program
                        Files\Creative\ShareDLL\CtNotify.exe
                        O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
                        O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
                        O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
                        O4 - HKLM\..\Run: [CTAvTray] C:\Program
                        Files\Creative\SBLive\Program\CTAvTray.EXE
                        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04
                        \bin\jusched.exe
                        O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
                        AntiSpyware\gcasServ.exe"
                        O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
                        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                        O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program
                        Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
                        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                        O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
                        O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
                        C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
                        O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
                        res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
                        C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
                        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
                        00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
                        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
                        update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125781290748
                        O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) -
                        updates.lifescapeinc.com/installers/pinstall/pinstall.cab
                        O16 - DPF:
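A small triage script for logs like the two posted in this thread, added here as an example; it is not HijackThis code and not anything the poster ran. It parses the R0/R1, O4 and O16 entry types that appear above and flags the entries a reviewer opens first: a start page or proxy auto-config URL on a raw IP or an unknown host, an autostart executable outside the usual install directories, and an ActiveX download (DPF) from an unknown host. The allow-list and install roots (TRUSTED_HOSTS, TRUSTED_ROOTS) are assumptions a reviewer would set per machine. The sample lines are copied from the log above, folded back onto one line each because the forum wrapped them, plus one constructed R0 line with a TEST-NET address (192.0.2.10) to exercise the raw-IP check.

```python
"""Triage heuristics for HijackThis 1.99 log lines (added example, not HijackThis code).

Handles R0/R1 (IE start page, proxy auto-config URL), O4 (autostart) and
O16 (ActiveX DPF download) entries. A flag means "look at this entry",
not "this entry is malicious".
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumptions for this example; a reviewer fills these in per machine.
TRUSTED_HOSTS = {"www.wp.pl", "proxy.zetosa.pl", "update.microsoft.com"}
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")

R_ENTRY = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?)\s*=\s*(?P<url>\S.*?)\s*$")
O4_ENTRY = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$"
)
O16_ENTRY = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$"
)
# HijackThis prints unquoted O4 paths even when they contain spaces (see the
# "CTAvStub.EXE EAX.AVI" line in the log), so cut the path at the first
# executable extension that is followed by whitespace or end of line.
EXE_EXT = re.compile(r"^(?P<exe>.+?\.(?:exe|com|scr|pif|bat|cmd))(?=\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str     # HijackThis entry type: R0, R1, O4 or O16
    subject: str  # registry key, autostart name or DPF description
    reason: str   # why a reviewer should look at it


def host_of(url: str) -> str:
    """Lower-cased host of a URL; the scheme may be missing, as in pasted logs."""
    bare = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return bare.split("/", 1)[0].split(":", 1)[0].lower()


def is_raw_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def exe_of(cmd: str) -> str:
    """Executable path from an O4 command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_EXT.match(cmd)
    return m["exe"] if m else cmd.split()[0]


def check_url(kind: str, subject: str, url: str):
    host = host_of(url)
    if is_raw_ip(host):
        return Finding(kind, subject, f"points at a raw IP address ({host})")
    if host not in TRUSTED_HOSTS:
        return Finding(kind, subject, f"host {host} is not on the allow-list")
    return None


def triage(lines):
    """Apply the heuristics to an iterable of log lines; returns Findings in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        f = None
        if m := R_ENTRY.match(line):
            f = check_url(m["kind"], m["key"], m["url"])
        elif m := O4_ENTRY.match(line):
            exe = exe_of(m["cmd"])
            if not exe.lower().startswith(TRUSTED_ROOTS):
                f = Finding("O4", m["name"], f"autostart executable outside the install roots: {exe}")
        elif m := O16_ENTRY.match(line):
            f = check_url("O16", m["desc"], m["url"])
        if f:
            findings.append(f)
    return findings


# Constructed sample: lines from the log in this thread (unwrapped), plus one
# made-up HKLM start page on a TEST-NET address to show the raw-IP check.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.wp.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.0.2.10/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = proxy.zetosa.pl/proxy.pac
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125781290748
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.subject}: {f.reason}")
```

Run on the sample it reports three entries: the constructed raw-IP start page, the UpdReg autostart that sits directly in C:\WINDOWS rather than under System32 or Program Files, and the pinstall.cab download from updates.lifescapeinc.com. The first two checks are the ones that matter most in hijacked-browser threads like this one (a start page or proxy.pac on a bare IP, an autostart in an odd directory); a flag is a prompt to look the entry up against the vendor software visible elsewhere in the log, not a verdict. Everything else in the log, including the Winsock catalog and service list from the Silent Runners report, still has to be read by hand.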
