
A biiiiig request to verify my logs

18.03.06, 19:10
below is the log from HijackThis.

thanks very much in advance.
___________________________

Logfile of HijackThis v1.99.1
Scan saved at 19:09:19, on 2006-03-18
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\BANKRUT\BANKRUT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NEOSTRADA TP\CNXMON.EXE
C:\PROGRAM FILES\NEOSTRADA TP\TASKBARICON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\E_S5I0B1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\PULPIT\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.gazeta.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0 CE\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [Bankrut] C:\PROGRAM FILES\BANKRUT\bankrut.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\SYSTEM\E_S5I0B1.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O14 - IERESET.INF: START_PAGE_URL=www.gazeta.pl/
O15 - Trusted Zone: www.mks.com.pl
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - www.mks.com.pl/skaner/SkanerOnline.cab
  • x-ray77 18.03.06, 19:11
    "Silent Runners.vbs", revision 41, www.silentrunners.org/
    Operating System: Windows Me (Millennium Edition)
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "EPSON Stylus CX3600 Series" = "C:\WINDOWS\SYSTEM\E_S5I0B1.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"" ["SEIKO EPSON CORPORATION"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "internat.exe" = "internat.exe" [MS]
    "ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
    "TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
    "PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
    "SystemTray" = "SysTray.Exe" [MS]
    "LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
    "C-Media Mixer" = "Mixer.exe /startup" [file not found]
    "avast! Web Scanner" = "C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE" ["ALWIL Software"]
    "Bankrut" = "C:\PROGRAM FILES\BANKRUT\bankrut.exe" [null data]
    "Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
    "Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
    "SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup" [MS]
    "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
    "WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [","]
    "WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
    "WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]
    "ashMaiSv" = "C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe" ["ALWIL Software"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
    "LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
    "SchedulingAgent" = "mstask.exe" [MS]
    "*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
    "KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]
    "avast!" = "C:\Program Files\Alwil Software\Avast4\ashServ.exe" [null data]
    "TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]
    "StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    PerUser_CVT_Inis\(Default) = "Instalator systemu Windows — Konwerter FAT32"
    \StubPath = "rundll.exe
    C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64
    C:\WINDOWS\INF\applets1.inf" [MS]
    PerUser_Dialer_Inis\(Default) = "Instalator systemu Windows — Telefon"
    \StubPath = "rundll.exe
    C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64
    C:\WINDOWS\INF\appletpp.inf" [MS]
    {44BBA842-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "NetMeeting 3.01"
    \StubPath = "rundll32.exe
    advpack.dll,LaunchINFSection
    C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0 CE\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
    "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\VPSHELL2.DLL" ["Symantec Corporation"]
    "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
    LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\VPSHELL2.DLL" ["Symantec Corporation"]
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    ClamWin\(Default) = "{65713842-C410-4f44-8383-BFE01A398C90}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ClamWin\bin\ExpShell.dll" ["alch"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
    LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\SYMANT~1\SSC\VPSHELL2.DLL" ["Symantec Corporation"]
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    ClamWin\(Default) = "{65713842-C410-4f44-8383-BFE01A398C90}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ClamWin\bin\ExpShell.dll" ["alch"]


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Moje dokumenty\Moje obrazy\views & wallpapers\florida keys.bmp"


    WIN.INI & SYSTEM.INI launch points:
    -----------------------------------

    SYSTEM.INI
    [boot]
    "SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\WYGASZ~1.SCR" (Wygaszacz ekranu Moje obrazy.scr) [MS]


    Startup items in "Startup" & "All Users...Startup" folders:
    -----------------------------------------------------------

    C:\WINDOWS\Menu Start\Programy\Autostart
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


    Enabled Scheduled Tasks:
    ------------------------

    "Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [MS]
    "Harmonogram programu PCHealth dla zbierania danych" ->
    launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
    "Konserwacja — Scandisk" ->
    launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
    "Konserwacja — Porządkowanie dysku" ->
    launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
    C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
    C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
    C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
  • x-ray77 18.03.06, 19:13
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


    Miscellaneous IE Hijack Points
    ------------------------------

    HKLM\Software\Microsoft\Internet Explorer\Version = (invalid data)
    The Internet Explorer version cannot be found!

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
    The contents of IERESET.INF cannot be reliably checked!

    Added lines (compared with English-language version):
    [Strings]: START_PAGE_URL=www.gazeta.pl/
    [Strings]: MS_START_PAGE_URL="www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"

    Missing lines (compared with English-language version):
    [Strings]: 2 lines


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    EPSON V5 Monitor\Driver = "EBPMON.DLL" ["SEIKO EPSON CORPORATION"]
    EPSON USB Printer Port Monitor\Driver = "EPUSBMN.DLL" ["SEIKO EPSON CORPORATION"]
    PDFCreator\Driver = "pdfcmn95.dll" [null data]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    ---------- (total run time: 26 seconds, including 14 seconds for message boxes)
  • Guest: k IP: *.warszawa.sdi.tpnet.pl 18.03.06, 19:16
    Remove:
    R3 - Default URLSearchHook is missing

    Why so many of these logs when there's nothing interesting in them anyway? :>
  • x-ray77 18.03.06, 19:21
    Portal guest: k wrote:

    > Remove:
    > R3 - Default URLSearchHook is missing
    >
    > Why so many of these logs when there's nothing interesting in them anyway? :>
    _________

    that makes me very happy ;-)

    and is the information under 'Miscellaneous IE Hijack Points' in Silent Runners OK?
  • x-ray77 19.03.06, 07:47
    on Google (gdata.pl/virlist/nowewirusy_b.html) I found this information:

    "Backdoor.Agobot.iq
    An internet worm of the backdoor type. It spreads by exploiting typical security holes in Windows systems through TCP ports 135, 80 and 445. Once run, it copies a file named nwiz.exe into the system folder."


    in my processes there is this entry: O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    is this that worm??
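A defender-side triage of the O4 entries discussed in this thread, added here as an example (it is not code from the thread, from HijackThis or from Silent Runners). It parses each O4 line into its registry key, value name and launched executable, and flags the cases a reviewer has to resolve by hand before deciding anything: a bare filename with no directory (as in the `nwiz` entry asked about, which Windows resolves through the search path, so the file's actual location and publisher must be checked on disk), a target Silent Runners reported as missing, and a target with no version information. The sample lines and the publisher tags are constructed from the logs posted above.

```python
import re
# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
HJT_LINES = r"""
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Bankrut] C:\PROGRAM FILES\BANKRUT\bankrut.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
""".strip().splitlines()

# Constructed: publisher tags Silent Runners printed for the same value names in this thread.
SR_TAGS = {
    "C-Media Mixer": "[file not found]",
    "Bankrut": "[null data]",
    "nwiz": '["NVIDIA Corporation"]',
    "SpeedTouch USB Diagnostics": '["THOMSON Telecom Belgium"]',
    "avast!": "[null data]",
}

O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Executable = optional opening quote, then the shortest prefix ending in .exe/.scr/.cpl.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|scr|cpl))(?:"|\s|$)', re.IGNORECASE)

def parse_o4(line):
    """Split one O4 line into hive, key, value name, command and the executable it launches."""
    if not (m := O4_RE.match(line.strip())):
        return None
    entry = m.groupdict()
    x = EXE_RE.match(entry["cmd"])
    entry["exe"] = x.group("exe") if x else entry["cmd"]
    return entry

def triage(lines, tags):
    """Attach the publisher tag and the points a reviewer should check before judging an entry."""
    out = []
    for line in lines:
        e = parse_o4(line)
        if not e:
            continue
        flags = []
        if "\\" not in e["exe"]:  # no directory given: Windows resolves it via the search path
            flags.append("bare filename: resolved via the search path, locate the file")
        tag = tags.get(e["name"], "")
        if tag == "[file not found]":
            flags.append("target missing on disk")
        elif tag == "[null data]":
            flags.append("no version/publisher info")
        e["publisher"], e["flags"] = tag, flags
        out.append(e)
    return out
```

Run `triage(HJT_LINES, SR_TAGS)` to get one dict per entry; an entry with an empty `flags` list and a named publisher needs no further manual check, while the others do.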
