
Checking a HijackThis log

IP: *.autocom.pl 11.04.05, 07:19
Logfile of HijackThis v1.99.1
Scan saved at 07:18:14, on 05-04-11
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SOINTGR.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TEMP\OM- LICZNIK 1.0.EXE
C:\PROGRAM FILES\REAL\REALJBOX.EXE
C:\PROGRAM FILES\SERVICEPACKFILES\MEMREALOAD.EXE
C:\PROGRAM FILES\D4\D4.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\PROGRAM FILES\DESKTOP ARCHITECT\DATRAY.EXE
C:\PROGRAM FILES\ATNOTES\ATNOTES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\PULPIT\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: CrsHO Class - {5843A29E-1246-11D4-BA8C-0050DA707ACD} -
C:\WINDOWS\SYSTEM\CRS32.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} -
C:\WINDOWS\SYSTEM\MSBE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-
3FFD8020233E} - C:\PROGRAM FILES\THESEARCHACCELERATOR\UCMTSAIE.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\dsb.exe
O4 - HKLM\..\Run: [OM- Licznik 1.0] C:\WINDOWS\TEMP\OM- LICZNIK 1.0.EXE
O4 - HKLM\..\Run: [REAL] C:\Program Files\REAL\realjbox.exe
O4 - HKLM\..\Run: [Indexindicator] C:\WINDOWS\SYSTEM\Indexindicator.exe /check
O4 - HKLM\..\Run: [MEMreaload] C:\Program
Files\ServicePackFiles\MEMreaload.exe /checkmouse /updateratio
O4 - HKLM\..\Run: [Suite] C:\WINDOWS\SYSTEM\SuiteOffices.exe /cleandb
O4 - HKLM\..\Run: [Reload] C:\Program
Files\ServicePackFiles\reload.exe /reloadenterpice
O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\SYSTEM\Recalculate.exe /reloadenterpice
O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
O4 - HKLM\..\Run: [LocalProxy] C:\Program Files\LocalProxy\proxy4free.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4
\ASHWEBSV.EXE
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye
Network\bin\bargains.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4
\ashServ.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\PROGRAM FILES\DESKTOP
ARCHITECT\DATRAY.EXE" -S
O4 - Startup: ATnotes.lnk = C:\Program Files\ATnotes\ATnotes.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pcg: C:\PROGRA~1\INTERN~1\Plugins\nppcgplg.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c11.cab
    • m.gregor Re: Checking a HijackThis log 11.04.05, 09:09
      1.) In Control Panel -> Add/Remove Programs, uninstall all the search
      accelerators and other such wonders
      2.) Select and delete:
      > O2 - BHO: CrsHO Class - {5843A29E-1246-11D4-BA8C-0050DA707ACD} -
      > C:\WINDOWS\SYSTEM\CRS32.DLL
      > O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} -
      > C:\WINDOWS\SYSTEM\MSBE.DLL
      > O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-
      > 3FFD8020233E} - C:\PROGRAM FILES\THESEARCHACCELERATOR\UCMTSAIE.DLL
      > O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
      > O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
      > O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\dsb.exe
      > O4 - HKLM\..\Run: [OM- Licznik 1.0] C:\WINDOWS\TEMP\OM- LICZNIK 1.0.EXE
      > O4 - HKLM\..\Run: [Indexindicator] C:\WINDOWS\SYSTEM\Indexindicator.exe /check
      > O4 - HKLM\..\Run: [MEMreaload] C:\Program
      > Files\ServicePackFiles\MEMreaload.exe /checkmouse /updateratio
      > O4 - HKLM\..\Run: [Suite] C:\WINDOWS\SYSTEM\SuiteOffices.exe /cleandb
      > O4 - HKLM\..\Run: [Reload] C:\Program
      > Files\ServicePackFiles\reload.exe /reloadenterpice
      > O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\SYSTEM\Recalculate.exe /reloadenterpice
      > O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
      > O4 - HKLM\..\Run: [LocalProxy] C:\Program Files\LocalProxy\proxy4free.exe
      > O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
      > O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye
      > Network\bin\bargains.exe
      > O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
      > O4 - HKCU\..\Run: [Desktop Architect] "C:\PROGRAM FILES\DESKTOP
      > ARCHITECT\DATRAY.EXE" -S
      > O4 - Startup: ATnotes.lnk = C:\Program Files\ATnotes\ATnotes.exe
      > O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
      > static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c11.cab

      And then make and paste a new log.
      • Guest: Bezradna New log IP: *.autocom.pl 11.04.05, 19:19
        Logfile of HijackThis v1.99.1
        Scan saved at 19:17:18, on 05-04-11
        Platform: Windows 98 SE (Win9x 4.10.2222A)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINDOWS\SYSTEM\KERNEL32.DLL
        C:\WINDOWS\SYSTEM\MSGSRV32.EXE
        C:\WINDOWS\SYSTEM\MPREXE.EXE
        C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
        C:\WINDOWS\SYSTEM\mmtask.tsk
        C:\WINDOWS\EXPLORER.EXE
        C:\WINDOWS\TASKMON.EXE
        C:\WINDOWS\SYSTEM\SYSTRAY.EXE
        C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
        C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
        C:\WINDOWS\SYSTEM\RPCSS.EXE
        C:\WINDOWS\SYSTEM\INTERNAT.EXE
        C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
        C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
        C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
        C:\WINDOWS\SYSTEM\WMIEXE.EXE
        C:\WINDOWS\SYSTEM\PSTORES.EXE
        C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
        C:\WINDOWS\SYSTEM\DDHELP.EXE
        C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
        C:\WINDOWS\PULPIT\HIJACKTHIS\HIJACKTHIS.EXE

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        www.onet.pl/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
        C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
        C:\WINDOWS\SYSTEM\MSDXM.OCX
        O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
        O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
        O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
        O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
        powrprof.dll,LoadCurrentPwrScheme
        O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
        O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
        O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
        O4 - HKLM\..\Run: [internat.exe] internat.exe
        O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
        O4 - HKLM\..\Run: [REAL] C:\Program Files\REAL\realjbox.exe
        O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\SYSTEM\Recalculate.exe /reloadenterpice
        O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
        O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
        O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
        powrprof.dll,LoadCurrentPwrScheme
        O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4
        \ashServ.exe
        O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
        C:\WINDOWS\web\related.htm
        O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
        00aa003c157a} - C:\WINDOWS\web\related.htm
        O12 - Plugin for .pcg: C:\PROGRA~1\INTERN~1\Plugins\nppcgplg.dll
        O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
        O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
        O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
        O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
        O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
        O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
        O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
        bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
        • m.gregor Re: New log 11.04.05, 21:27
          If you know what these entries are and you are 100% sure about those programs, you can
          restore them. To do that, run HijackThis, choose 'View the list of
          backups', then select those two lines and choose Restore.

          Then proceed as I described on the page and delete the following line:
          > O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\SYSTEM\Recalculate.exe /reloadenterpice
          It's the Lazar trojan. If the problem keeps coming back (the line reappears after a restart
          and a new scan), scan the system with an online scanner, e.g. Panda's.
          • Guest: Bezradna OK IP: *.autocom.pl 12.04.05, 07:01
            I don't know what it means to be 100% sure about them. I got ATnotes from the CD
            that came with Komputer Świat, and I downloaded OM licznik from the net. But I do
            need them a bit.
            I did everything as you told me; yesterday I ran the online scan and it found
            two trojans and recommended deleting the files. The computer obediently shut down. This
            morning I checked once more whether that trojan had reappeared and ran the online
            scan again. Everything seems to be fine.
            Thank you very much for the help! It's amazing that one can always count on you guys,
            comrade ;-)
      • Guest: MAGDA Checking a HijackThis log - please help IP: *.neoplus.adsl.tpnet.pl 12.04.05, 20:50
        some nasty thing from xxx installed itself on my machine; it makes using the net
        practically impossible and opens lots of different pages
        here is my log
        Logfile of HijackThis v1.99.1
        Scan saved at 20:49:34, on 2005-04-12
        Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\System32\nvsvc32.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
        C:\Program Files\RealVNC\VNC4\WinVNC4.exe
        C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
        C:\WINDOWS\SOUNDMAN.EXE
        C:\WINDOWS\logon.exe
        C:\WINDOWS\System32\rundll32.exe
        C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
        C:\WINDOWS\System32\ctfmon.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
        C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
        C:\TV\moretv353pl\MoreTV.exe
        C:\TV\wilma21\Wilma.exe
        C:\PROGRA~1\Wanadoo\EspaceWanadoo.exe
        C:\PROGRA~1\Wanadoo\ComComp.exe
        C:\PROGRA~1\Wanadoo\Watch.exe
        C:\Program Files\FlashGet\flashget.exe
        C:\WINDOWS\System32\winsys32.exe
        C:\WINDOWS\system32\ntvdm.exe
        C:\Program Files\Winamp\winamp.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\PROGRA~1\WINZIP\winzip32.exe
        C:\Documents and Settings\magda\Ustawienia lokalne\Temp\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        www.jimbutt.com/stuffs/
        O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
        \NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05
        \bin\jusched.exe
        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
        O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
        \NEWDOT~1.DLL,NewDotNetStartup -s
        O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
        O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
        O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
        O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -
        FastScan
        O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
        \dslmon.exe
        O4 - Global Startup: hp psc 1000 series.lnk = ?
        O4 - Global Startup: hpoddt01.exe.lnk = ?
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
        Office\Office\OSA9.EXE
        O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
        Labs\ZoneAlarm\zapro.exe
        O8 - Extra context menu item: Download All by FlashGet - C:\Program
        Files\FlashGet\jc_all.htm
        O8 - Extra context menu item: Download using FlashGet - C:\Program
        Files\FlashGet\jc_link.htm
        O10 - Hijacked Internet access by New.Net
        O10 - Hijacked Internet access by New.Net
        O10 - Hijacked Internet access by New.Net
        O10 - Hijacked Internet access by New.Net
        O17 - HKLM\System\CCS\Services\Tcpip\..\{872DE33C-3A18-4A44-A0C5-CCC9E8D3BF96}:
        NameServer = 194.204.152.34 217.98.63.164
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
        C:\WINDOWS\System32\nvsvc32.exe
        O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
        O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program
        Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

        I tried to remove R0 but I can't
        what should I do?
        thanks, magda
        • Guest: Kolobos Re: Checking a HijackThis log - please help IP: *.warszawa.sdi.tpnet.pl 12.04.05, 21:10
          Uninstall New.Net and Spyware Vanisher, and also use this:
          www.cexx.org/LSPFix.exe
          In HijackThis remove this:

          > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
          > www.jimbutt.com/stuffs/
          > O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
          > O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
          > \NEWDOT~1.DLL,NewDotNetStartup -s
          > O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
          > O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
          > O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -
          > FastScan

          And Fix checked.

          As for jimbutt, there is a description of how to remove it here:
          www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&#entry58793
        • m.gregor Re: Checking a HijackThis log - please help 12.04.05, 21:16
          1.) First, make a log as described here:
          republika.pl/mgregor
          2.) Uninstall New.net and SpywareVanisher (Start -> Control Panel ->
          Add/Remove Programs)
          3.) And then delete the following lines:
          > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
          > www.jimbutt.com/stuffs/
          > O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
          > O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
          > O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
          > \NEWDOT~1.DLL,NewDotNetStartup -s
          > O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
          > O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -
          > FastScan
          > O10 - Hijacked Internet access by New.Net
          > O10 - Hijacked Internet access by New.Net
          > O10 - Hijacked Internet access by New.Net
          > O10 - Hijacked Internet access by New.Net
          4.) Once you have got rid of that:
          - updates from Windows Update
          - stop using IE - install a secure browser: Firefox,
          Mozilla, Opera
          - install e.g. Kerio or Sygate instead of Zone Alarm
          - install an antivirus program (e.g. the free Avast)
          - stop using Neostrada's Wanadoo (uninstall it) and create the connection
          as described here:
          forum.gazeta.pl/forum/72,2.html?f=34&w=15679891&a=15680440
          - make and paste a log after doing all of this

          Links and instructions:
          forum.gazeta.pl/forum/72,2.html?f=34&w=15679891&a=19472430 + THE FOLLOWING
          POSTS, WHICH CONTAIN ERRATA FOR THE LINKS AND LINKS TO NEWER VERSIONS (E.G. OF SUN JAVA).
            • Guest: magda Re: Checking a HijackThis log - please help IP: *.neoplus.adsl.tpnet.pl 12.04.05, 21:44
              mgregor - I followed your instructions.
              it did not remove jimbutt or those O10 entries - there was a message that it can't
              here is the log after Fix checked
              Logfile of HijackThis v1.99.1
              Scan saved at 21:42:04, on 2005-04-12
              Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
              MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\Explorer.EXE
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\System32\nvsvc32.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\ZoneLabs\vsmon.exe
              C:\Program Files\RealVNC\VNC4\WinVNC4.exe
              C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
              C:\WINDOWS\SOUNDMAN.EXE
              C:\WINDOWS\System32\rundll32.exe
              C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
              C:\WINDOWS\System32\ctfmon.exe
              C:\Program Files\Messenger\msmsgs.exe
              C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
              C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
              C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
              C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
              C:\TV\moretv353pl\MoreTV.exe
              C:\TV\wilma21\Wilma.exe
              C:\Program Files\FlashGet\flashget.exe
              C:\Program Files\Winamp\winamp.exe
              C:\Program Files\Microsoft Office\Office\WINWORD.EXE
              C:\Downloads\Różne dziwne\hijackthisnew\HijackThis.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
              www.jimbutt.com/stuffs/
              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
              \NvCpl.dll,NvStartup
              O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
              O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05
              \bin\jusched.exe
              O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
              O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
              O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
              O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
              O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
              \NEWDOT~1.DLL,NewDotNetStartup -s
              O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
              O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
              O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
              \dslmon.exe
              O4 - Global Startup: hp psc 1000 series.lnk = ?
              O4 - Global Startup: hpoddt01.exe.lnk = ?
              O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
              Office\Office\OSA9.EXE
              O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
              Labs\ZoneAlarm\zapro.exe
              O8 - Extra context menu item: Download All by FlashGet - C:\Program
              Files\FlashGet\jc_all.htm
              O8 - Extra context menu item: Download using FlashGet - C:\Program
              Files\FlashGet\jc_link.htm
              O10 - Hijacked Internet access by New.Net
              O10 - Hijacked Internet access by New.Net
              O10 - Hijacked Internet access by New.Net
              O10 - Hijacked Internet access by New.Net
              O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
              C:\WINDOWS\System32\nvsvc32.exe
              O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
              C:\WINDOWS\system32\ZoneLabs\vsmon.exe
              O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program
              Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

              unfortunately it is no better
              magda
            • Guest: magda Re: Checking a HijackThis log - please help IP: *.neoplus.adsl.tpnet.pl 12.04.05, 21:47
              > jimbutt can't be removed that easily; in C:\Windows\system\ it creates the file
              > systr.dll and a second one with a random name but the same creation date, which
              > makes removal easier; it should be visible in DllCompare.exe, you have to get rid
              > of both files and it will be OK :-)
              > Anyway, one of the removal methods is in the link I gave in another
              > post.
              >
              Can you give the link? My search engine is silent :-((
              this really is urgent
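The cross-check the helpers in this thread do by eye, comparing the quoted list of lines to fix with the next log that gets posted, written out as an added Python example (it is not part of the original posts and not a HijackThis feature). The function names are hypothetical, and the two sample texts are short excerpts constructed from the fix list and follow-up log quoted above.

```python
import re

# HijackThis entries start with a section code (R0-R3, F0-F3, N1-N4, O1-O23) and " - ".
ENTRY_START = re.compile(r"^(?:[RFN]\d|O\d{1,2}) - ")
# Registry autoruns: "O4 - <key>: [<value name>] <command>"
O4_ENTRY = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_entries(text):
    """Return the entries of a pasted log or '>'-quoted fix list, rejoining the
    hard line wraps the forum inserted. A continuation line must have the same
    quoting as the entry it continues; a blank line closes the current entry."""
    entries, open_quoted = [], None   # None means no entry is open
    for raw in text.splitlines():
        line = raw.strip()
        quoted = line.startswith(">")
        if quoted:
            line = line[1:].strip()
        if not line:
            open_quoted = None
        elif ENTRY_START.match(line):
            entries.append(line)
            open_quoted = quoted
        elif open_quoted is not None and quoted == open_quoted:
            entries[-1] += " " + line
        else:
            open_quoted = None        # prose or the process list, not an entry
    return entries

def key(entry):
    """Comparison key. Wraps fall both at spaces and inside paths or GUIDs, so
    whitespace is dropped entirely and case is folded before comparing."""
    return re.sub(r"\s+", "", entry).casefold()

def still_present(fix_text, log_text):
    """Entries from the fix list that the follow-up log still contains."""
    after = {key(e) for e in parse_entries(log_text)}
    seen, out = set(), []
    for e in parse_entries(fix_text):
        k = key(e)
        if k in after and k not in seen:
            seen.add(k)
            out.append(e)
    return out

def autorun_target(entry):
    m = O4_ENTRY.match(entry)
    return (m["name"].casefold(), key(m["cmd"])) if m else None

def sibling_autoruns(fix_text, log_text):
    """O4 entries in the follow-up log that start the same value name and command
    as a fix-list entry but live under a registry key the fix list did not name."""
    fixed = parse_entries(fix_text)
    fixed_keys = {key(e) for e in fixed}
    targets = {autorun_target(e) for e in fixed} - {None}
    return [e for e in parse_entries(log_text)
            if key(e) not in fixed_keys and autorun_target(e) in targets]

# Constructed excerpt of the quoted fix list (wrapped lines kept as posted).
FIX_LIST = r"""
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> www.jimbutt.com/stuffs/
> O4 - HKLM\..\Run: [Microsoft Update] winsys32.exe
> O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
> O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
> \NEWDOT~1.DLL,NewDotNetStartup -s
> O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
> O10 - Hijacked Internet access by New.Net
> O10 - Hijacked Internet access by New.Net
4.) Once you have got rid of that:
"""

# Constructed excerpt of the log posted after "Fix checked".
FOLLOWUP_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.jimbutt.com/stuffs/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

unfortunately it is no better
"""

if __name__ == "__main__":
    print("Still present after the fix:")
    for e in still_present(FIX_LIST, FOLLOWUP_LOG):
        print("  ", e)
    print("Same autorun under a key the fix list did not name:")
    for e in sibling_autoruns(FIX_LIST, FOLLOWUP_LOG):
        print("  ", e)
```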
                • Guest: magda Re: Checking a HijackThis log - please help IP: *.neoplus.adsl.tpnet.pl 12.04.05, 22:26
                  sorry, you probably think I'm slow, but this junk keeps
                  popping up so that after 2-3 min I have to get off the net, and that's why
                  I configured the connection, threw out New.net - it was there after all :-)))
                  I downloaded that little program to get rid of jimbutt, but only these files
                  showed up
                  mswsock.dll
                  winrnr.dll
                  rsvpsp.dll
                  so I don't know whether to remove any of them
                  here is the new log - jimbutt is still sitting there

                  Logfile of HijackThis v1.99.1
                  Scan saved at 22:23:06, on 2005-04-12
                  Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\WINDOWS\System32\nvsvc32.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                  C:\Program Files\RealVNC\VNC4\WinVNC4.exe
                  C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
                  C:\WINDOWS\SOUNDMAN.EXE
                  C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
                  C:\WINDOWS\System32\ctfmon.exe
                  C:\Program Files\Messenger\msmsgs.exe
                  C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                  C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
                  C:\Program Files\FlashGet\flashget.exe
                  C:\Program Files\Internet Explorer\iexplore.exe
                  C:\WINDOWS\system32\NOTEPAD.EXE
                  C:\Downloads\Różne dziwne\hijackthisnew\HijackThis.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                  www.jimbutt.com/stuffs/
                  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
                  \NvCpl.dll,NvStartup
                  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05
                  \bin\jusched.exe
                  O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
                  O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                  O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
                  O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
                  O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
                  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
                  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                  O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
                  \dslmon.exe
                  O4 - Global Startup: hp psc 1000 series.lnk = ?
                  O4 - Global Startup: hpoddt01.exe.lnk = ?
                  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
                  Office\Office\OSA9.EXE
                  O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
                  Labs\ZoneAlarm\zapro.exe
                  O8 - Extra context menu item: Download All by FlashGet - C:\Program
                  Files\FlashGet\jc_all.htm
                  O8 - Extra context menu item: Download using FlashGet - C:\Program
                  Files\FlashGet\jc_link.htm
                  O17 - HKLM\System\CCS\Services\Tcpip\..\{872DE33C-3A18-4A44-A0C5-CCC9E8D3BF96}:
                  NameServer = 194.204.152.34 217.98.63.164
                  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
                  C:\WINDOWS\System32\nvsvc32.exe
                  O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
                  C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                  O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program
                  Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

                  • Guest: Kolobos Re: Checking a HijackThis log - please help IP: *.warszawa.sdi.tpnet.pl 12.04.05, 23:02
                    You have to remove this file:
                    C:\WINDOWS\System32\systr.dll

                    Open Notepad and paste this into it:

                    REGEDIT4

                    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
                    "{12345678-0000-0010-8000-00AAFF6D2EA4}"=-

                    Save it as fix.reg and double-click it, then in Start->Run
                    type: regsvr32 /u systr.dll
                    then type in Run:
                    Start->Run->cmd and type:
                    del C:\WINDOWS\System32\systr.dll

                    Then in HijackThis remove the entry:
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                    www.jimbutt.com/stuffs/

                    After deleting it, restart the computer and check whether jimbutt has gone or is
                    still there :-)
                      • Guest: MAGDA THANKS GUYS!!!!!!!!!! IP: *.neoplus.adsl.tpnet.pl 12.04.05, 23:55
                        I think I managed it :-)))))
                        I rebooted and nothing is popping up for now
                        I'm pasting the log
                        I don't know whether anything else should be removed
                        I threw out Wanadoo
                        Logfile of HijackThis v1.99.1
                        Scan saved at 23:49:37, on 2005-04-12
                        Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
                        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                        Running processes:
                        C:\WINDOWS\System32\smss.exe
                        C:\WINDOWS\system32\winlogon.exe
                        C:\WINDOWS\system32\services.exe
                        C:\WINDOWS\system32\lsass.exe
                        C:\WINDOWS\system32\svchost.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\Explorer.EXE
                        C:\WINDOWS\system32\spoolsv.exe
                        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                        C:\Program Files\Alwil Software\Avast4\ashServ.exe
                        C:\WINDOWS\ias.exe
                        C:\WINDOWS\ibz.exe
                        C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
                        C:\WINDOWS\SOUNDMAN.EXE
                        C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                        C:\WINDOWS\System32\ctfmon.exe
                        C:\Program Files\Messenger\msmsgs.exe
                        C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
                        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
                        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                        C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
                        C:\WINDOWS\System32\nvsvc32.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                        C:\Program Files\RealVNC\VNC4\WinVNC4.exe
                        C:\Downloads\Różne dziwne\hijackthisnew\HijackThis.exe
                        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                        C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                        C:\WINDOWS\System32\wuauclt.exe

                        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
                        \NvCpl.dll,NvStartup
                        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05
                        \bin\jusched.exe
                        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
                        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                        O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
                        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
                        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                        O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
                        \dslmon.exe
                        O4 - Global Startup: hp psc 1000 series.lnk = ?
                        O4 - Global Startup: hpoddt01.exe.lnk = ?
                        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
                        Office\Office\OSA9.EXE
                        O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
                        Labs\ZoneAlarm\zapro.exe
                        O8 - Extra context menu item: Download All by FlashGet - C:\Program
                        Files\FlashGet\jc_all.htm
                        O8 - Extra context menu item: Download using FlashGet - C:\Program
                        Files\FlashGet\jc_link.htm
                        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
                        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                        O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
                        Software\Avast4\ashServ.exe
                        O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
                        Software\Avast4\ashMaiSv.exe" /service (file missing)
                        O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
                        Software\Avast4\ashWebSv.exe" /service (file missing)
                        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
                        C:\WINDOWS\System32\nvsvc32.exe
                        O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
                        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                        O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program
                        Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

                        just one more thing :-))
                        I still get a message saying that your system has been infected, in particular
                        ports 8080 and 3128, and to use free spyvirus or something like that
                        I hope it will disappear once I run avast

                        magda
                          • Guest: magda Re: THANKS GUYS!!!!!!!!!! IP: *.neoplus.adsl.tpnet.pl 13.04.05, 17:20
                            well yes, and they did say don't praise the day and so on...
                            shortly after I wrote the post avast detected a trojan
                            it removed part of it but probably not everything, although nothing is opening
                            but in the log I see ibz.exe and ias.exe - those probably shouldn't be there?
                            magda

                            "Silent Runners.vbs", revision 34, www.silentrunners.org/
                            Operating System: Windows XP
                            Output limited to non-default values, except where indicated by "{++}"


                            Startup items buried in registry:
                            ---------------------------------

                            HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                            "CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
                            "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
                            "Ias" = "C:\WINDOWS\ias.exe" [null data]
                            "Ibz" = "C:\WINDOWS\ibz.exe" [null data]

                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                            "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
                            "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
                            "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
                            [null data]
                            "NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
                            "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
                            "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

                            HKLM\Software\Microsoft\Active Setup\Installed Components\
                            {306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                            \StubPath = ""C:\WINDOWS\System32
                            \rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

                              • Guest: Kolobos cont.. because I pressed send by accident ;-) IP: *.warszawa.sdi.tpnet.pl 13.04.05, 17:40
                                go to:
                                HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

                                and delete these two entries there:

                                "Ias" = "C:\WINDOWS\ias.exe" [null data]
                                "Ibz" = "C:\WINDOWS\ibz.exe" [null data]

                                Then in HijackThis choose Open Misc Tools and delete file on reboot, and paste
                                the path to:

                                C:\WINDOWS\ias.exe and then to C:\WINDOWS\ibz.exe, and after the reboot they
                                should be gone.

                                Also paste the rest of the Silent Runners log.
                                • Guest: magda log after removing ias.exe and ibz.exe IP: *.neoplus.adsl.tpnet.pl 13.04.05, 17:58
                                  "Silent Runners.vbs", revision 34, www.silentrunners.org/
                                  Operating System: Windows XP
                                  Output limited to non-default values, except where indicated by "{++}"


                                  Startup items buried in registry:
                                  ---------------------------------

                                  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                                  "CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
                                  "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

                                  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                                  "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
                                  "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
                                  "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
                                  [null data]
                                  "NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
                                  "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
                                  "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

                                  HKLM\Software\Microsoft\Active Setup\Installed Components\
                                  {306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                  \StubPath = ""C:\WINDOWS\System32
                                  \rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

                                  HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
                                  "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
                                  wyświetlania"
                                  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
                                  "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll"
                                  ["Hilgraeve, Inc."]
                                  "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitu"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll"
                                  ["NVIDIA Corporation"]
                                  "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll"
                                  ["NVIDIA Corporation"]
                                  "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon
                                  Handler"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2
                                  \Office\OLKFSTUB.DLL" [MS]
                                  "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
                                  [null data]
                                  "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                                  ["WinZip Computing, Inc."]
                                  "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                                  ["WinZip Computing, Inc."]
                                  "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                                  ["WinZip Computing, Inc."]
                                  "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL"
                                  ["WinZip Computing, Inc."]
                                  "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4
                                  \ashShell.dll" ["ALWIL Software"]

                                  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
                                  INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop
                                  Handler"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\systr.dll" [file
                                  not found]


                                  Enabled Wallpaper and Active Desktop:
                                  -------------------------------------

                                  Active Desktop is disabled.

                                  HKCU\Control Panel\Desktop\
                                  "Wallpaper" = "C:\Documents and Settings\magda\Ustawienia lokalne\Dane
                                  aplikacji\Microsoft\Wallpaper1.bmp"


                                  Startup items in "magda" & "All Users" startup folders:
                                  -------------------------------------------------------

                                  C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
                                  "DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840
                                  \dslmon.exe /W" [empty string]
                                  "hp psc 1000 series" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital
                                  Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."]
                                  "hpoddt01.exe" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital
                                  Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
                                  "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft
                                  Office\Office\OSA9.EXE -b -l" [MS]
                                  "ZoneAlarm Pro" -> shortcut to: "C:\Program Files\Zone
                                  Labs\ZoneAlarm\zapro.exe -nopopup" ["Zone Labs Inc."]


                                  Enabled Scheduled Tasks:
                                  ------------------------

                                  "FRU Task #Hewlett-Packard#hp psc 1100 series#1090148201" ->
                                  launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -
                                  I "#Hewlett-Packard#hp psc 1100 series#1090148201"" [empty string]


                                  Winsock2 Service Provider DLLs:
                                  -------------------------------

                                  Namespace Service Providers

                                  HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5
                                  \Catalog_Entries\ {++}
                                  000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
                                  000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
                                  000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

                                  Transport Service Providers

                                  HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9
                                  \Catalog_Entries\ {++}
                                  0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
                                  %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
                                  %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


                                  Toolbars, Explorer Bars, Extensions:
                                  ------------------------------------

                                  Toolbars

                                  HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
                                  "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
                                  -> {CLSID}\(Default) = "Yahoo! Toolbar"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!
                                  \Companion\Installs\cpn\ycomp5_3_16_0.dll" [file not found]

                                  "{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}"
                                  -> {CLSID}\(Default) = "My &Search Bar"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\Program
                                  Files\MyWay\myBar\1.bin\MYBAR.DLL" [file not found]

                                  "{014DA6C9-189F-421A-88CD-07CFE51CFF10}"
                                  -> {CLSID}\(Default) = "iMesh Bar"
                                  -> {CLSID}\InProcServer32\(Default) = "C:\Program
                                  Files\MySearch\bar\1.bin\S4BAR.DLL" [file not found]

                                  Dormant Explorer Bars in "View, Explorer Bar" menu

                                  HKLM\Software\Classes\CLSID\{014DA6CE-189F-421A-88CD-07CFE51CFF10}\
                                  (Default) = "iMesh Bar Quick View"
                                  Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
                                  InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

                                  HKLM\Software\Classes\CLSID\{0494D0DE-F8E0-41AD-92A3-14154ECE70AC}\
                                  (Default) = "My Search Bar Quick View"
                                  Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
                                  InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

                                  HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\
                                  (Default) = "My Web Search Quick View"
                                  Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
                                  InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

                                  HKLM\Software\Classes\CLSID\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}\
                                  (Default) = "&Dyskusja"
                                  Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
                                  InProcServer32\(Default) = "shdocvw.dll" [MS]


                                  Running Services (Display Name, Service Name, Path {Service DLL}):
                                  ------------------------------------------------------------------

                                  avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4
                                  \ashServ.exe"" [null data]
                                  avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4
                                  \aswUpdSv.exe"" [null data]
                                  avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil
                                  Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
                                  avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4
                                  \ashWebSv.exe" /service" ["ALWIL Software"]
                                  NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe"
                                  ["NVIDIA Corpor
                                    • Guest: magda Re: log after removing ias.exe and ibz.exe IP: *.neoplus.adsl.tpnet.pl 13.04.05, 18:09
                                      you're right, that error with 8080 no longer pops up :-)))
                                      I'm pasting the last part

                                      I'll post the one from HijackThis in a moment
                                      mgd
                                      Running Services (Display Name, Service Name, Path {Service DLL}):
                                      ------------------------------------------------------------------

                                      avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4
                                      \ashServ.exe"" [null data]
                                      avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4
                                      \aswUpdSv.exe"" [null data]
                                      avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil
                                      Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
                                      avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4
                                      \ashWebSv.exe" /service" ["ALWIL Software"]
                                      NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe"
                                      ["NVIDIA Corporation"]
                                      TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -
                                      service" ["Zone Labs Inc."]
                                      VNC Server Version 4, WinVNC4, ""C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -
                                      service" ["RealVNC Ltd."]


                                      ----------
                                      This report excludes default entries except where indicated.
                                      To see *everywhere* the script checks and *everything* it finds,
                                      launch it from a command prompt or a shortcut with the -all parameter.
                                      ----------
                                      • Guest: magda log from HijackThis IP: *.neoplus.adsl.tpnet.pl 13.04.05, 18:10
                                        Logfile of HijackThis v1.99.1
                                        Scan saved at 18:09:40, on 2005-04-13
                                        Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
                                        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                                        Running processes:
                                        C:\WINDOWS\System32\smss.exe
                                        C:\WINDOWS\system32\winlogon.exe
                                        C:\WINDOWS\system32\services.exe
                                        C:\WINDOWS\system32\lsass.exe
                                        C:\WINDOWS\system32\svchost.exe
                                        C:\WINDOWS\System32\svchost.exe
                                        C:\WINDOWS\Explorer.EXE
                                        C:\WINDOWS\system32\spoolsv.exe
                                        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                                        C:\Program Files\Alwil Software\Avast4\ashServ.exe
                                        C:\WINDOWS\System32\nvsvc32.exe
                                        C:\WINDOWS\System32\svchost.exe
                                        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                                        C:\Program Files\RealVNC\VNC4\WinVNC4.exe
                                        C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
                                        C:\WINDOWS\SOUNDMAN.EXE
                                        C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                                        C:\WINDOWS\System32\ctfmon.exe
                                        C:\Program Files\Messenger\msmsgs.exe
                                        C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
                                        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
                                        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                                        C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
                                        C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                                        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                                        C:\Program Files\Internet Explorer\iexplore.exe
                                        C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
                                        C:\Program Files\Microsoft Office\Office\WINWORD.EXE
                                        C:\TV\moretv353pl\MoreTV.exe
                                        C:\TV\wilma21\Wilma.exe
                                        C:\WINDOWS\system32\NOTEPAD.EXE
                                        C:\Downloads\Różne dziwne\hijackthisnew\HijackThis.exe

                                        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
                                        \NvCpl.dll,NvStartup
                                        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                                        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05
                                        \bin\jusched.exe
                                        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
                                        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                                        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                                        O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
                                        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
                                        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                                        O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
                                        \dslmon.exe
                                        O4 - Global Startup: hp psc 1000 series.lnk = ?
                                        O4 - Global Startup: hpoddt01.exe.lnk = ?
                                        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
                                        Office\Office\OSA9.EXE
                                        O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
                                        Labs\ZoneAlarm\zapro.exe
                                        O8 - Extra context menu item: Download All by FlashGet - C:\Program
                                        Files\FlashGet\jc_all.htm
                                        O8 - Extra context menu item: Download using FlashGet - C:\Program
                                        Files\FlashGet\jc_link.htm
                                        O17 - HKLM\System\CCS\Services\Tcpip\..\{872DE33C-3A18-4A44-A0C5-CCC9E8D3BF96}:
                                        NameServer = 194.204.152.34 217.98.63.164
                                        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
                                        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                                        O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
                                        Software\Avast4\ashServ.exe
                                        O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
                                        Software\Avast4\ashMaiSv.exe" /service (file missing)
                                        O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
                                        Software\Avast4\ashWebSv.exe" /service (file missing)
                                        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
                                        C:\WINDOWS\System32\nvsvc32.exe
                                        O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
                                        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                                        O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program
                                        Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

                                        • Guest: Kolobos Re: log from HijackThis IP: *.warszawa.sdi.tpnet.pl 13.04.05, 18:17
                                          Start Task Manager (right-click the Start bar and choose the
                                          manager), find the process -> winsys32.exe and end it, then in
                                          Start->Run->cmd type:

                                          del C:\WINDOWS\System32\winsys32.exe

                                          and in HijackThis delete this entry:
                                          O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe

                                          Make sure that after the reboot it is no longer in HijackThis.

                                          Also install:
                                          www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D
                                          www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster
                                          And in both enable browser protection (I'm not sure whether I already wrote this ;-))

                                          Finally, scan the system with these scanners:
                                          housecall.trendmicro.com/housecall/start_corp.asp
                                          www.windowsecurity.com/trojanscan/
                                          www.pandasoftware.com/activescan/
                                          And that's all :-)
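
Added example, not part of any post in this thread: a Python check for the "fix, reboot, post a new log" loop above, which rejoins the forum's wrapped HijackThis lines and reports whether named items are gone from the second log. The two sample logs are constructed from lines quoted in the thread; the function names and the line-joining rule are assumptions made for this example.

```python
import re

# Every HijackThis finding starts with a section code (R0, O4, O23, ...) and " - ".
ENTRY_START = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# Registry autoruns in section O4 look like: HKLM\..\Run: [Name] command
O4_REGISTRY = re.compile(r"^(HK[A-Z]+\\\.\.\\[^:]+): \[(.*?)\] (.*)$")

# Constructed samples, assembled from lines quoted in this thread and wrapped
# the way the forum wrapped them.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\ias.exe
C:\WINDOWS\ibz.exe
C:\WINDOWS\SOUNDMAN.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.jimbutt.com/stuffs/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
Labs\ZoneAlarm\zapro.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program
Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
Labs\ZoneAlarm\zapro.exe
"""


def join_wrapped(head, tail):
    """Undo one forum line wrap (assumed rule, inferred from the logs here)."""
    # A wrap inside a path or GUID leaves a backslash at the break, or a hyphen
    # glued to the previous character; a wrap at a word boundary ate a space.
    if tail.startswith("\\") or head.endswith("\\"):
        return head + tail
    if head.endswith("-") and not head.endswith(" -"):
        return head + tail
    return head + " " + tail


def parse_log(log_text):
    """Split a pasted log into running processes and rejoined findings."""
    processes, entries = [], []
    in_processes, current = False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_START.match(line)
        if match:
            in_processes = False
            current = [match.group(1), match.group(2)]
            entries.append(current)
        elif not line:
            in_processes, current = False, None   # blank line ends a block
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)                # process paths: one per line
        elif current is not None:
            current[1] = join_wrapped(current[1], line)
    return {"processes": processes, "entries": [tuple(e) for e in entries]}


def registry_autoruns(entries):
    """Return key, value name and command for each O4 registry autorun."""
    found = []
    for code, text in entries:
        match = O4_REGISTRY.match(text) if code == "O4" else None
        if match:
            key, name, command = match.groups()
            found.append({"key": key, "name": name, "command": command})
    return found


def verify_removed(before_log, after_log, targets):
    """Map each target substring to 'removed', 'still present' or 'not in first log'."""
    def haystack(log_text):
        parsed = parse_log(log_text)
        lines = parsed["processes"] + [text for _, text in parsed["entries"]]
        return [item.lower() for item in lines]

    before, after = haystack(before_log), haystack(after_log)
    report = {}
    for target in targets:
        needle = target.lower()   # plain substring match, case-insensitive
        if not any(needle in item for item in before):
            report[target] = "not in first log"
        elif any(needle in item for item in after):
            report[target] = "still present"
        else:
            report[target] = "removed"
    return report


if __name__ == "__main__":
    wanted = ["jimbutt", "ias.exe", "ibz.exe", "winsys32.exe"]
    for name, status in verify_removed(BEFORE_LOG, AFTER_LOG, wanted).items():
        print(f"{name}: {status}")
```

An item reported as "not in first log" may simply be registered somewhere HijackThis did not list, as with ias.exe and ibz.exe in this thread, which showed up as findings only in the Silent Runners output.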
