Please check my HijackThis log

05.06.05, 09:40
Logfile of HijackThis v1.99.1
Scan saved at 09:37:10, on 2005-06-05
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\jrupsvc.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\Drivers\svchost.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\godqdll.exe
C:\WINDOWS\godqenc.EXE
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\newdial1.exe
C:\WINDOWS\System32\newdial1.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\newdial1.exe
C:\WINDOWS\System32\newdial1.exe
D:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: SpywareGuard Download Protection -
{4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program
Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -
C:\WINDOWS\System32\nsy3C.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [Generic Host Process for Win32 Services]
C:\WINDOWS\System32\Drivers\svchost.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [godqdll] C:\WINDOWS\godqdll.exe
O4 - HKLM\..\Run: [godqenc] C:\WINDOWS\godqenc.EXE
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Microsoft AntiSpyware helper -
{C2610784-E278-4B49-B6F5-9080E8048FD8} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
{C2610784-E278-4B49-B6F5-9080E8048FD8} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper -
{C2610784-E278-4B49-B6F5-9080E8048FD8} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
{C2610784-E278-4B49-B6F5-9080E8048FD8} - C:\WINDOWS\System32\wldr.dll (HKCU)
O15 - Trusted Zone: *.bestcounter.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 195.95.218.170
O17 -
HKLM\System\CCS\Services\Tcpip\..\{593EF498-A1C8-46E9-A6B8-372CF1B4CEFD}:
NameServer = 194.204.152.34,194.204.159.1
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH -
C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany -
C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\jrupsvc.exe

    • Guest: Kolobos Re: Please check my HijackThis log IP: *.warszawa.sdi.tpnet.pl 05.06.05, 11:05
      Download:
      users.pandora.be/bluepatchy/nailfix.zip
      www.downloads.subratam.org/KillBox.zip
      Start Windows in safe mode, run nailfix, and in HijackThis
      check these entries:

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      195.95.218.172/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      195.95.218.172/index.php
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      195.95.218.172/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
      195.95.218.172/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      195.95.218.172/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      195.95.218.172/index.php
      F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
      O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -
      C:\WINDOWS\System32\nsy3C.dll
      O4 - HKLM\..\Run: [Generic Host Process for Win32 Services]
      C:\WINDOWS\System32\Drivers\svchost.exe
      O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      O4 - HKLM\..\Run: [godqdll] C:\WINDOWS\godqdll.exe
      O4 - HKLM\..\Run: [godqenc] C:\WINDOWS\godqenc.EXE
      O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
      O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
      O9 - Extra button: Microsoft AntiSpyware helper -
      {C2610784-E278-4B49-B6F5-9080E8048FD8} - C:\WINDOWS\System32\wldr.dll
      O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
      {C2610784-E278-4B49-B6F5-9080E8048FD8} - C:\WINDOWS\System32\wldr.dll
      O9 - Extra button: Microsoft AntiSpyware helper -
      {C2610784-E278-4B49-B6F5-9080E8048FD8} - C:\WINDOWS\System32\wldr.dll (HKCU)
      O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
      {C2610784-E278-4B49-B6F5-9080E8048FD8} - C:\WINDOWS\System32\wldr.dll (HKCU)
      O15 - Trusted Zone: *.bestcounter.biz
      O15 - Trusted Zone: *.skoobidoo.com
      O15 - Trusted Zone: *.slotchbar.com
      O15 - Trusted Zone: *.windupdates.com
      O15 - Trusted Zone: *.skoobidoo.com (HKLM)
      O15 - Trusted Zone: *.slotchbar.com (HKLM)
      O15 - Trusted Zone: *.windupdates.com (HKLM)
      O15 - Trusted IP range: 195.95.218.170
      O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\jrupsvc.exe

      Then click Fix Checked. Next, run KillBox, select Delete file on reboot, paste
      the path to the file (do not browse for it yourself, just paste the ready-made path)
      and press the red button, but when asked about rebooting answer no. Do this for these files:

      C:\WINDOWS\jrupsvc.exe
      C:\WINDOWS\System32\wldr.dll
      C:\WINDOWS\System32\win32.exe
      C:\WINDOWS\Nail.exe
      C:\WINDOWS\System32\Drivers\svchost.exe
      C:\WINDOWS\System32\paytime.exe
      C:\WINDOWS\godqdll.exe
      C:\WINDOWS\godqenc.EXE
      C:\WINDOWS\System32\newdial1.exe
      C:\WINDOWS\msmsgr2.exe
      C:\WINDOWS\System32\nsy3C.dll

      After the reboot, download this and scan with it:
      download.microsoft.com/download/8/1/5/815d2d60-49b5-44dc-ae35-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe

      Close the ports with this:
      www.firewallleaktester.com/tools/wwdc.exe
      + scan with these:
      housecall.trendmicro.com/housecall/start_corp.asp
      www.windowsecurity.com/trojanscan/
      www.pandasoftware.com/activescan/pol/activescan_principal.htm
      Also install the updates if you can, though you probably can't...
      www.windowsupdate.com
      When you are done, paste a new HijackThis log.

      • Guest: paw8 Re: Please check my HijackThis log IP: *.internetdsl.tpnet.pl 05.06.05, 22:00
        Logfile of HijackThis v1.99.1
        Scan saved at 21:58:31, on 2005-06-05
        Platform: Windows XP (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\AVPersonal\AVGUARD.EXE
        C:\Program Files\AVPersonal\AVWUPSRV.EXE
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\AVPersonal\AVGNT.EXE
        C:\Program Files\SpywareGuard\sgmain.exe
        C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
        C:\Program Files\SpywareGuard\sgbhp.exe
        C:\WINDOWS\System32\svchost.exe
        D:\Hijackthis\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        www.gazeta.pl/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
        www.gazeta.pl/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} -
        C:\WINDOWS\System32\vbrundll.dll
        O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-
        0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1
        \SPYBOT~1\SDHelper.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
        C:\WINDOWS\System32\msdxm.ocx
        O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
        O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
        O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
        AntiSpyware\gcasServ.exe"
        O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
        v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117980974338
        O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
        a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
        www.pandasoftware.com/activescan/as5/asinst.cab
        O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) -
        www.windowsecurity.com/trojanscan/axscan.cab
        O17 - HKLM\System\CCS\Services\Tcpip\..\{593EF498-A1C8-46E9-A6B8-372CF1B4CEFD}:
        NameServer = 194.204.152.34,194.204.159.1
        O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH -
        C:\Program Files\AVPersonal\AVGUARD.EXE
        O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany -
        C:\Program Files\AVPersonal\AVWUPSRV.EXE

        I am in the middle of installing the Windows updates. Regards and thanks.
        • Guest: Kolobos Re: Please check my HijackThis log IP: *.icm.edu.pl / *.icm.edu.pl 05.06.05, 22:42
          What is this:
          O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} -
          C:\WINDOWS\System32\vbrundll.dll
          O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe

          Has something new already installed itself on your machine?

          Close the ports with this:
          www.firewallleaktester.com/tools/wwdc.exe
          Remove those two entries in HijackThis and delete the files with KillBox.
          • Guest: paw8 Re: Please check my HijackThis log IP: *.internetdsl.tpnet.pl 06.06.05, 10:16
            Logfile of HijackThis v1.99.1
            Scan saved at 10:14:46, on 2005-06-06
            Platform: Windows XP (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\Explorer.EXE
            C:\Program Files\AVPersonal\AVGUARD.EXE
            C:\Program Files\AVPersonal\AVWUPSRV.EXE
            C:\Program Files\AVPersonal\AVGNT.EXE
            C:\Program Files\SpywareGuard\sgmain.exe
            C:\WINDOWS\System32\wuauclt.exe
            C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
            C:\Program Files\SpywareGuard\sgbhp.exe
            C:\WINDOWS\System32\wuauclt.exe
            D:\Hijackthis\HijackThis.exe

            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
            www.gazeta.pl/
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
            www.gazeta.pl/
            R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
            O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-
            0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
            O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1
            \SPYBOT~1\SDHelper.dll
            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
            C:\WINDOWS\System32\msdxm.ocx
            O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
            O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
            AntiSpyware\gcasServ.exe"
            O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
            O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
            v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117980974338
            O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
            a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
            O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
            www.pandasoftware.com/activescan/as5/asinst.cab
            O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) -
            www.windowsecurity.com/trojanscan/axscan.cab
            O17 - HKLM\System\CCS\Services\Tcpip\..\{593EF498-A1C8-46E9-A6B8-372CF1B4CEFD}:
            NameServer = 194.204.152.34,194.204.159.1
            O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH -
            C:\Program Files\AVPersonal\AVGUARD.EXE
            O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany -
            C:\Program Files\AVPersonal\AVWUPSRV.EXE

            • Guest: Kolobos Re: Please check my HijackThis log IP: *.warszawa.sdi.tpnet.pl 06.06.05, 10:29
              It's OK now, I wonder for how long ;-)
              • Guest: barracuda7110 Re: Please check my HijackThis log IP: *.dsl.telepac.pt 06.06.05, 13:23
                If the guy doesn't patch the system, then probably not for long...
                • Guest: paw8 Re: Please check my HijackThis log IP: *.internetdsl.tpnet.pl 07.06.05, 08:28
                  I think I have patched it now: I installed SP2 and all the updates. Is anything more
                  needed? Regards
                  • Guest: Kolobos Re: Please check my HijackThis log IP: *.warszawa.sdi.tpnet.pl 07.06.05, 12:20
                    No, you already have/have done everything that is needed :-)