Please check my HijackThis log

06.03.06, 18:26
Logfile of HijackThis v1.99.1
Scan saved at 10:23:17 AM, on 06/03/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\nvidGUIv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\OpenOffice.org1.1.1\program\soffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.yahoo.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-
00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo
Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-
Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Printer Spooler] C:\WINNT\system32\4.tmp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Startup: OpenOffice.org 1.1.1.lnk = C:\Program Files\OpenOffice.org1.1.1
\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -
VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) -
Unknown owner - C:\WINNT\system32\dfrgfat32.exe (file missing)
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown
owner - C:\WINNT\system32\Rpcmon.exe (file missing)

Thanks!!!
Ilona
    • kolobos Re: Please check my HijackThis log 06.03.06, 18:34
      Where are your updates!?
      Internet Explorer v5.00 SP4 (5.00.2920.0000) heh...
      IE 6 is out now! So go to www.windowsupdate.com and install the latest
      version.

      In HijackThis, remove:
      O4 - HKLM\..\Run: [Printer Spooler] C:\WINNT\system32\4.tmp <- delete the file
      O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
      C:\WINNT\web\related.htm
      O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
      00aa003c157a} - C:\WINNT\web\related.htm

      Services to delete:
      O23 - Service: Defragmentation Management Handler (FAT Defragmentation) -
      Unknown owner - C:\WINNT\system32\dfrgfat32.exe (file missing)
      O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe <-
      after deleting the service, delete the file.
      O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown
      owner - C:\WINNT\system32\Rpcmon.exe (file missing)

      Start->Run and type there:
      sc stop Rpcmon
      sc stop nvidGUIv2
      sc stop "FAT Defragmentation"
      sc delete nvidGUIv2
      sc delete Rpcmon
      sc delete "FAT Defragmentation"

      Also run a scan with these:
      linorg.ciagri.usp.br/ftp/pub/windows/anti-spyware/ssfsetup1_0.exe
      download.ewido.net/ewido-setup.exe
      Before scanning, update the definitions; after scanning, uninstall both
      programs.
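
The triage kolobos applies to the first log, as an added Python example that is not part of the original thread: it rejoins the hard-wrapped HijackThis entries and flags the same kinds of lines (a Run target ending in .tmp, an "Unknown owner" service whose file is missing or sits directly in C:\WINNT). The function names and heuristics are assumptions made for this example; the sample entries are copied from the log above.

```python
import re

# Sample entries copied from the first log in this thread, still hard-wrapped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-
Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Printer Spooler] C:\WINNT\system32\4.tmp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -
VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) -
Unknown owner - C:\WINNT\system32\dfrgfat32.exe (file missing)
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe
"""

ENTRY_START = re.compile(r"^(?:R\d|O\d{1,2}) - ")
WINDOWS_ROOT_EXE = re.compile(r"^C:\\WINNT\\[^\\]+\.exe$", re.I)

def unwrap(text):
    """Rejoin entries that were hard-wrapped across several lines."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
            continue
        prev = entries[-1]
        # "Hewlett-" + "Packard" was split inside a token: join without a space.
        mid_token = prev.endswith("-") and not prev.endswith(" -")
        entries[-1] = prev + ("" if mid_token or line.startswith("\\") else " ") + line
    return entries

def triage(entries):
    """Return (reason, entry) pairs for manual review; heuristics, not verdicts."""
    findings = []
    for entry in entries:
        if entry.startswith("O4 - ") and re.search(r"\.tmp$", entry, re.I):
            findings.append(("autorun target is a .tmp file", entry))
        elif entry.startswith("O23 - ") and " - Unknown owner - " in entry:
            path = entry.split(" - Unknown owner - ", 1)[1]
            if path.endswith("(file missing)"):
                # The avast! entries carry a stray quote before "/service" and are
                # reported missing although the same files are listed as running:
                # treat that pattern as a path-parsing artifact, not a finding.
                if '" /' not in path:
                    findings.append(("service binary is missing", entry))
            elif WINDOWS_ROOT_EXE.match(path):
                findings.append(("service binary sits directly in C:\\WINNT", entry))
    return findings

if __name__ == "__main__":
    for reason, entry in triage(unwrap(SAMPLE_LOG)):
        print(f"{reason}: {entry}")
```
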
      • ilona1201 Re: Please check my HijackThis log 07.03.06, 19:24
        How do I remove the services (the ones to delete)?
        I type it in Start->Run, but it can't find the file "sc".
        • neder Re: Please check my HijackThis log 07.03.06, 19:31
          you type the whole lines that kolobos gave, one after another, not just sc, i.e. 'sc
          stop something_else'
          regards
          • ilona1201 Re: Please check my HijackThis log 07.03.06, 19:53
            I have Windows in English.
            I type the whole lines (I go to Start->Run) and this pops up: "Cannot find file 'sc'
            (or one of its components). Make sure the path and filename are correct and
            that all required libraries are available."
            And what about those services, where do I remove them? What should I open?
    • Guest: niki pe Re: Please check my HijackThis log IP: *.nat.kon.tvknet.pl 07.03.06, 19:42
      :)
      • Guest: tata1959 Re: Please check my HijackThis log IP: *.neoplus.adsl.tpnet.pl 07.03.06, 22:21
        hello
        Start>>>Run>>>cmd and type the commands:
        sc stop Rpcmon
        sc stop nvidGUIv2
        sc stop "FAT Defragmentation"
        sc delete nvidGUIv2
        sc delete Rpcmon
        sc delete "FAT Defragmentation"

        regards

        .
        • ilona1201 Re: Please check my HijackThis log 08.03.06, 21:51
          What about those services, where do I remove them? What should I open?
          I type these commands in Start >> Run, but a message pops up saying it can't
          find 'sc'.
          Please help, how do I remove these trojans (Win 32 Trojano - 2365 and 3410).
          Thanks in advance!


          • kolobos Re: Please check my HijackThis log 08.03.06, 22:06
            I didn't notice that you have W2K, which doesn't have sc ;-)
            So in Run, open services.msc and disable the services I listed there: go into
            Properties and change them to Disabled, and then in hijackthis -> delete nt
            service enter the names I gave.
            Just don't make a mistake when disabling :P
            Which files are those trojans in?
            • ilona1201 Re: Please check my HijackThis log 08.03.06, 22:58
              Thanks a lot! I disabled and then deleted those services. But I still have
              a problem with the trojans!

              C:\WINNT\system32\remon.sys
              Win32:Trojano-2365 [Trj]
              0610-1, 08/03/2006

              I'm pasting a new log:

              Logfile of HijackThis v1.99.1
              Scan saved at 2:53:59 PM, on 08/03/2006
              Platform: Windows 2000 SP4 (WinNT 5.00.2195)
              MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

              Running processes:
              C:\WINNT\System32\smss.exe
              C:\WINNT\system32\winlogon.exe
              C:\WINNT\system32\services.exe
              C:\WINNT\system32\lsass.exe
              C:\WINNT\system32\svchost.exe
              C:\WINNT\system32\spoolsv.exe
              C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
              C:\Program Files\Alwil Software\Avast4\ashServ.exe
              C:\WINNT\System32\svchost.exe
              C:\WINNT\system32\MSTask.exe
              C:\WINNT\win32ssr.exe
              C:\WINNT\System32\WBEM\WinMgmt.exe
              C:\WINNT\system32\svchost.exe
              C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
              C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
              C:\WINNT\Explorer.EXE
              C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
              C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
              C:\WINNT\system32\internat.exe
              C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
              C:\Program Files\OpenOffice.org1.1.1\program\soffice.exe
              C:\Program Files\Internet Explorer\iexplore.exe
              C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
              C:\WINNT\system32\mmc.exe
              C:\Program Files\Internet Explorer\IEXPLORE.EXE
              C:\Documents and Settings\Administrator\Desktop\hijackthis\hijackthis.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
              www.yahoo.com/
              O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
              C:\WINNT\system32\msdxm.ocx
              O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
              O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo
              Imaging\Hpi_Monitor.exe"
              O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-
              Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
              O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
              O4 - HKCU\..\Run: [Internat.exe] internat.exe
              O4 - Startup: OpenOffice.org 1.1.1.lnk = C:\Program Files\OpenOffice.org1.1.1
              \program\quickstart.exe
              O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
              Office\Office\OSA9.EXE
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
              C:\WINNT\System32\msjava.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
              00401C608501} - C:\WINNT\System32\msjava.dll
              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
              update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141667664255
              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
              update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141667645017
              O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
              O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
              C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
              O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
              Software\Avast4\ashServ.exe
              O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
              Software\Avast4\ashMaiSv.exe" /service (file missing)
              O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
              Software\Avast4\ashWebSv.exe" /service (file missing)
              O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS
              Software Corp. - C:\WINNT\System32\dmadmin.exe
              O23 - Service: Win32Sr - Unknown owner - C:\WINNT\win32ssr.exe

              What next? I've been fighting these viruses for several days now :-(
              • kolobos Re: Please check my HijackThis log 08.03.06, 23:33
                Thanks a lot! I disabled and then deleted those services. But I still have
                a problem with the trojans!

                Removal instructions for:
                C:\WINNT\system32\remon.sys
                are here:
                www.searchengines.pl/phpbb203/index.php?showtopic=6745&st=0&p=217687&#entry217687
                If you have trouble with the file, use killbox with the delete on reboot option.

                Remove:
                O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
                O23 - Service: Win32Sr - Unknown owner - C:\WINNT\win32ssr.exe <- another
                service to delete, and the file is to be removed.
                The service name is Win32sr


                Did you close the ports in wwdc? If not, do it.
                • ilona1201 Re: Please check my HijackThis log 09.03.06, 20:33
                  I removed 020 - Winlogon and 023 - Service:Win32

                  I don't have the Windows installation disc and I won't be removing
                  C:\WINNT\system32\remon.sys today


                  And how do I remove this?

                  C:\Documents and Settings\Default User\Local Settings\Temporary Internet
                  Files\Content.IE5\CVE3MH6P\tds[1].exe
                  Win32:Trojano-3410 [Trj]

                  C:\U.exe
                  Win32:Trojano-3410 [Trj]

                  A window keeps popping up asking me to install "Macromedia Flash Player 8". What
                  should I do about it?

                  Once again, thank you very much for the help.
                  • Guest: k Re: Please check my HijackThis log IP: *.warszawa.sdi.tpnet.pl 09.03.06, 21:12
                    Delete all these files using killbox (download it via Google): you paste
                    the file path into it, e.g. C:\U.exe, tick delete on reboot, and do the
                    same with the remaining files.

                    Maybe install the Macromedia player, since it keeps popping up.
                    • ilona1201 Re: Please check my HijackThis log 10.03.06, 20:43
                      Thanks for the help. I think it's OK now. But to be sure, I'm pasting a new log.
                      Please check it.
                      Regards!

                      Logfile of HijackThis v1.99.1
                      Scan saved at 12:41:52 PM, on 10/03/2006
                      Platform: Windows 2000 SP4 (WinNT 5.00.2195)
                      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                      Running processes:
                      C:\WINNT\System32\smss.exe
                      C:\WINNT\system32\winlogon.exe
                      C:\WINNT\system32\services.exe
                      C:\WINNT\system32\lsass.exe
                      C:\WINNT\system32\svchost.exe
                      C:\WINNT\system32\spoolsv.exe
                      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                      C:\Program Files\Alwil Software\Avast4\ashServ.exe
                      C:\WINNT\System32\svchost.exe
                      C:\WINNT\system32\MSTask.exe
                      C:\WINNT\System32\WBEM\WinMgmt.exe
                      C:\WINNT\system32\svchost.exe
                      C:\WINNT\Explorer.EXE
                      C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                      C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                      C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
                      C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                      C:\WINNT\system32\internat.exe
                      C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
                      C:\Program Files\OpenOffice.org1.1.1\program\soffice.exe
                      C:\Program Files\ewido anti-malware\ewidoctrl.exe
                      C:\Program Files\Skype\Phone\Skype.exe
                      C:\Documents and Settings\Administrator\Desktop\hijackthis\hijackthis.exe

                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                      www.yahoo.com/
                      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
                      C:\WINNT\system32\msdxm.ocx
                      O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
                      O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo
                      Imaging\Hpi_Monitor.exe"
                      O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-
                      Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
                      O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                      O4 - HKCU\..\Run: [Internat.exe] internat.exe
                      O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
                      O4 - Startup: OpenOffice.org 1.1.1.lnk = C:\Program Files\OpenOffice.org1.1.1
                      \program\quickstart.exe
                      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
                      Office\Office\OSA9.EXE
                      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
                      C:\WINNT\System32\msjava.dll
                      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
                      00401C608501} - C:\WINNT\System32\msjava.dll
                      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
                      update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141667664255
                      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
                      update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141667645017
                      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
                      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                      O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
                      Software\Avast4\ashServ.exe
                      O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
                      Software\Avast4\ashMaiSv.exe" /service (file missing)
                      O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
                      Software\Avast4\ashWebSv.exe" /service (file missing)
                      O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS
                      Software Corp. - C:\WINNT\System32\dmadmin.exe

                      • Guest: k Re: Please check my HijackThis log IP: *.warszawa.sdi.tpnet.pl 10.03.06, 21:41
                        Looks OK.
                        • ilona1201 Re: Please check my HijackThis log 10.03.06, 21:50
                          Great! Thanks!