
PLEASE help with a log

IP: *.internetdsl.tpnet.pl 10.11.06, 16:26
Logfile of HijackThis v1.99.1
Scan saved at 16:22:59, on 2006-11-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\ATI Tray Tools\atitray.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\REALTEK Semiconductor Corp\REALTEK RTL8180 Wireless LAN
Driver and Utility\RtlWake.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Gadu-Gadu\gg.exe
E:\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dom\Pulpit\hijackthis\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
D:\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [AtiTrayTools] "D:\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [traytwo] C:\DOCUME~1\Dom\DANEAP~1\VCGRAM~1\16 once rdr.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://D:\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
D:\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
a1540.g.akamai.net/7/1540/52/20060912/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
kaspersky.com.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) -
mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155811575642
O16 - DPF: {A6916797-7ABD-4F07-93AE-098B6F543129} (CO2Player Class) -
www.lemontv.pl/lmctrlp.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{EE4DF6F1-775F-4D7E-85AB-0805129DFAF1}:
NameServer = 194.204.159.1,194.204.152.34
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    • Guest: Kolobos Re: PLEASE help with a log IP: *.escom.net.pl 10.11.06, 18:06
      Scan with ewido.

      Download and run:
      metallica.geekstogo.com/findlop.zip
      A file named findlop.txt will be generated; paste its contents on the forum.

      In hjt remove:
      O4 - HKCU\..\Run: [traytwo] C:\DOCUME~1\Dom\DANEAP~1\VCGRAM~1\16 once rdr.exe
      • Guest: popo Re: PLEASE help with a log IP: *.internetdsl.tpnet.pl 10.11.06, 18:11
        [TRACE] Enumerating jobs and queues
        [TRACE] Activating job 'A9CF8C419184034D.job'
        [TRACE] Printing all job properties

        ApplicationName: 'c:\docume~1\dom\daneap~1\vcgram~1\OPTION BOWS DEFAULT.exe'
        Parameters: ''
        WorkingDirectory: ''
        Comment: ''
        Creator: 'Dom'
        Priority: NORMAL
        MaxRunTime: 259200000 (3d 0:00:00)
        IdleWait: 10
        IdleDeadline: 60
        MostRecentRun: 11/10/2006 18:00:00
        NextRun: 11/10/2006 19:00:00
        StartError: S_OK
        ExitCode: 0
        Status: SCHED_S_TASK_READY
        ScheduledWorkItem Flags:
        DeleteWhenDone = 0
        Suspend = 0
        StartOnlyIfIdle = 0
        KillOnIdleEnd = 0
        RestartOnIdleResume = 0
        DontStartIfOnBatteries = 0
        KillIfGoingOnBatteries = 0
        RunOnlyIfLoggedOn = 1
        SystemRequired = 0
        Hidden = 1
        TaskFlags: 0

        1 Trigger

        Trigger 0:
        Type: Daily
        DaysInterval: 1
        StartDate: 06/09/1997
        EndDate: 00/00/0000
        StartTime: 00:00
        MinutesDuration: 1440
        MinutesInterval: 60
        Flags:
        HasEndDate = 0
        KillAtDuration = 0
        Disabled = 0


        • kolobos Re: PLEASE help with a log 10.11.06, 18:31
          Why did you create two identical threads?!
          Delete the file A9CF8C419184034D.job from the C:\WINDOWS\Tasks directory, and the \vcgram~1\ directory in c:\docume~1\dom\daneap~1.

          In future, learn how to use the forum!
          • Guest: popo Re: PLEASE help with a log IP: *.internetdsl.tpnet.pl 10.11.06, 20:19
            Where is this file A9CF8C419184034D.job? I don't see it in the log, and it's not
            on the computer either
            • kolobos Re: PLEASE help with a log 10.11.06, 23:58
              Open Notepad and paste into it:
              @echo off
              jt /sd A9CF8C419184034D.job

              Then save it as kill.bat in the directory where you have findlop and run that file; when done, paste the new findlop scan result + the hjt log.
              • Guest: popo Re: PLEASE help with a log IP: *.internetdsl.tpnet.pl 11.11.06, 07:51
                After this change findlop doesn't want to show up and I see the text [TRACE]
                Enumerating jobs and queues. And the hjt log looks like this:

                Logfile of HijackThis v1.99.1
                Scan saved at 07:49:56, on 2006-11-11
                Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
                MSIE: Internet Explorer v7.00 (7.00.5450.0004)

                Running processes:
                C:\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\winlogon.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\Ati2evxx.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\Explorer.EXE
                C:\WINDOWS\system32\spoolsv.exe
                D:\ewido anti-spyware 4.0\guard.exe
                D:\ATI Tray Tools\atitray.exe
                C:\WINDOWS\system32\ctfmon.exe
                C:\Program Files\REALTEK Semiconductor Corp\REALTEK RTL8180 Wireless LAN Driver
                and Utility\RtlWake.exe
                D:\ewido anti-spyware 4.0\ewido.exe
                D:\Gadu-Gadu\gg.exe
                C:\Program Files\Mozilla Firefox\firefox.exe
                C:\Documents and Settings\Dom\Pulpit\hijackthis\hijackthis.exe

                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
                go.microsoft.com/fwlink/?LinkId=54729
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
                go.microsoft.com/fwlink/?LinkId=54896
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
                go.microsoft.com/fwlink/?LinkId=54896
                R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
                go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
                R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
                D:\Acrobat\ActiveX\AcroIEHelper.dll
                O4 - HKCU\..\Run: [AtiTrayTools] "D:\ATI Tray Tools\atitray.exe"
                O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                O4 - HKCU\..\Run: [traytwo] C:\DOCUME~1\Dom\DANEAP~1\VCGRAM~1\16 once rdr.exe
                O4 - Global Startup: RtlWake.lnk = ?
                O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
                res://D:\Office\OFFICE11\EXCEL.EXE/3000
                O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
                D:\Office\OFFICE11\REFIEBAR.DLL
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
                C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra 'Tools' menuitem: Windows Messenger -
                {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O11 - Options group: [INTERNATIONAL] International*
                O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
                a1540.g.akamai.net/7/1540/52/20060912/qtinstall.info.apple.com/qtactivex/qtplugin.cab
                O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
                kaspersky.com.pl/resources/virusscanner/kavwebscan_unicode.cab
                O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) -
                mks.com.pl/skaner/SkanerOnline.cab
                O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
                update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155811575642
                O16 - DPF: {A6916797-7ABD-4F07-93AE-098B6F543129} (CO2Player Class) -
                www.lemontv.pl/lmctrlp.cab
                O17 - HKLM\System\CCS\Services\Tcpip\..\{EE4DF6F1-775F-4D7E-85AB-0805129DFAF1}:
                NameServer = 194.204.159.1,194.204.152.34
                O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
                C:\WINDOWS\system32\Ati2evxx.exe
                O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. -
                D:\ewido anti-spyware 4.0\guard.exe


                And I still sometimes get windows popping up with Internet Explorer and ads
                • Guest: Kolobos Re: PLEASE help with a log IP: *.escom.net.pl 11.11.06, 11:51
                  In hjt you were supposed to remove:
                  O4 - HKCU\..\Run: [traytwo] C:\DOCUME~1\Dom\DANEAP~1\VCGRAM~1\16 once rdr.exe
                  Together with the VCGRAM~1 directory

                  + of course the given .job file, using the bat file you were supposed to create.

                  > And I still sometimes get windows popping up with Internet Explorer and ads

                  No wonder, since you didn't do what I wrote!

                  After removing it in hjt etc., try making a new findlop log.
                  • Guest: popo Re: PLEASE help with a log IP: *.internetdsl.tpnet.pl 11.11.06, 18:55
                    Is the log OK now?


                    Logfile of HijackThis v1.99.1
                    Scan saved at 18:52:24, on 2006-11-11
                    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
                    MSIE: Internet Explorer v7.00 (7.00.5450.0004)

                    Running processes:
                    C:\WINDOWS\System32\smss.exe
                    C:\WINDOWS\system32\winlogon.exe
                    C:\WINDOWS\system32\services.exe
                    C:\WINDOWS\system32\lsass.exe
                    C:\WINDOWS\system32\Ati2evxx.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\system32\Ati2evxx.exe
                    C:\WINDOWS\Explorer.EXE
                    C:\WINDOWS\system32\spoolsv.exe
                    D:\ewido anti-spyware 4.0\guard.exe
                    D:\ATI Tray Tools\atitray.exe
                    C:\WINDOWS\system32\ctfmon.exe
                    C:\Program Files\REALTEK Semiconductor Corp\REALTEK RTL8180 Wireless LAN Driver
                    and Utility\RtlWake.exe
                    E:\Steam\Steam.exe
                    C:\Documents and Settings\Dom\Pulpit\hijackthis\hijackthis.exe

                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
                    go.microsoft.com/fwlink/?LinkId=54729
                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
                    go.microsoft.com/fwlink/?LinkId=54896
                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
                    go.microsoft.com/fwlink/?LinkId=54896
                    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
                    go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
                    D:\Acrobat\ActiveX\AcroIEHelper.dll
                    O4 - HKCU\..\Run: [AtiTrayTools] "D:\ATI Tray Tools\atitray.exe"
                    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                    O4 - Global Startup: RtlWake.lnk = ?
                    O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
                    res://D:\Office\OFFICE11\EXCEL.EXE/3000
                    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
                    D:\Office\OFFICE11\REFIEBAR.DLL
                    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
                    C:\Program Files\Messenger\msmsgs.exe
                    O9 - Extra 'Tools' menuitem: Windows Messenger -
                    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                    O11 - Options group: [INTERNATIONAL] International*
                    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
                    a1540.g.akamai.net/7/1540/52/20060912/qtinstall.info.apple.com/qtactivex/qtplugin.cab
                    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
                    kaspersky.com.pl/resources/virusscanner/kavwebscan_unicode.cab
                    O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) -
                    mks.com.pl/skaner/SkanerOnline.cab
                    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
                    update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155811575642
                    O16 - DPF: {A6916797-7ABD-4F07-93AE-098B6F543129} (CO2Player Class) -
                    www.lemontv.pl/lmctrlp.cab
                    O17 - HKLM\System\CCS\Services\Tcpip\..\{EE4DF6F1-775F-4D7E-85AB-0805129DFAF1}:
                    NameServer = 194.204.159.1,194.204.152.34
                    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
                    C:\WINDOWS\system32\Ati2evxx.exe
                    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. -
                    D:\ewido anti-spyware 4.0\guard.exe
                    • Guest: Kolobos Re: PLEASE help with a log IP: *.escom.net.pl 11.11.06, 20:22
                      If findlop doesn't show the .job file in its log, then yes.
                      The hjt log is OK.

