Removing Owntibia
You tried to secure your computer, you protected your password and important data well, but one moment of carelessness and an undetectable keylogger ended up on your machine... This scenario can happen to anyone, so I will try to describe how to clean your machine of this filth.
1. Detection
If we suspect that our computer has been infected with Owntibia, we download the diagnostic tool HijackThis (stable version 1.99.1) from:
www.merijn.org/files/hijackthis.zip (mirror: www.server.9x.pl/prv/hijackthis.zip)
Then we run hijackthis.exe and choose the option "Do a system scan and save a logfile".
Then we look through the log and search for the entries:
C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [orcToByloLatwe] C:\WINDOWS\services.exe
or
O4 - HKLM\..\Run: [auto] C:\WINDOWS\services.exe
Owntibia VIP can create a file with an arbitrary name in the C:\Windows directory; in that case you need to check which files should be in that directory, and if some file is named similarly to another one but is not a system file, it is certainly not a safe file.
Note! The C:\windows\system32 directory contains the file servicess.exe, but that is an important system file and must not be deleted.
2. Removal
If we detect Owntibia on our computer, we start Windows in Safe Mode (F8 key at system startup) and run HijackThis again, this time ticking the Owntibia entries and clicking "Fix checked". Now we go to the C:\WINDOWS\ directory and delete the file services.exe using KillBox: http://www.idg.pl/ftp/pc_8881/Pocket.KillBox.2.0.0.473.html
Now we restart the computer and create a control log to make sure Owntibia has been neutralised.
3. Securing for the future
We find the hosts file in C:\WINDOWS\system32\drivers\etc and open it with a text editor.
And we add to it:
127.0.0.1 owntibia.com
127.0.0.1 vip.owntibia.com
127.0.0.1 87.98.239.19
127.0.0.1 wizzard.home.pl
This blocks the possibility of connecting to the site where the logs are sent ;)
*For the links to work properly, remove the space before the extension, e.g. exe, html.
Working links:
HijackThis - http://www.instalki.pl/programy/download/antyspyware/HijackThis.php
KillBox - http://www.instalki.pl/programy/download/narzedzia_dyskowe/Pocket_KillBox.php
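As an added example (not part of the original guide or of any post in this thread), here is a small Python script that does step 3 mechanically: it parses a hosts file, appends only the blocking entries that are not already present (several replies note that the deleter had already written them), and checks whether a given name now resolves to 127.0.0.1. The BLOCK_ENTRIES list is taken from the guide (including the wizzard.home.pl line added in the later update); the sample hosts content is constructed, and the function names are my own.

```python
"""Idempotently add blocking entries to a hosts file.

Added example, not code from the original guide. It reproduces step 3 of
the guide (pointing the log-collection hostnames at 127.0.0.1) while
skipping entries that are already present. The sample hosts content below
is constructed for the demo.
"""
from typing import Iterable, Set, Tuple

# Entries from the guide's step 3 plus the wizzard.home.pl update.
BLOCK_ENTRIES = [
    ("127.0.0.1", "owntibia.com"),
    ("127.0.0.1", "vip.owntibia.com"),
    ("127.0.0.1", "87.98.239.19"),
    ("127.0.0.1", "wizzard.home.pl"),
]


def parse_hosts(text: str) -> Set[Tuple[str, str]]:
    """Return the set of (address, name) mappings in a hosts file.

    Comments (everything after '#') and blank lines are ignored; one address
    may be followed by several names on the same line.
    """
    mappings = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            mappings.add((addr, name.lower()))
    return mappings


def merge_hosts(text: str, entries: Iterable[Tuple[str, str]]) -> str:
    """Append each (addr, name) from `entries` that is not already mapped.

    Existing lines (including comments) are left untouched, so running this
    twice produces the same file.
    """
    present = parse_hosts(text)
    additions = [f"{addr} {name}" for addr, name in entries
                 if (addr, name.lower()) not in present]
    if not additions:
        return text
    body = text if text == "" or text.endswith("\n") else text + "\n"
    return body + "\n".join(additions) + "\n"


def is_blocked(text: str, name: str) -> bool:
    """True if `name` is mapped to a loopback address by the hosts file."""
    return any(addr in ("127.0.0.1", "::1") and n == name.lower()
               for addr, n in parse_hosts(text))


# Constructed sample: a default XP hosts file where a deleter tool already
# added one of the entries.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1 owntibia.com   # added earlier by a deleter tool\n"
)

if __name__ == "__main__":
    # On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts
    # (the path the guide names) and needs an elevated editor to write.
    print(merge_hosts(SAMPLE_HOSTS, BLOCK_ENTRIES))
```

One caveat the hosts-file approach cannot cover: the line `127.0.0.1 87.98.239.19` only ever matches a lookup of the literal string `87.98.239.19` as a host name. A program that connects straight to that IP address never consults the hosts file, so blocking an address (as opposed to a name) is a job for a firewall rule.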
Wonderful, :D GZ
More people like this
@edit first :D
The guide is nicely written and it should probably be moved :)
Sorry for the typo in the thread title ;)
But please comment, because I don't know whether I wrote it well etc ;)
owntibia.exe
27-05-2007, 20:25
To sum up, to remove this crap HijackThis is enough, no deleter needed =)
Milu Arhangel
27-05-2007, 21:26
Nice guide, I think it will help many people on this forum. Strangely, when I opened the "hosts" file the addresses you posted here were already in it, and I hadn't done that before O_o. I'm in favour of moving it ;)
Well, the guide is good, I actually used it myself, just one question: the thread author advises deleting the file
C:\WINDOWS\system32\services.exe
but not deleting the file C:\WINDOWS\system32\servicess.exe
the thing is, I found the first file but not the second, system one Oo
Hmm, any suggestions what to do about this?
The author advises deleting C:\WINDOWS\services.exe, not C:\WINDOWS\system32\services.exe (unless I misunderstood something :P)
Well, fair enough, different path, so I guess it's fine :P
I mean, I don't have Owntibia :d
there were various guides, but I liked the part about how to protect yourself against it the most, thx to the author - I'm in favour of moving it because this wasn't here yet ;p
The author advises deleting C:\WINDOWS\services.exe, not C:\WINDOWS\system32\services.exe (unless I misunderstood something :P)
You understood correctly :)
C:\WINDOWS\system32\services.exe is an important system file - DO NOT DELETE!
Marecki666
29-05-2007, 19:55
and when I rename this hosts.msm or whatever it's called to hosts.txt and add these lines, do I then have to rename it back to .msm?
It will come in handy :D
I try not to get hacked, but you can never be too careful
PS. HiJackThis 1.99.1 can also be downloaded from www.dobreprogramy.pl
PS2. if I DON'T HAVE this crap on my computer, and I have the owntibia sites blocked, and suddenly owntibia ends up on my computer, then it CAN'T HACK ME? (because I have the sites blocked)
and when I rename this hosts.msm or whatever it's called to hosts.txt and add these lines, do I then have to rename it back to .msm?
It should work, but it's better to just open the msm file in Notepad ;)
@Up
If they don't change the IP, then yes.
Hellraiser
29-05-2007, 23:10
3. Securing for the future
We find the hosts file in C:\WINDOWS\system32\drivers\etc and open it with a text editor.
And we add to it:
127.0.0.1 owntibia.com
127.0.0.1 vip.owntibia.com
127.0.0.1 87.98.239.19
This blocks the possibility of connecting to the site where the logs are sent ;)
So like this?
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP
# for Windows.
# This file contains the mappings of IP addresses to host names.
# Each entry should be kept on an individual line.
# The IP address should be placed in the first column, followed by
# the corresponding host name. The address and the name should be separated
# by at least one space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name, denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 owntibia.com
127.0.0.1 vip.owntibia.com
127.0.0.1 87.98.239.19
Well, you really went all out with this, I'm in favour of moving it, mate.
The thing in red worries me. Tell me what else to fix! I changed my password on tibia.com and I'm not logging in because I'm scared... Tell me, is the thing in red something bad? Because I marked the system file in green. What else should I delete? My log:
Logfile of HijackThis v1.99.1
Scan saved at 23:59:42, on 2007-05-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\kopia\RNEFOL~1\DOKUME~1\MMDiag.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\kopia\Różne foldery\Dokumenty inne\mim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Komputer\USTAWI~1\Temp\Rar$EX00.385\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [services] C:\windows\services.exe
O4 - HKLM\..\Run: [MimBoot] D:\kopia\RNEFOL~1\DOKUME~1\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Odkurzacz-MCD] D:\Odkurzacz\odk_mcd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A546C956-0D00-4D33-9BE5-128A7CFC47BF}: NameServer = 194.204.159.1 217.98.63.164
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
@edit
I deleted the thing in red. It was a keylogger, because as soon as I touched it the antivirus went crazy. I just ask the specialists for advice whether anything else is wrong in my log :)
As for securing for the future, I went where you said and those lines were already there. I didn't have to type anything in to protect myself. I previously used Own Tibia Deleter, did it create those lines?
@Up
Attach the txt file as an attachment... because here on the forum .exe files are censored ;) It will be easier to analyse.
And the deleter, with the "protect in the future" option, adds those entries to hosts ;)
The simplest firewall is enough!! A friend has Owntibia, so I told him to send me the file, I ran it, wanted to log in to Tibia and then it detected it, I blocked it and that was that :>
And owntibia.exe helped me a bit with that!! :D
Iron'knight
30-05-2007, 10:45
Ok, here's the attachment =)
you know, as for services.exe they are probably fine, but other entries are suspicious. I'd advise posting the HijackThis and Silent Runners log on the Arcabit forum.
Duch Niespokojny
30-05-2007, 12:07
Well, the guide is good, I actually used it myself, just one question: the thread author advises deleting the file
C:\WINDOWS\system32\services.exe
No, that is exactly the one you are not supposed to delete.
the thing is, I found the first file but not the second, system one Oo
Hmm, any suggestions what to do about this?
You probably have it hidden or you just mixed them up (the evil one is C:\Windows\services.exe).
you know, as for services.exe they are probably fine, but other entries are suspicious. I'd advise posting the HijackThis and Silent Runners log on the Arcabit forum.
It will end up there anyway ;) Besides the Arcabit forum, just in case, post it at http://cybertrash.netarteria.pl/cyber/
@Edit
Clean.. almost.
Delete this:
C:\DOCUME~1\Komputer\USTAWI~1\Temp\update.tmp --- fake update ;)
It will end up there anyway ;) Besides the Arcabit forum, just in case, post it at http://cybertrash.netarteria.pl/cyber/
@Edit
Clean.. almost.
Delete this:
C:\DOCUME~1\Komputer\USTAWI~1\Temp\update.tmp --- fake update ;)
I deleted what you said :)
I still have doubts (I don't know what these are) about:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
D:\kopia\RNEFOL~1\DOKUME~1\MMDiag.exe
C:\DOCUME~1\Komputer\USTAWI~1\Temp\Rar$EX00.649\HijackThis.exe (I know it's HijackThis, but isn't it perhaps something impersonating it?)
Delete these, or are they safe?
Explorer.exe is probably what lets you browse folders etc. at all, the rest I don't know, I'm no expert ;)
Btw, should there be 1 or several svchost.exe processes (or maybe 0?), because I can see 8 of them right now ;>
Olorion.
30-05-2007, 20:46
I deleted what you said :)
I still have doubts (I don't know what these are) about:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
D:\kopia\RNEFOL~1\DOKUME~1\MMDiag.exe
C:\DOCUME~1\Komputer\USTAWI~1\Temp\Rar$EX00.649\HijackThis.exe (I know it's HijackThis, but isn't it perhaps something impersonating it?)
Delete these, or are they safe?
check with HijackThis!
C:\WINDOWS\system32\spoolsv.exe
don't know
C:\WINDOWS\System32\svchost.exe
clean
C:\WINDOWS\System32\alg.exe
clean... probably
C:\WINDOWS\system32\WgaTray.exe
got a pirated copy, eh? ;)
C:\WINDOWS\Explorer.exe
clean
C:\WINDOWS\system32\ctfmon.exe
clean
D:\kopia\RNEFOL~1\DOKUME~1\MMDiag.exe
don't know what that is O.o
C:\DOCUME~1\Komputer\USTAWI~1\Temp\Rar$EX00.649\HijackThis.exe (I know it's HijackThis, but isn't it perhaps something impersonating it?)
Temporary HijackThis log file... probably
Kean_Arcaron
31-05-2007, 13:41
I have a question. Which file in the "etc" folder should I edit and enter "127.0.0.1 owntibia.com
127.0.0.1 vip.owntibia.com
127.0.0.1 87.98.239.19" into?
Gatho Gokhinin
31-05-2007, 14:17
Hosts - open it with Notepad (e.g. open Notepad and drag the file onto the empty area)
Good job ;] I'm pleased with myself because I don't have any crap on my computer, thanks :]
haxzproxx_bat
31-05-2007, 17:12
- In Win98 there is a file \WINDOWS\services\ but it is not an .exe file
most likely a system file:
# Copyright (c) 1993-1995 Microsoft Corp.
#
# This file contains port numbers for services as defined by
# RFC 1060 (Assigned Numbers).
#
# Format:
#
# <service name> <port number>/<protocol> [alias...] [#<comment>]
#
- As I understand it, this option only exists on XP? In Win98 I can't find this path: "\WINDOWS\system32\drivers\etc"
\/-------------------------------------------\/
/EDITED
The hosts file in WIN98 is in WINDOWS/
I edit it in Notepad
and add the entry at the end:
127.0.0.1 owntibia.com
127.0.0.1 vip.owntibia.com
127.0.0.1 87.98.239.19
but it saves as a text file. DOES ANYONE HAVE AN IDEA HOW TO SAVE IT? WIN 98!!
/\--------------------------------------------/\
- In Win98 there is a file \WINDOWS\services\ but it is not an .exe file
most likely a system file:
# Copyright (c) 1993-1995 Microsoft Corp.
#
# This file contains port numbers for services as defined by
# RFC 1060 (Assigned Numbers).
#
# Format:
#
# <service name> <port number>/<protocol> [alias...] [#<comment>]
#
It seems that in Win98 it is a normal system file, but I have never had and probably never will have Win98 to check ;(
as for Tibia, I only download .rec files and nothing has happened to me in 3 years and probably won't
you can never be too safe
and when someone gets excited that somebody hacks and has free items and wants to hack themselves, those are exactly the ones who become the most frequent victims
topic
I secured myself too* ;)
Makaveli Tha Don
06-06-2007, 16:03
Today I downloaded a bot called Tibia Auto. After installing it I noticed that a strange file named "server.exe" appeared on the desktop. I realised it was an Owntibia file, so I downloaded "owntibia-deleter". The program detected Owntibia, but I couldn't remove it. I looked into this thread and downloaded "HijackThis!". I did a scan and I don't know which file is the "Owntibia" one.
Please help!
I'm sharing my log:
Logfile of HijackThis v1.99.1
Scan saved at 14:49:04, on 2007-06-06
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\=WSZYSTKIE=\Winamp\Winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\adrian\Pulpit\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find.fm/?aid=95&sid=99
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: XBTB04482 - {D72F6457-DDC6-4bc2-9DB5-97AD696800B6} - C:\PROGRA~1\FINDFM~1\toolbar.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] "C:\=WSZYSTKIE=\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\INTERN~2\MEDIAKEY.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: UniSpiker-2.6.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130355726364
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NetTime (NetTimeSvc) - Unknown owner - C:\Documents and Settings\Administrator\Pulpit\NetTime\NeTmSvNT.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
Fixchecked
07-06-2007, 15:19
There's something I don't understand here: if I have this entry in the log:
C:\WINDOWS\system32\services.exe
does that mean I have Owntibia?
Duch Niespokojny
07-06-2007, 15:45
There's something I don't understand here: if I have this entry in the log:
C:\WINDOWS\system32\services.exe
does that mean I have Owntibia?
No, that is a system file.
JanCzarny
07-06-2007, 21:03
Setting the read-only attribute on the hosts file will protect it against changes, and you can do a trick and install Windows in a directory other than windows, e.g. C:/winnt -- that's how it is in Win 2000
and you can block write operations for a given user in the Security tab, and log in as a user rather than Admin, for security
@up Makaveli Tha Don
The file Service.exe is protected by Windows Protect System Files
which is partially disabled in Safe Mode
And it's best to delete such a file from DOS, and for NTFS - DOS under NTFS
But c:/windows/sytem32/services.exe --- is an important system file, I know the effect of deleting it
http://img78.imageshack.us/my.php?image=plikiserviceef6.jpg -- Files must have an MC signature
And check the file's creation date.
LOL If it weren't for this guide I'd be without my account X(!!! THX :cup:
Great guide :cup: but I have one question, how can Owntibia get onto my computer?? please answer
Hi, I have a question about point 3 :p
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP
# for Windows.
# This file contains the mappings of IP addresses to host names.
# Each entry should be kept on an individual line.
# The IP address should be placed in the first column, followed by
# the corresponding host name. The address and the name should be separated
# by at least one space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name, denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 owntibia.com
127.0.0.1 vip.owntibia.com
127.0.0.1 87.98.239.19
Did I do this right? Please answer
Great guide :cup: but I have one question, how can Owntibia get onto my computer?? please answer
Through files downloaded from the internet, and if you don't update your system, through an exploit.
@Up
All good.
Hmm.. as for the removal method, it's a bit rubbish, too much hassle, there are better, simpler methods.
I did use the "hosts" entry, though; it may come in handy some day ;)
lukaszlukasz
08-06-2007, 15:32
Btw, should there be 1 or several svchost.exe processes (or maybe 0?), because I can see 8 of them right now ;>
I have 5 or 6, and right after a format there were also several, so I think everything is OK :)
And after scanning with HjT I see that this process is active:
C:\WINDOWS\system32\services.exe
But that's probably not Owntibia, because I already had that thing after a format o.O
I have 5 or 6, and right after a format there were also several, so I think everything is OK :)
And after scanning with HjT I see that this process is active:
C:\WINDOWS\system32\services.exe
But that's probably not Owntibia, because I already had that thing after a format o.O
As for svhost, that's normal, and that file is a system file. People, read carefully, it says so.
Update!
Add to the hosts file:
127.0.0.1 wizzard.home.pl
Thanks to you I got rid of OWNTIBIA from my computer. Now I'm no longer at risk of a hack (I hope). May there be as many guides like this as possible!!! :cup::cup::cup:
Vlad Dracula
14-06-2007, 14:36
Or maybe you just need to go into c:/windows and delete the suspicious file (it's enough to click on it once and the antivirus will detect it), usually it's the last one
Shaolin_Hunter
14-06-2007, 15:23
oh lol xD
today I found a process winampa.exe
;d (winaMPA)
Avallach
14-06-2007, 17:55
@up me too, what is that??
aaa I have the file services.exe in windows/system32 and not servicess.exe, why??
@up
because servicess.exe is a different program than the system one (possibly a virus)
As for svhost, that's normal
The system process is called svCHost, not svHost
anyway, if Owntibia impersonated it, it would be svchost.exe but from a different location.
For all viruses etc. I suggest looking every now and then into the c:\WINDOWS\system32 directory (and c:\WINDOWS\); you have to click so that it shows files sorted by modification date. New files (most likely a virus) will be at the very bottom, unless you installed graphics card drivers or something earlier. That's how I once removed an undetectable virus ;). And of course, if it hides in the device manager, then quickly, quickly, before Windows starts, keep pressing alt+ctrl+delete, look for unusual processes (in the Processes tab), then Start->Search->Files or folders. Enter the name of the suspicious process and, once found, delete it (but first check on google.pl whether it really is a virus!). If it can't be deleted, download the program Unlocker.
A small guide got made :)
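The rule that the replies above keep repeating (same name but wrong directory, or a name one typo away from a system process) can be checked mechanically over a HijackThis log. The script below is an added example, not code from this thread or from HijackThis: it pulls every .exe path out of a log (the "Running processes" block and the O4 autostart entries), compares the file name against a table of Windows XP core processes and the %SystemRoot% subdirectory each must run from, and flags look-alike names by Levenshtein distance. The CORE_PROCESSES table, the `windir` default and the sample log are my own assumptions and constructions, modelled on the logs posted in this thread.

```python
"""Triage a HijackThis log for look-alike system processes.

Added example for this thread, not code from HijackThis or from the
original posts. Two rules: a core Windows process name is legitimate only
in its expected %SystemRoot% subdirectory, and a name one edit away from a
core name (service.exe, servicess.exe, svhost.exe) is suspect anywhere.
The log at the bottom is a constructed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows XP processes and the %SystemRoot% subdirectory they run from
# ("" means %SystemRoot% itself). Assumed table, not from HijackThis.
CORE_PROCESSES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "ctfmon.exe": "system32", "alg.exe": "system32",
    "explorer.exe": "",
}

# First drive-letter path ending in .exe on a line (quoted or not).
PATH_RE = re.compile(r'([a-z]:\\[^"\n]*?\.exe)\b', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit separates 'servicess' from 'services'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_path(path: str, windir: str = r"c:\windows") -> Optional[str]:
    """Return why `path` is suspicious, or None if it passes both rules."""
    directory, _, name = path.lower().rpartition("\\")
    windir = windir.lower()
    if name in CORE_PROCESSES:
        sub = CORE_PROCESSES[name]
        expected = windir + ("\\" + sub if sub else "")
        return None if directory == expected else f"{name} outside {expected}"
    # Not a core name: flag anything exactly one typo away from one.
    for core in CORE_PROCESSES:
        if edit_distance(name, core) == 1:
            return f"{name} resembles system process {core}"
    return None


def triage(log_text: str, windir: str = r"c:\windows") -> List[Finding]:
    """Run check_path over every .exe path found in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        m = PATH_RE.search(line)
        if m:
            reason = check_path(m.group(1), windir)
            if reason:
                findings.append(Finding(line.strip(), reason))
    return findings


# Constructed sample log, modelled on the ones posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1 (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Tibia\Tibia.exe
O4 - HKLM\..\Run: [auto] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: service.exe.lnk = C:\WINDOWS\system32\service.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:55} <- {f.line}")
```

Sorting system32 by modification date, as the post suggests, catches new files; this check is the complementary one: a dropper that names its file services.exe in C:\WINDOWS passes a casual glance at Task Manager but fails the directory rule, and one that picks service.exe fails the distance rule. The threshold of exactly one edit is deliberate: all three impostor names seen in this thread are one edit from the name they imitate, and a larger threshold starts matching unrelated short names. If Windows is installed elsewhere (the C:\winnt case mentioned later in the thread), pass that root as `windir`.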
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.exe
delete Smss.exe winlogon.exe :confused::confused: Help
oh lol xD
today I found a process winampa.exe
;d (winaMPA)
Winampa - Winamp Agent. Winamp's autostart process.
Please answer, is there a keylogger here??
I really need an answer because this morning, in my absence, someone was on my character :(
Logfile of HijackThis v1.99.1
Scan saved at 15:25:17, on 2007-06-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\service.exe
C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe
C:\PROGRA~1\NEOSTR~1\ComComp.exe
C:\PROGRA~1\NEOSTR~1\Watch.exe
C:\Program Files\Tibia\Tibia.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\Artur\Pulpit\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: service.exe.lnk = C:\WINDOWS\system32\service.exe
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9879D2DC-0BEA-4342-98D9-6D994686C867}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
To be deleted, 100%:
C:\WINDOWS\system32\service.exe
O4 - Global Startup: service.exe.lnk = C:\WINDOWS\system32\service.exe
And this one I don't know whether it's safe. If you know what it is, leave it, and if not, delete it:
HKLM\System\CCS\Services\Tcpip\..\{9879D2DC-0BEA-4342-98D9-6D994686C867}: NameServer = 194.204.152.34 217.98.63.164
***
You tick the entries and then click "fix checked"; the bolded file you delete manually from the disk.
Milu Arhangel
17-06-2007, 19:52
Please check my report too :) I checked it on hijackthis.de and supposedly there is nothing, but I want to be 100% sure
Logfile of HijackThis v1.99.1
Scan saved at 18:44:57, on 2007-06-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Milu\PowerMenu_1_5_1\PowerMenu.exe
E:\xXx\Tlen.pl\tlen-nowy.exe
C:\Program Files\Microsoft Office\OFFICE11\OIS.exe
C:\Program Files\Tibia\Tibia.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Milu\Programy\Antyviry & nietylko\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B44C090-7729-4D20-B303-9BBD03583F9A}: NameServer = 194.204.159.1,194.204.152.34
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Thanks in advance
Clean; the only thing I might pick on is this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B44C090-7729-4D20-B303-9BBD03583F9A}: NameServer = 194.204.159.1,194.204.152.34
Abus_LoLo
17-06-2007, 20:45
Please check mine :):baby:
Logfile of HijackThis v1.99.1
Scan saved at 19:36:35, on 2007-06-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\AntiVir PersonalEdition Classic\avguard*****
C:\Program Files\AntiVir PersonalEdition Classic\sched*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\wscntfy*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\Program Files\ATI Technologies\ATI.ACE\cli*****
C:\WINDOWS\system32\RunDll32*****
D:\Programy\mouse driver\MouseDrv*****
C:\Program Files\AntiVir PersonalEdition Classic\avgnt*****
D:\Programy\sony\SsAAD*****
D:\Programy\Logitech kierownica\lwemon*****
C:\Program Files\Messenger\msmsgs*****
C:\Program Files\ATI Technologies\ATI.ACE\CLI*****
D:\Programy\Mozilla\firefox*****
C:\Documents and Settings\ABUS\Pulpit\HijackThis\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programy\acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli*****" runtime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CreativeMouse ] D:\Programy\mouse driver\MouseDrv*****
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt*****" /min
O4 - HKLM\..\Run: [SsAAD*****] D:\Programy\sony\SsAAD*****
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtim e.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Programy\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [Start WingMan Profiler] "D:\Programy\Logitech kierownica\lwemon*****" /noui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - Global Startup: ATI CATALYST – pasek zadań.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI*****
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CBF62E0-227F-470B-8809-5304E1B704AD}: NameServer = 194.204.152.34,217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{5CBF62E0-227F-470B-8809-5304E1B704AD}: NameServer = 194.204.152.34,217.98.63.164
O17 - HKLM\System\CS2\Services\Tcpip\..\{5CBF62E0-227F-470B-8809-5304E1B704AD}: NameServer = 194.204.152.34,217.98.63.164
O17 - HKLM\System\CS3\Services\Tcpip\..\{5CBF62E0-227F-470B-8809-5304E1B704AD}: NameServer = 194.204.152.34,217.98.63.164
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched*****
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard*****
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT*****
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms*****
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV*****
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR*****
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd*****" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: FrontLine Drivers Auto Removal (v2) (sfrem02) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem02*****
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV*****
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV*****
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disten...fyLauncher.cab ATTENTION
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CBF62E0-227F-470B-8809-5304E1B704AD}: NameServer = 194.204.152.34,217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{5CBF62E0-227F-470B-8809-5304E1B704AD}: NameServer = 194.204.152.34,217.98.63.164
O17 - HKLM\System\CS2\Services\Tcpip\..\{5CBF62E0-227F-470B-8809-5304E1B704AD}: NameServer = 194.204.152.34,217.98.63.164
O17 - HKLM\System\CS3\Services\Tcpip\..\{5CBF62E0-227F-470B-8809-5304E1B704AD}: NameServer = 194.204.152.34,217.98.63.164
If you don't know what it is, get rid of it.
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd*****" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Did you install that packet capture thing yourself? If not, it goes out the window.
Abus_LoLo
17-06-2007, 20:54
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd*****" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
that one is needed by some program ;)
but the other ones, I don't know what they are and I'll definitely remove them :)
Thanks
I removed what you wrote, and I don't know why, but after a reboot the DNS addresses were gone from my internet settings :/
But everything's fine now ;]
I found this on my machine
O4 - HKLM\..\Run: [orcToByloLatwe] C:\WINDOWS\services. exe
I removed it. I deleted services.exe (right-click, delete). Here's a log too. Am I safe now?
Logfile of HijackThis v1.99.1
Scan saved at 20:00:47, on 2007-06-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\SYSTEM32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\Explorer*****
C:\PROGRA~1\A4Tech\Mouse\Amoumain*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\PROGRA~1\NEOSTR~2\CnxMon*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\AutoConnect\AutoConnect*****
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM*****
C:\WINDOWS\system32\oodag*****
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
C:\WINDOWS\system32\wuauclt*****
C:\Program Files\Opera\Opera*****
C:\DOCUME~1\aaa\USTAWI~1\Temp\Rar$EX01.846\HijackT his*****
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~2\SEARCH~1.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit*****
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4289bcbe-e100-4999-a98b-dd6b3e9586ac} - C:\WINDOWS\SYSTEM32\usrenh.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\WINDOWS\system32\tmp132.tmp.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain*****
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~2\CnxMon*****
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~2\Watch*****
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE***** /AUTORUN
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN***** /logon
O4 - HKLM\..\Run: [setup] rundll32***** "C:\WINDOWS\tuvvwu.dll",realset
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services*****
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect*****
O4 - Global Startup: DSLMON .lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon*****
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra button: Download this Web Site's Images - {2D0DA413-B24C-4C23-87D5-9F66DAAE02DB} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Download this Web Site's Images - {2D0DA413-B24C-4C23-87D5-9F66DAAE02DB} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget*****
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget*****
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF76839B-042C-42C2-912A-791A6ACA46D6}: NameServer = 194.204.152.34 217.98.63.164
O20 - AppInit_DLLs: c:\windows\system32\byvturo.dll
O20 - Winlogon Notify: usrenh - C:\WINDOWS\SYSTEM32\usrenh.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT*****
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD*****
O23 - Service: MySql - Unknown owner - c:\krasnal/MYSQL/bin/mysqld***** (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag*****
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit*****
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\WINDOWS\system32\tmp132.tmp.dll
O20 - AppInit_DLLs: c:\windows\system32\byvturo.dll
O20 - Winlogon Notify: usrenh - C:\WINDOWS\SYSTEM32\usrenh.dll
O4 - HKLM\..\Run: [setup] rundll32***** "C:\WINDOWS\tuvvwu.dll",realset
There's nothing online about these processes, so they're unlikely to be system files; to be safe, remove them.
Otherwise clean.
Milu Arhangel
17-06-2007, 21:34
Clean; the only thing I might pick on is this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B44C090-7729-4D20-B303-9BBD03583F9A}: NameServer = 194.204.159.1,194.204.152.34
Hmm... I removed that entry, then I wanted to log in to Tibia and couldn't; I reinstalled the client, but that didn't help. Only System Restore did the trick. That entry is probably important and required to connect to the Tibia server. Just a little problem, that's all ;)
@down
I don't know myself, but without it I can't get into Tibia...
Probably so, so I won't remove it, but I don't think it's anything dangerous, because I've scanned my PC with HijackThis many times and that entry was always there. Besides, I haven't been hacked even once yet :)
Err... small mistake... that connects your computer to 194.204.159.1 and 194.204.152.34, so maybe it's something to do with your ISP?
I'm not sure myself...
Hi, could you help? :>
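Added example, not taken from any post in this thread: a small Python triage script that applies the same rules the reviewers above used by hand when they picked out the suspicious O2, O4 and O20 entries, and that only lists O17 NameServer addresses for comparison with the ISP's settings rather than flagging them for deletion (removing them broke the connection, as described above). The sample log lines are constructed to mirror entries quoted in this thread, with `.exe` written out where the forum masked it as `*****`; the list of file names that legitimately exist only under system32 is my own assumption, as is the severity scheme.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: entries shaped like the ones quoted in this thread,
# with ".exe" written out where the forum masked it as "*****".
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} - C:\WINDOWS\system32\tmp132.tmp.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [orcToByloLatwe] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\tuvvwu.dll",realset
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF76839B-042C-42C2-912A-791A6ACA46D6}: NameServer = 194.204.152.34 217.98.63.164
O20 - AppInit_DLLs: c:\windows\system32\byvturo.dll
O20 - Winlogon Notify: usrenh - C:\WINDOWS\SYSTEM32\usrenh.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# File names that legitimately live only under system32 (assumption for this example):
# a copy of one of these anywhere else, e.g. directly in C:\WINDOWS, is the pattern
# the guide describes for the keylogger's services.exe.
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "csrss.exe", "smss.exe"}

SECTION_RE = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")
# First Windows path in an entry: quoted (may contain spaces) or unquoted up to a known extension.
PATH_RE = re.compile(
    r'"(?P<q>[A-Za-z]:\\[^"]+)"'
    r'|(?P<u>[A-Za-z]:\\.+?\.(?:exe|dll|ocx|cpl))(?=[\s,]|$)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    section: str    # HijackThis section, e.g. "O4"
    reason: str
    line: str


def extract_path(entry: str) -> Optional[str]:
    m = PATH_RE.search(entry)
    return (m.group("q") or m.group("u")) if m else None


def parent_dir(path: str) -> str:
    # ntpath handles backslash paths on any host OS
    return ntpath.dirname(path).lower().rstrip("\\")


def in_windows_root(path: str) -> bool:
    # True for files dropped directly into the Windows directory itself
    return parent_dir(path).endswith(":\\windows")


def in_system32(path: str) -> bool:
    return parent_dir(path).endswith("\\system32")


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        path = extract_path(body)
        name = ntpath.basename(path).lower() if path else ""
        if section == "O4" and path:
            if name in SYSTEM32_ONLY and not in_system32(path):
                findings.append(Finding("high", section, f"{name} started from outside system32 (the real one lives there)", line))
            elif in_windows_root(path):
                findings.append(Finding("medium", section, f"{name} loaded straight from the Windows directory; verify it", line))
        elif section == "O2" and "(no name)" in body and path:
            findings.append(Finding("medium", section, f"unnamed BHO backed by {name}; look it up before keeping it", line))
        elif section == "O20" and path:
            findings.append(Finding("medium", section, f"{name} injected via AppInit_DLLs/Winlogon Notify; verify it", line))
        elif section == "O17" and "NameServer =" in body:
            servers = [s for s in re.split(r"[,\s]+", body.split("NameServer =", 1)[1]) if s]
            findings.append(Finding("info", section, "DNS resolvers " + ", ".join(servers) + "; compare with the ISP's settings before removing", line))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print(f"         {f.line}")


if __name__ == "__main__":
    main()
```

Running it on the sample prints two high findings (both services.exe entries in C:\WINDOWS), four medium ones (the rundll32-loaded DLL in C:\WINDOWS, the unnamed tmp132.tmp.dll BHO, and the two O20 hooks), and one info line with the two resolver addresses; the avast, NVIDIA and Adobe entries are not reported. Save a real log as a text file and pass its contents to triage() in place of SAMPLE_LOG.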
Logfile of HijackThis v1.99.1
Scan saved at 20:52:36, on 2007-06-17
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\SYSTEM32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
d:\Program Files\Alwil Software\Avast4\aswUpdSv*****
d:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\Explorer*****
C:\Program Files\Analog Devices\SoundMAX\Smtray*****
D:\Program Files\HP\HP Software Update\HPWuSchd2*****
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
D:\Program Files\Java\jre1.6.0_01\bin\jusched*****
D:\Program Files\Creative\Mouse Optical\mouse_2k*****
D:\Program Files\Zone Labs\ZoneAlarm\zlclient*****
D:\Program Files\Google\Gmail Notifier\gnotify*****
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\Go ogleToolbarNotifier*****
D:\Program Files\Advanced Registry Doctor\RegDfrgSch*****
D:\Program Files\Gadu-Gadu\gg*****
D:\Program Files\HP\Digital Imaging\bin\hpqtra08*****
C:\WINDOWS\system32\spoolsv*****
D:\Program Files\HP\Digital Imaging\bin\hpqimzone*****
C:\WINDOWS\System32\nvsvc32*****
C:\WINDOWS\System32\HPZipm12*****
d:\Program Files\Advanced Registry Doctor\RegManServ*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\ZoneLabs\vsmon*****
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08*****
d:\Program Files\Alwil Software\Avast4\ashWebSv*****
d:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\WINDOWS\System32\WgaTray*****
D:\Program Files\Tibia\Tibia*****
D:\Winamp\winamp*****
C:\Program Files\firefox*****
C:\Documents and Settings\Przemek\Pulpit\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray*****
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2*****
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr*****
O4 - HKLM\..\Run: [AVPDWIN] "C:\Program Files\Panda Software\Panda Demo\pandasft*****"
O4 - HKLM\..\Run: [SpywareQuake.com] C:\Program Files\SpywareQuake.com\Spyware-Quake***** /h
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ*****"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched*****"
O4 - HKLM\..\Run: [BearShare] "D:\Program Files\BearShare\BearShare*****" /pause
O4 - HKLM\..\Run: [CreativeMouse ] d:\Program Files\Creative\Mouse Optical\mouse_2k*****
O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient*****"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] d:\Program Files\Google\Gmail Notifier\gnotify*****
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BPS Spyware Remover] d:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem*****
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\Go ogleToolbarNotifier*****
O4 - HKCU\..\Run: ["C:\WINDOWS\SoftwareDistribution\Download\6365088f8 5b501588ee599470d0e71a8\msmsgs*****" /background] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - HKCU\..\Run: [RegDfrgSch] D:\Program Files\Advanced Registry Doctor\RegDfrgSch***** /tray
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08*****
O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08*****
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA*****
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links using BitComet - res://D:\Program Files\BitComet\BitComet*****/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://D:\Program Files\BitComet\BitComet*****/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://D:\Program Files\BitComet\BitComet*****/AddLink.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL*****/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget*****
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget*****
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS***** (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS***** (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32*****
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12*****
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - d:\Program Files\Advanced Registry Doctor\RegManServ*****
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon*****
Thanks in advance, I'd appreciate a PM
If anyone checking their log isn't sure about some process, you can look it up on these sites:
www.processlibrary.com
www.fbmsoftware.com/spyware-net
www.pcpitstop.com/spycheck/known.asp
to check a given process.
@topic
all well and good, but where do I put those ports?
in which place
I want to protect myself because I've already been a victim..
Abus_LoLo
17-06-2007, 22:56
Err... small mistake... that connects your computer to 194.204.159.1 and 194.204.152.34, so maybe it's something to do with your ISP?
I'm not sure myself...
those are the "preferred DNS" and "alternate DNS"
I removed the same thing and my internet wouldn't connect either; only when I went into the internet settings, saw those numbers were missing and typed them in again did everything work
ps. of course those numbers aren't the same as mine, but it's the same "path"
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B44C090-7729-4D20-B303-9BBD03583F9A}: NameServer = I have different numbers here ;)
@topic
all well and good, but where do I put those ports?
in which place
I want to protect myself because I've already been a victim..
But I already wrote where to add it ;)
@Edit
Check out my new site about Tibia security.
If anyone wants the link, send me a PM, since I don't want to advertise ;)
Goku_Sayian
18-06-2007, 18:10
all great ^^ you put real effort in.
Please check my report too ;) Sorry for posting for the 2nd time :(
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\Explorer*****
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard*****
C:\WINDOWS\System32\nvsvc32*****
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss*****
C:\WINDOWS\SOUNDMAN*****
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\AutoConnect\AutoConnect*****
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon*****
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui*****
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Program Files\Winamp\winampa*****
C:\Program Files\Winamp\winamp*****
D:\Tomuss\HijackThis\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit*****
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN*****
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas*****" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare*****" /pause
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect*****
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine*****
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl*****
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon*****
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL*****/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B4482F1-E814-40EA-BCA0-69B43F071F5D}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B4482F1-E814-40EA-BCA0-69B43F071F5D}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard*****
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32*****
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal
Rofocale
19-06-2007, 18:29
I'll post my HijackThis log here, can someone tell me if anything's screwed up? because I don't get it ^.^ :<
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:10:31, on 2007-06-19
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\Explorer*****
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc*****
C:\WINDOWS\system32\RUNDLL32*****
C:\Program Files\Common Files\Symantec Shared\ccSvcHst*****
C:\WINDOWS\System32\nvsvc32*****
C:\Program Files\BearShare\BearShare*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\RTHDCPL*****
C:\Program Files\Winamp\winampa*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Messenger\msmsgs*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
C:\WINDOWS\system32\wuauclt*****
C:\Program Files\Tlen.pl\tlen*****
C:\Documents and Settings\ffffff\Pulpit\movie*****
C:\Documents and Settings\ffffff\Pulpit\movie*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Program Files\Internet Explorer\iexplore*****
C:\WINDOWS\system32\rundll32*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Documents and Settings\ffffff\Pulpit\movie*****
C:\Documents and Settings\ffffff\Pulpit\movie*****
C:\Documents and Settings\ffffff\Pulpit\movie*****
C:\Documents and Settings\ffffff\Pulpit\movie*****
C:\Program Files\Tibia\Tibia*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Documents and Settings\ffffff\Pulpit\Programy\HiJackThis_v2*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare*****" /pause
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL*****
O4 - HKLM\..\Run: [Alcmtr] ALCMTR*****
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN***** /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [orcToByloLatwe] C:\WINDOWS\mandr*****
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen*****
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] C:\WINDOWS\System32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] C:\WINDOWS\System32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] C:\WINDOWS\System32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] C:\WINDOWS\System32\CTFMON***** (User 'Default user')
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32*****
O4 - Global Startup: D-Link AirPlus.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk789YYPL
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak*****.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90016C3B-4223-4CB4-9D14-9FCD525E7CDF}: NameServer = 213.199.197.214,82.160.1.1
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv*****
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst***** (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32*****
EDIT: hey, and what if I have a folder on my desktop that won't let itself be deleted, and when I scan it with an online malware scan it's full of trojans, does anyone know what to do with it? ;o
there's a looot of junk here :O
Post it on the idg.pl forum, the people there are more competent ;)
Rofocale
19-06-2007, 19:25
I think I'll just do a format ^^
World_of_naabz
19-06-2007, 22:19
I'd like to ask someone to take a look at this log ^^
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:10:22, on 2007-06-19
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\Explorer*****
C:\Program Files\Eset\nod32krn*****
C:\WINDOWS\system32\nvsvc32*****
C:\WINDOWS\system32\oodag*****
C:\Program Files\Outpost Firewall\outpost*****
C:\WINDOWS\RTHDCPL*****
C:\Program Files\Eset\nod32kui*****
C:\WINDOWS\system32\RUNDLL32*****
C:\Program Files\Spybot\TeaTimer*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Mozilla Firefox\firefox*****
D:\Gry\Tibia 7.92\Tibia*****
D:\Gry\Tibia 7.92\TibiaBot NG\loader*****
D:\Gry\Tibia 7.92\TibiaBot NG\loader*****
C:\Program Files\Winamp\winamp*****
C:\Documents and Settings\b\Pulpit\HiJackThis_v2*****
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL*****
O4 - HKLM\..\Run: [Alcmtr] ALCMTR*****
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui*****" /WAITSERVICE
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Outpost Firewall\outpost***** /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Outpost Firewall\feedback***** /dump:os_startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig***** /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer*****
O4 - HKCU\..\Run: [ctfmon*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag***** (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag***** (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag*****
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Outpost Firewall\outpost*****
--
End of file - 3909 bytes
D:\Gry\Tibia 7.92\TibiaBot NG\loader*****
D:\Gry\Tibia 7.92\TibiaBot NG\loader*****
not nice...
O4 - HKLM\..\Run: [Alcmtr] ALCMTR*****
spyware... (harmless, but it slows things down)
Here's my log, plz check it 8o
Logfile of HijackThis v1.99.1
Scan saved at 06:25:45, on 2007-06-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Eset\nod32kui*****
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray*****
C:\WINDOWS\system32\RUNDLL32*****
C:\Program Files\QuickTime\qttask*****
C:\PROGRA~1\NEOSTR~1\CnxMon*****
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****
C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
D:\Program Files\Winamp\winampa*****
D:\Gadu-Gadu\gg*****
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM*****
C:\Program Files\Eset\nod32krn*****
C:\WINDOWS\system32\nvsvc32*****
C:\WINDOWS\system32\PSIService*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\wuauclt*****
C:\PROGRA~1\NEOSTR~1\NeostradaTP*****
C:\PROGRA~1\NEOSTR~1\ComComp*****
C:\PROGRA~1\NEOSTR~1\Watch*****
C:\Program Files\Mozilla Firefox\firefox*****
D:\Program Files\No-IP\DUC20*****
C:\Documents and Settings\Administrator\Pulpit\evolutions0.7.8xml 2\Evolutions 0.7.8 XML\Evolutions-XML*****
C:\Documents and Settings\Administrator\Pulpit\hijackthis\HijackThis*****
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - D:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - D:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui*****" /WAITSERVICE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray*****"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask*****" -atboottime
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon*****
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch*****
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [Anti-Blaxx Manager] D:\Program Files\Anti-Blaxx\Anti-Blaxx*****
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype*****" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl*****
O8 - Extra context menu item: Download with Star Downloader - D:\PROGRA~1\STARDO~1\sdie.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL*****/3000
O9 - Extra button: FreshDownload - {06995615-BCE2-46CF-B740-34445B6595C7} - D:\Program Files\FreshDevices\FreshDownload\fd*****
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178724051228
O17 - HKLM\System\CCS\Services\Tcpip\..\{50819844-F5DC-444D-B843-A572F56780CB}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService*****
thx in advance for checking whether there's any junk :)
@Up
Nothing dangerous here, but clean up your autostart and browser add-ons ;)
If it's not a problem, could you check this for me:
and on the side, yesterday I got rid of C:\WINDOWS\services.exe, is that owntibia?
Logfile of HijackThis v1.99.1
Scan saved at 13:37:33, on 2007-06-20
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\AntiVir PersonalEdition Classic\sched*****
C:\Program Files\AntiVir PersonalEdition Classic\avguard*****
C:\WINDOWS\System32\nvsvc32*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\Explorer*****
C:\Program Files\AntiVir PersonalEdition Classic\avgnt*****
C:\WINDOWS\System32\ctfmon*****
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch*****
C:\Program Files\Skype\Phone\Skype*****
E:\Programy\Gadu-Gadu\gg*****
C:\Program Files\ivo\UniSpiker-2.6\uni_spiker-2.6*****
C:\WINDOWS\System32\devldr32*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\DOCUME~1\Maciek\USTAWI~1\Temp\Rar$EX00.775\HijackThis*****
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt*****" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05*****
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\System32\ctfmon*****
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch*****"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype*****" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Programy\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [IDMan] D:\Przyspieszacz\Internet Download Manager\IDMan***** /onboot
O4 - Startup: UniSpiker-2.6.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl*****
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched*****
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32*****
World_of_naabz
20-06-2007, 14:54
D:\Gry\Tibia 7.92\TibiaBot NG\loader*****
D:\Gry\Tibia 7.92\TibiaBot NG\loader*****
not nice...
O4 - HKLM\..\Run: [Alcmtr] ALCMTR*****
spyware... (harmless, but it slows things down)
Thanks :)
@NG
Admittedly I never afk on the bot, but when 1 skill goes up every ~12h I can't bear to watch it...
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
this can probably be removed
owntibia very often disguises itself as c:\windows\services***** because those kids can't change it.
please take a look at this log:
Logfile of HijackThis v1.99.1
Scan saved at 08:53:37, on 2007-06-23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss*****
C:\WINNT\system32\winlogon*****
C:\WINNT\system32\services*****
C:\WINNT\system32\lsass*****
C:\WINNT\system32\svchost*****
C:\Program Files\Common Files\Symantec Shared\ccSetMgr*****
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr*****
C:\Program Files\Common Files\Symantec Shared\ccProxy*****
C:\Program Files\Common Files\Symantec Shared\SNDSrvc*****
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc*****
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc*****
C:\WINNT\system32\spoolsv*****
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService*****
C:\WINNT\System32\svchost*****
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc*****
C:\Program Files\Nero\Nero 7\InCD\InCDsrv*****
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc*****
C:\WINNT\System32\nvsvc32*****
C:\WINNT\system32\regsvc*****
C:\WINNT\system32\MSTask*****
C:\WINNT\System32\WBEM\WinMgmt*****
C:\WINNT\system32\svchost*****
C:\WINNT\System32\svchost*****
C:\WINNT\Explorer*****
C:\Program Files\Java\jre1.6.0_01\bin\jusched*****
C:\Program Files\Nero\Nero 7\InCD\NBHGui*****
C:\Program Files\Nero\Nero 7\InCD\InCD*****
C:\WINNT\services*****
C:\Program Files\Common Files\Symantec Shared\ccApp*****
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor*****
C:\Program Files\Weather Alarm Clock\WeatherAlarmClock*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService*****
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr*****
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Documents and Settings\Bartek.BARTEK\Pulpit\hijackthis\HijackThis*****
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync***** /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched*****"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon*****" -lang 1033 -lock
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon*****"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck*****
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui*****
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD*****
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop*****" /startup
O4 - HKLM\..\Run: [kernell31] C:\WINNT\services*****
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp*****"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt*****
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl*****"
O4 - HKCU\..\Run: [Expressivo] "C:\Program Files\ivo\Expressivo\expressivo*****" -t
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor*****"
O4 - HKCU\..\Run: [zRain] C:\Program Files\Weather Alarm Clock\zRain*****
O4 - HKCU\..\Run: [WeatherAlarmClock] C:\Program Files\Weather Alarm Clock\WeatherAlarmClock*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr*****
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc*****
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy*****
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr*****
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost*****
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService*****
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin*****
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager*****
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc*****
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv*****
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1*****
O23 - Service: Usługa Auto-Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc*****
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService*****
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService*****
O23 - Service: Usługa Norton Protection Center (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32*****
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan*****
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc*****
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc*****
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc*****
C:\WINNT\system32\services*****
is there something in this file?
yahoopila
23-06-2007, 10:19
Nice guide;p. I don't download anything suspicious, so I don't get hacked (knock on wood). Guide 10/10 XDD
C:\WINNT\system32\services*****
is there something in this file?
You have it in two locations, and this one is most likely owntibia.
O4 - HKLM\..\Run: [kernell31] C:\WINNT\services*****
Use "fix it" or delete it from the registry manually.
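The check the replies above apply by eye (a core system binary such as services.exe running from two directories, and a Run key pointing at the copy that sits outside system32) can be scripted. The block below is an added example, not code posted in this thread or part of HijackThis; it runs on a constructed, trimmed log in the same shape as the ones posted here, and it generalises the idea to several system32-only binary names rather than services.exe alone. The `kernell31` value name is taken from the log quoted above; every path in the sample is illustrative.

```python
"""Flag HijackThis log entries where a core Windows binary name appears
outside %windir%\\system32, the pattern this thread uses to spot owntibia
masquerading as services.exe. Added example; not HijackThis code."""
import re
from pathlib import PureWindowsPath

# Binaries that belong in %windir%\system32 on Windows 2000/XP. A process or
# Run entry using one of these names from another directory deserves a look
# (explorer.exe legitimately lives in %windir% itself, so it is left out).
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe",
                 "winlogon.exe", "smss.exe", "csrss.exe", "spoolsv.exe"}

# Constructed sample log (not any one user's log from the thread).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\services.exe
C:\Program Files\Mozilla Firefox\firefox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kernell31] C:\WINNT\services.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# O4 lines look like: O4 - HKLM\..\Run: [ValueName] command
RUN_RE = re.compile(r'^O4 - (HK\S*?)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
# First executable in a Run command, quoted or not, ignoring its arguments.
EXE_RE = re.compile(r'^"?([^"]*?\.exe)"?', re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into running processes and O4 Run entries.
    Returns (processes, runs); each run is (hive, value_name, command)."""
    processes, runs = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = RUN_RE.match(line)
        if m:
            in_processes = False
            runs.append(m.groups())
            continue
        if re.match(r'^[A-Z]\d+ - ', line):   # any other R*/O* section line
            in_processes = False
        elif in_processes:
            processes.append(line)
    return processes, runs


def exe_from_command(command):
    """Return the executable path from a Run value, or None if none found."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else None


def in_system32(path):
    """True if path is directly inside C:\\WINDOWS\\system32 (or WINNT)."""
    p = PureWindowsPath(path)
    return (p.parent.name.lower() == "system32"
            and p.parent.parent.name.lower() in ("windows", "winnt"))


def analyze(text):
    """Return (kind, detail) findings for a HijackThis log."""
    processes, runs = parse_log(text)
    findings = []
    for proc in processes:
        if PureWindowsPath(proc).name.lower() in SYSTEM32_ONLY and not in_system32(proc):
            findings.append(("process_outside_system32", proc))
    for hive, name, command in runs:
        exe = exe_from_command(command)
        if exe is None or PureWindowsPath(exe).parent.name == "":
            continue                        # bare names such as RTHDCPL.EXE
        if PureWindowsPath(exe).name.lower() in SYSTEM32_ONLY and not in_system32(exe):
            findings.append(("run_entry_outside_system32", f"{hive} [{name}] {exe}"))
    # The "same file name in two locations" check from the thread.
    seen = {}
    for proc in processes:
        p = PureWindowsPath(proc)
        seen.setdefault(p.name.lower(), set()).add(str(p.parent).lower())
    for name, dirs in seen.items():
        if len(dirs) > 1:
            findings.append(("duplicate_basename", f"{name}: {sorted(dirs)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```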
Wladca sedesu
23-06-2007, 16:34
please check mine:
Logfile of HijackThis v1.99.1
Scan saved at 15:03:56, on 2007-06-23
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Eset\nod32krn*****
C:\WINDOWS\system32\nvsvc32*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\RUNDLL32*****
C:\WINDOWS\RTHDCPL*****
C:\Program Files\CyberLink\PowerDVD\PDVDServ*****
C:\Program Files\Eset\nod32kui*****
C:\Program Files\Java\jre1.6.0_01\bin\jusched*****
C:\Program Files\Gadu-Gadu\gg*****
C:\WINDOWS\system32\wuauclt*****
C:\Program Files\Winamp\winamp*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Documents and Settings\Daniel\Pulpit\HijackThis*****
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://bosbank24.pl/twojekonto
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel*****
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL*****
O4 - HKLM\..\Run: [Alcmtr] ALCMTR*****
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ*****"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui*****" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched*****"
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader*****
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl*****
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9*****
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
what's fix checked, and will something happen to the system??
we fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR*****
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services*****
For me it's the end of Tibia, same as for my buddy. I lost almost nothing, but my buddy lost an 87 EK with an Avenger. Somehow we feel lighter, though ;) The great time-eater is gone for good. But first, a hack for the hacker :evul:
Can I add this right away
127.0.0.1 owntibia.com
127.0.0.1 vip.owntibia.com
127.0.0.1 87.98.239.19
to the hosts file, right? If I'm 2 days after a format :D
Yes, and also add:
127.0.0.1 wizzard.home.pl
@up
Why that one too? :PPP
Hmm, so I rooked my 85 pally, but I have cash on the wire and I thought I had a keylogger, so I didn't log in; I scanned with Avast and NOD32, Avast detected trojans and removed them all, but it didn't detect the keylogger. I logged in on a 10 sorc and I got hacked :P and now I found this file xxx.bat, is this owntibia? ;> or a regular keylogger
I uploaded the screenshot to my album http://s94.photobucket.com/albums/l96/Pazdi/?action=view&current=lol-1.jpg
I also found its icon in system32, it was under the name sys34, but I ended the process and deleted it; it was that IP changer for OTS 8.0 keylogger :P
You have the Lord of Tibia keylogger.
Davido16
26-06-2007, 12:10
It started with a "supposed" program for password-protecting folders. Then NOD started going crazy, so I removed it. I thought it was OK, but today when I launched Tibia, the active window kept changing while I was logging in. Today I look with HijackThis and I have the process from that program and services.exe
http://img171.imageshack.us/my.php?image=exploitiv5.png
Should I remove that, @up?
Logfile of HijackThis v1.99.1
Scan saved at 19:32:58, on 2007-06-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\SOUNDMAN*****
C:\PROGRA~1\NEOSTR~1\CnxMon*****
C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
C:\Program Files\HP\HP Software Update\HPWuSchd*****
C:\Program Files\Java\j2re1.4.2_06\bin\jusched*****
C:\Program Files\GameDeviceDriver\RFPIcon*****
C:\WINDOWS\system32\rundll32*****
C:\Program Files\Common Files\Real\Update_OB\realsched*****
C:\Program Files\Winamp\winampa*****
C:\Program Files\QuickTime\qttask*****
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1**** *
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\Program Files\LClock\LClock*****
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Skype\Phone\Skype*****
C:\valve\steam\steam*****
C:\Program Files\Common Files\Teleca Shared\CapabilityManager*****
C:\Program Files\Messenger\msmsgs*****
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon*****
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1**** *
C:\Program Files\HP\Digital Imaging\bin\hpqtra08*****
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare*****
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater*****
C:\Program Files\Common Files\Teleca Shared\Generic*****
C:\WINDOWS\system32\CTSvcCDA*****
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM*****
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\MsPMSPSv*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
C:\WINDOWS\system32\HPZipm12*****
C:\WINDOWS\system32\wuauclt*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Opera\Opera*****
C:\Program Files\WinRAR\WinRAR*****
C:\DOCUME~1\MATEUS~1\USTAWI~1\Temp\Rar$EX00.031\Hi jackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN*****
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon*****
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch*****
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd*****"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg*****
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched*****
O4 - HKLM\..\Run: [RTBatteryMeter] C:\Program Files\GameDeviceDriver\RFPIcon*****
O4 - HKLM\..\Run: [CleanRegPath] C:\PROGRA~1\ADSLUT~1\CleanReg*****
O4 - HKLM\..\Run: [CnxTrApp] rundll32***** "C:\Program Files\ADSL USB Router\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched*****" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask*****" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1**** *
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1*****
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock*****
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher*****" /startoptions
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype*****" /nosplash /minimized
O4 - HKCU\..\Run: [ssgrate*****] C:\WINDOWS\system32\winsystems*****
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam*****" -silent
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon*****
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen*****
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON*****
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader*****
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon*****
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT*****
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08*****
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare*****
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater*****
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON*****
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCzfw012YYPL
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL*****/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/CursorManiaFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_21.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/eng/snooker_2_0_0_21.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA*****
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12*****
There's a 90% chance it's owntibia here, because after scanning the computer it didn't find any virus. If someone knows this stuff, please help, because to me it's black magic :/ and a format is out of the question for me because I have quite a few important things on the computer :|:/
@davido16
You have owntibia, use FindIt or remove it manually. Then post a log again.
@matej91
Your log looks clean to me.
Also scan it at http://www.hijackthis.de/en
@Matej
You have the "myglobalsearch" spyware.
Remove this:
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
Could that have been the cause of the hack?
No, it just slows the computer down a bit.
Davido16
28-06-2007, 16:43
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:35:10, on 2007-06-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Eset\nod32krn*****
C:\WINDOWS\system32\nvsvc32*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\wscntfy*****
C:\WINDOWS\system32\RUNDLL32*****
C:\WINDOWS\SOUNDMAN*****
C:\Program Files\Java\jre1.5.0_11\bin\jusched*****
C:\Program Files\Eset\nod32kui*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Messenger\msmsgs*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Kalendarz XP\Kalendarz*****
C:\Program Files\AVerTV\QuickTV*****
C:\Program Files\UltraVNC\winvnc*****
C:\Program Files\Tlen.pl\tlen*****
C:\WINDOWS\system32\svchost*****
C:\totalcmd\TOTALCMD*****
C:\Program Files\Winamp\winamp*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Documents and Settings\Dawid\Pulpit\Z neta\HiJackThis_v2*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Multi_Media toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMul0.dll
O1 - Hosts: 69.80.225.31 nprotect.ryl.com.my
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Multi_Media toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMul0.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Multi_Media toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMul0.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN*****
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched*****"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui*****" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader*****
O4 - Startup: Adobe.lnk = C:\Program Files\UltraVNC\winvnc*****
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader*****
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl*****
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz*****
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV*****
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL*****/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet*****
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet*****
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O15 - Trusted Zone: http://mks.com.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{5278F8BC-87BD-49C4-82A0-A29C186E5C58}: NameServer = 194.204.159.1,194.204.159.34
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc*****
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
--
End of file - 5895 bytes
I removed it with HijackThis... is it clean?
So what, do I have some mega hyper undetectable owntibia? :P ehh, I feel a format is close... or maybe I'll scan the computer with something other than MKS, which online scanner do you recommend?
@Davido
What are those entries next to ctfmon?
@Up
Post logs from Gmer and Silent Runners.
Davido16
28-06-2007, 17:27
[Y] O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon***** - This entry was classified from our visitors as good.
[Y] O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA LOKALNA') - Office related
[Y] O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA SIECIOWA') - Office related
[Y] O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'SYSTEM') - Office related
[Y] O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'Default user') - Office related
It says they're probably fine... (?)
uther, first I need to know what Gmer and Silent Runners are :)
@Up
Type it into Google and you'll find it :P
@Davido
I was only asking out of pure curiosity :P
granat85
28-06-2007, 22:13
Logfile of HijackThis v1.99.1
Scan saved at 20:23:38, on 2007-06-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Ahead\InCD\InCDsrv*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Eset\nod32krn*****
C:\WINDOWS\system32\nvsvc32*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\SOUNDMAN*****
C:\WINDOWS\system32\RUNDLL32*****
C:\Program Files\Eset\nod32kui*****
C:\Program Files\Gadu-Gadu\gg*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Windows Media Player\wmplayer*****
C:\Program Files\Gadu-Gadu\gg*****
C:\DOCUME~1\ZWADZIK\USTAWI~1\Temp\devilr*****
C:\Program Files\Opera\Opera*****
C:\WINDOWS\system32\wuauclt*****
D:\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN*****
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui*****" /WAITSERVICE
O4 - HKLM\..\Run: [iPlusManager] C:\Program Files\iPlus\iPlusChecker*****
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\sytem32\devilr*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag***** (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag***** (file missing)
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF52C0DC-8557-4001-B3A6-38ED379AE4DB}: NameServer = 212.2.96.51 212.2.96.52
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv*****
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn*****
O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd*****" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Is my computer clean or not? Because when I log in to my account on Tibia, the iexplore***** process pops up.
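As an added example (not a tool posted by anyone in this thread), a small Python checker that applies the thread's rules of thumb to HijackThis O4 Run entries and to the hosts file: it flags a core Windows binary name such as services.exe launched from anywhere but system32, a Run target in a look-alike directory such as the 'sytem32' in the log above, and reports which of the four 127.0.0.1 entries recommended earlier are missing from hosts. The sample log and hosts lines are constructed; the entry names mirror the ones posted in the thread, with the forum's "*****" censoring of ".exe" restored.

```python
"""Checks modelled on this thread's advice (added example, not a poster's tool):
 1. HijackThis O4 Run entries whose target borrows the name of a core Windows
    binary but runs from outside %SystemRoot%\\system32 (C:\\WINDOWS\\services.exe),
    or runs from a look-alike directory such as 'sytem32'.
 2. A hosts file missing the 127.0.0.1 sinkhole entries recommended in the thread.
"""
import difflib
import re
from typing import List, Optional, Tuple

# Binaries that legitimately start only from %SystemRoot%\system32
CORE_BINARIES = {"services.exe", "lsass.exe", "winlogon.exe",
                 "smss.exe", "csrss.exe", "svchost.exe"}

# Sinkhole names the thread tells readers to map to 127.0.0.1
REQUIRED_HOSTS = {"owntibia.com", "vip.owntibia.com",
                  "87.98.239.19", "wizzard.home.pl"}

# Shape of a Run-key line: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First drive-letter path ending in .exe inside the command, quoted or not
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

# Constructed sample lines modelled on entries posted in this thread
# (the forum censored ".exe" to "*****"; restored here for the sample)
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [orcToByloLatwe] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\sytem32\devilr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

SAMPLE_HOSTS = """\
# constructed hosts file: two of the four recommended entries are present
127.0.0.1       localhost
127.0.0.1 owntibia.com
127.0.0.1 vip.owntibia.com
"""


def extract_target(cmd: str) -> Optional[str]:
    """Return the .exe path a Run command launches, or None (e.g. rundll32 stubs)."""
    m = EXE_RE.search(cmd)
    return m.group(1) if m else None


def is_lookalike_system_dir(directory: str) -> bool:
    """True for a directory whose last component nearly spells system32 but does
    not, e.g. C:\\WINDOWS\\sytem32. The real system32 and the legitimate
    C:\\WINDOWS\\system directory both return False."""
    last = directory.lower().rstrip("\\").rsplit("\\", 1)[-1]
    if last == "system32":
        return False
    return difflib.SequenceMatcher(None, last, "system32").ratio() >= 0.9


def check_hijackthis(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for O4 Run entries that deserve a look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        target = extract_target(m.group("cmd"))
        if target is None:
            continue
        directory, _, base = target.lower().rpartition("\\")
        if base in CORE_BINARIES and not directory.endswith("\\system32"):
            findings.append(("core binary name outside system32", line))
        elif is_lookalike_system_dir(directory):
            findings.append(("look-alike system directory", line))
    return findings


def missing_sinkholes(hosts_text: str) -> List[str]:
    """Return the recommended sinkhole names not yet mapped to 127.0.0.1."""
    mapped = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            mapped.update(f.lower() for f in fields[1:])
    return sorted(REQUIRED_HOSTS - mapped)


if __name__ == "__main__":
    for reason, line in check_hijackthis(SAMPLE_LOG):
        print(f"[{reason}] {line}")
    for name in missing_sinkholes(SAMPLE_HOSTS):
        print(f"hosts file lacks: 127.0.0.1 {name}")
```

The hosts file only answers name lookups, so the `127.0.0.1 87.98.239.19` line has no effect on a connection made directly to that IP address; it is checked here only because the thread recommends it.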
Kochan666
29-06-2007, 19:17
I don't know what to remove. Can you help?
Logfile of HijackThis v1.99.1
Scan saved at 18:08:39, on 2007-06-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
D:\Programy\Avast\aswUpdSv*****
D:\Programy\Avast\ashServ*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM*****
C:\Program Files\Analog Devices\SoundMAX\SMAgent*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
D:\Programy\Avast\ashMaiSv*****
D:\Programy\Avast\ashWebSv*****
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP*****
C:\Program Files\Analog Devices\SoundMAX\Smax4*****
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****
C:\PROGRA~1\NEOSTR~1\CnxMon*****
C:\Program Files\Neostrada TP\NeostradaTP*****
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****
C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5*****
D:\Programy\Avast\ashDisp*****
D:\Programy\Winamp\winampa*****
C:\Program Files\QuickTime\qttask*****
C:\Program Files\Common Files\Real\Update_OB\realsched*****
C:\Program Files\Neostrada TP\ComComp*****
C:\WINDOWS\system32\ctfmon*****
D:\Programy\DAEMON Tools\daemon*****
D:\Programy\Gadu-Gadu\gg*****
C:\Program Files\Neostrada TP\Watch*****
C:\WINDOWS\system32\wuauclt*****
D:\Programy\Winamp\winamp*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Program Files\Internet Explorer\iexplore*****
D:\Programy\Avast\ashSimpl*****
\?\C:\WINDOWS\system32\WBEM\WMIADAP*****
D:\Programy\jhj\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: Online_TV toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Program Files\Online_TV\tbOnli.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programy\adobe reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Online_TV toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Program Files\Online_TV\tbOnli.dll
O3 - Toolbar: Online_TV toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Program Files\Online_TV\tbOnli.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP*****
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4*****" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon*****
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch*****
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5*****
O4 - HKLM\..\Run: [avast!] D:\Programy\Avast\ashDisp*****
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [WinampAgent] D:\Programy\Winamp\winampa*****
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask*****" -atboottime
O4 - HKLM\..\Run: [e-Kiosk] "D:\Kohan\Newsweek\e-Kiosk Reader\eGazetaST*****"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched*****" -osboot
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Programy\DAEMON Tools\daemon*****" -lang 1033
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Programy\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [Steam] "d:\programy\steam\steam*****" -silent
O4 - Startup: hamachi.lnk = D:\Programy\Hamachi\hamachi*****
O4 - Startup: Registration Prince of Persia T2T.LNK = D:\Bartek\pop3\Support\Register\RegistrationRemind er*****
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Programy\adobe reader\Reader\reader_sl*****
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\Programy\MSOFFI~1\OFFICE11\EXCEL*****/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Programy\MSOFFI~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{73A6C9CD-3548-4264-8210-9C885489619C}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CCS\Services\Tcpip\..\{978CBDCA-2251-4BF0-AF6F-5A07F06F09A3}: NameServer = 194.204.159.1,217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Programy\Avast\aswUpdSv*****
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: avast! Antivirus - ALWIL Software - D:\Programy\Avast\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programy\Avast\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Programy\Avast\ashWebSv*****" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent*****
@Up
Looks clean to me... just some harmless junk like toolbars ;)
But that's nothing to worry about.
Kochan666
29-06-2007, 23:26
That's exactly the point: I got hacked today :(
And I don't know whether it removed all the keyloggers and whether I can play :]
There's nothing in the log, but I'm not 100% sure.
Kochan666
29-06-2007, 23:34
I downloaded the programs "Findit" and "Owntibia Deleter" and it says:
"Nie znaleziono OwnTibia, Nie znaleziono Lord of Tibia, Nie znaleziono Tibia Mail,
Nie znaleziono Tibia Loger" (OwnTibia, Lord of Tibia, Tibia Mail and Tibia Loger not found). It should be clean now. But I still don't know whether to log in with my main character.
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
I don't like this; normally there's no registry entry with ctfmon***** (there's just ctfmon). Can anyone advise?
For myself (but I'll give it to you too ;)) I wrote a little program in DOS that protects against the installation of new keyloggers. Only it protects, it doesn't remove! But better safe than sorry ;). And one more thing: it doesn't work on Tibia Mail, I tried, but it didn't work out. click (http://rapidshare.com/files/40264729/delete_keyloggers.pif.html)
delete_keyloggers.pif
OMFG another Neo kid - get out!
@xoz
That's a valid entry :P Don't worry :]
@edit
I looked through the thread and someone writes that they don't know what's up with the entry:
O17 - HKLM\System\CS3\Services\Tcpip\..\{5CBF62E0-227F-470B-8809-5304E1B704AD}: NameServer = 194.204.152.34,217.98.63.164
Those are Neostrada's DNS servers. Remove them -> no internet.
Is it true that if you have a dynamic IP (e.g. we have Neo internet) they can't hack us? X(
@Up
-.- n/c
Is it true that if you have a dynamic IP (e.g. we have Neo internet) they can't hack us? X(
No, it only improves your computer's security a little, because it's harder to do a port scan etc. ;)
C:\WINDOWS\system32\drivers\etc --
I don't have a hosts file there. What should I do?
I got hacked - I thoughtlessly opened scr.exe. I scanned the computer for two days. This morning Ad-Aware and Kaspersky Internet Security found nothing. I'm afraid, though, that the trojan may still be hidden somewhere:
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 15:12:36, on 2007-07-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Intel\Wireless\Bin\EvtEng*****
C:\Program Files\Intel\Wireless\Bin\S24EvMon*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\Explorer*****
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp*****
C:\Acer\Empowering Technology\admServ*****
C:\WINDOWS\system32\rundll32*****
C:\WINDOWS\RTHDCPL*****
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins*****
C:\WINDOWS\eHome\ehRecvr*****
C:\Program Files\Synaptics\SynTP\SynTPEnh*****
C:\Acer\Empowering Technology\admtray*****
C:\WINDOWS\eHome\ehSched*****
C:\Acer\Empowering Technology\ePower\ePower_DMC*****
C:\PROGRA~1\LAUNCH~1\LManager*****
C:\Acer\Empowering Technology\eRecovery\Monitor*****
C:\Program Files\Common Files\LightScribe\LSSrvc*****
C:\WINDOWS\system32\ElkCtrl*****
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm*****
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Messenger\msmsgs*****
C:\WINDOWS\system32\lvcomsx*****
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr*****
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray*****
C:\Program Files\Intel\Wireless\Bin\RegSrvc*****
C:\WINDOWS\system32\svchost*****
C:\DOCUME~1\Darek\LOCALS~1\Temp\RtkBtMnt*****
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost*****
C:\WINDOWS\system32\wbem\unsecapp*****
C:\WINDOWS\system32\dllhost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\OpenOffice.org 2.1\program\soffice*****
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Tibia\Tibia*****
C:\PROGRA~1\Mozilla Firefox\firefox*****
C:\Documents and Settings\Darek\Desktop\hijackthis~\HijackThis*****
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aceradvantage.com/stdreg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray*****
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd*****
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers*****
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32***** bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL*****
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh*****
O4 - HKLM\..\Run: [ADMTray*****] "C:\Acer\Empowering Technology\admtray*****"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG*****" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst***** /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP***** /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP***** /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp*****"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC*****
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management***** boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager*****
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor*****
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl***** /automation
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck*****
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Program Files\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater*****" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc*****" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm*****
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp*****"
O4 - HKCU\..\Run: [ctfmon*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Wyślij do urządzenia &Bluetooth... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag***** (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag***** (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171381205433
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp*****" -r (file missing)
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ*****
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins*****
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr***** (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr***** (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng*****
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc*****
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc*****" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv***** (file missing)
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr*****" -sPINNACLESYS (file missing)
O23 - Service: Norton Protection Center Service (NSCService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE***** (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost*****
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc*****
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd*****" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon*****
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer*****
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc***** (file missing)
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent*****" -i PINNACLESYS (file missing)
Post the log on the site in my signature ;)
Hmm... 105 EK... and he fell for the h4x0rs' tricks ;)
Post the log on the site in my signature ;)
Hmm... 105 EK... and he fell for the h4x0rs' tricks ;)
http://forum.idg.pl/index.php?showtopic=96228
http://forum.pclab.pl/t268878.html
I posted it on these two forums. Where else should I put the log??
I replied on idg.pl ;)
As for the hosts file, use HijackThis to edit it.
luxbartek
02-07-2007, 11:32
The guide isn't bad. Maybe it will help those who don't want to get hacked, but I doubt it.
One thing is missing for me, though... :P
If a proxy is configured in Internet Explorer, those redirected hosts do nothing!
Redirected, because that's what you can call it; they are not blocked, they would be blocked if they were entered in some firewall.
Actually I'd advise removing IEXPLORE***** entirely from the \Windows\System32\dllcache and \Program Files\Internet Explorer directories and using Firefox or Opera ;S
Or better yet, throw out M$ Shit entirely and install Linux
@Up
-.- n/c
No, it just improves your PC's security a bit, because port scanning etc. becomes harder ;)
Nonsense :-)
Why would a dynamic IP supposedly make port scanning harder? And what does it matter that some pr0 h4x0r knows which services you have running on your PC if he can't exploit them anyway...
And it certainly won't improve security... h4xi0r!
I have a question... after securing it, my hosts file should look like this:
127.0.0.1 localhost
127.0.0.1 owntibia.com
127.0.0.1 vip.owntibia.com
127.0.0.1 87.98.239.19
127.0.0.1 wizzard.home.pl
????
Did I do it right? ;p
Logfile of HijackThis v1.99.1
Scan saved at 21:18:23, on 2007-07-13
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr*****
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc*****
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm*****
C:\WINDOWS\System32\nvsvc32*****
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss*****
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui*****
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui*****
C:\WINDOWS\System32\WgaTray*****
C:\WINDOWS\Explorer*****
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc*****
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc*****
D:\gry\steam\steam*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Teamspeak2_RC2\TeamSpeak*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Program Files\WinRAR\WinRAR*****
C:\DOCUME~1\Artur\USTAWI~1\Temp\Rar$EX01.891\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: l2authd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll (file missing)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc*****
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc***** /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "d:\gry\steam\steam*****" -silent
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [Komunikator] "C:\Program Files\Tlen.pl\tlen*****" --confdir=home
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.74\AMVConverter\grab.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL*****/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 3.74\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178306987437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178306949765
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr*****
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc*****
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32*****
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss*****
Clean? :cyclops:
@up
yeeeah
you've got just about the nicest log I've ever read :)
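The hosts file posted above, and the earlier remark that a proxy configured in Internet Explorer bypasses these entries, both come down to how hosts is consulted: it maps names to addresses for the local resolver only. Traffic sent through an HTTP proxy is resolved by the proxy, so no script can confirm that case from the file alone. The check below is an added example, not code from this thread or from HijackThis: it parses a hosts file in the drivers\etc format, confirms the localhost line survived, confirms the three sinkhole names are mapped to a loopback address, and flags one entry that cannot take effect: a line whose "name" is an IP literal (127.0.0.1 87.98.239.19), since resolvers look names up in hosts, never addresses. SAMPLE_HOSTS is constructed to mirror the posted file and REQUIRED_SINKHOLES is my name for the set taken from the guide's step 3.

```python
"""Audit a Windows hosts file of the kind posted in this thread.  Added example,
not code from the thread or from HijackThis.  SAMPLE_HOSTS is constructed to
mirror the posted file; REQUIRED_SINKHOLES holds the names from the guide."""

import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the posted entries plus the comment and blank line a stock
# %SystemRoot%\system32\drivers\etc\hosts carries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost

127.0.0.1 owntibia.com
127.0.0.1 vip.owntibia.com
127.0.0.1 87.98.239.19
127.0.0.1 wizzard.home.pl
"""

# Names the guide tells readers to sinkhole.  The IP literal is left out on
# purpose: hosts can redirect a name, never an address.
REQUIRED_SINKHOLES = {"owntibia.com", "vip.owntibia.com", "wizzard.home.pl"}
SINKHOLE_PREFIXES = ("127.", "0.0.0.0")


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names...]) per entry; '#' comments and blank lines dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if names:                       # an address with no names maps nothing
            entries.append((addr, names))
    return entries


def is_ip_literal(token: str) -> bool:
    """True if the token parses as an IPv4/IPv6 address rather than a host name."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_hosts(text: str, required=REQUIRED_SINKHOLES) -> Dict[str, object]:
    """Check the localhost line, the required sinkholes and entries that can't work."""
    mapped: Dict[str, str] = {}
    ineffective: List[str] = []
    for addr, names in parse_hosts(text):
        for name in names:
            if is_ip_literal(name):
                # Never consulted: the resolver queries hosts by name, not by address.
                ineffective.append(name)
            else:
                # First entry for a name wins, as it does for the Windows resolver.
                mapped.setdefault(name.lower(), addr)
    return {
        "localhost_ok": mapped.get("localhost") == "127.0.0.1",
        "missing": sorted(n for n in required if n.lower() not in mapped),
        "sinkholed": sorted(n for n in required
                            if mapped.get(n.lower(), "").startswith(SINKHOLE_PREFIXES)),
        "ineffective": ineffective,
    }


if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

Run against the posted file, the audit reports the localhost line intact, all three names sinkholed, nothing missing, and 87.98.239.19 as an entry with no effect; pasting in a file that lost its localhost line (a common result of editing it by hand) turns localhost_ok false.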
maticusso
13-07-2007, 23:55
My log!
I'm not sure about a few of them, but I did a format today, if that helps :P
I don't want to screw up the system again, so I'm waiting for advice on what to get rid of :>
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:46:06, on 2007-07-13
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol*****
C:\WINDOWS\system32\Rundll32*****
C:\PROGRA~1\NEOSTR~1\CnxMon*****
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****
C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\WINDOWS\system32\ctfmon*****
C:\WINDOWS\system32\CTsvcCDA*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
C:\PROGRA~1\NEOSTR~1\ComComp*****
C:\PROGRA~1\NEOSTR~1\Watch*****
D:\Program Files\Gadu-Gadu\gg*****
C:\PROGRA~1\MOZILL~1\FIREFOX*****
C:\Program Files\Windows Media Player\wmplayer*****
C:\WINDOWS\system32\taskmgr*****
D:\Program Files\Trend Micro\HijackThis\HijackThis*****
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol***** /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg*****
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon*****
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch*****
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [BearShare] "D:\Program Files\BearShare\BearShare*****" /pause
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'Default user')
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O17 - HKLM\System\CCS\Services\Tcpip\..\{1833B75D-28FE-4C0F-803C-8A2D00BA70C6}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{1833B75D-28FE-4C0F-803C-8A2D00BA70C6}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv*****
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA*****
Piterownik
16-07-2007, 16:24
Could I get a quick look, please ;D
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:02:45, on 2007-07-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw*****
C:\Program Files\Eset\nod32krn*****
C:\WINDOWS\system32\nvsvc32*****
C:\Program Files\Outpost Firewall\outpost*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\RTHDCPL*****
C:\Program Files\Eset\nod32kui*****
C:\WINDOWS\system32\RUNDLL32*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Spybot - Search & Destroy\TeaTimer*****
C:\WINDOWS\system32\wuauclt*****
C:\Documents and Settings\Pit\Pulpit\HiJackThis*****
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL*****
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Outpost Firewall\outpost***** /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Outpost Firewall\feedback***** /dump:os_startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui*****" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'Default user')
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Outpost Firewall\outpost*****
Piterownik
17-07-2007, 09:55
Thanks <10 characters>
mateuszKnight
17-07-2007, 13:42
Nicely written guide, it helped me a lot. Big thx to the author ;p
gruszeczek
19-07-2007, 20:39
Logfile of HijackThis v1.99.1
Scan saved at 19:29:13, on 2007-07-19
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Running processes:
C:\Windows\system32\Dwm*****
C:\Windows\system32\taskeng*****
C:\Windows\Explorer*****
C:\Program Files\Windows Defender\MSASCui*****
C:\Program Files\Motorola\SMSERIAL\sm56hlpr*****
C:\Program Files\AntiVir PersonalEdition Classic\avgnt*****
C:\Windows\RtHDVCpl*****
C:\Program Files\Winamp\winampa*****
C:\Program Files\ATI Technologies\ATI.ACE\CLI*****
C:\Program Files\Google\Google Talk\googletalk*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Windows Media Player\wmpnscfg*****
C:\Program Files\Winamp\winamp*****
C:\Program Files\ATI Technologies\ATI.ACE\CLI*****
C:\Program Files\ATI Technologies\ATI.ACE\CLI*****
C:\Program Files\Avant Browser\avant*****
C:\wamp\wampmanager*****
C:\Users\Patryk\Desktop\HijackThis*****
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui***** -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart*****"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr*****
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt*****" /min
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl*****
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [orcToByloLatwe] C:\WINDOWS\winlogon*****
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck*****
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\svchost*****
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask*****" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk***** /autostart
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG*****
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl*****
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_46.cab
O16 - DPF: {881290B9-F53C-4676-8DAF-3DBEFC297308} (GameDesire Makao) - http://67.15.101.3/g_bin/pl/makao_2_0_0_23.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_35.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched*****
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard*****
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx*****
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost***** (file missing)
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld***** (file missing)
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\Windows\system32\o2flash*****
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost***** (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost***** (file missing)
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd*****" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt*****
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk*****,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk***** (file missing)
Is it clean? Because this worries me:
O4 - HKLM\..\Run: [orcToByloLatwe] C:\WINDOWS\winlogon*****
Owntibia, plain as day, only you have winlogon instead of services...
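What the reply above spots by eye (a Run entry whose binary carries the name of a core Windows process but sits in C:\WINDOWS instead of C:\WINDOWS\system32, under a Run value name that can be anything) can be checked mechanically across a whole log. The script below is an added example, not part of the thread and not HijackThis code: it parses O4 Run-key lines in the format HijackThis prints, pulls the program path out of the command line (quoted or not), and reports any core-process file name found outside system32. The sample log lines are constructed for the demo, with .exe spelled out where the forum filter shows *****; SYSTEM32_ONLY is my list of the XP-era processes that legitimately live only under system32, and explorer.exe is deliberately absent from it because it lives in the Windows root.

```python
"""Flag HijackThis O4 (autostart) entries whose executable borrows the name of a
core Windows process but lives outside %SystemRoot%\\system32.  Added example,
not HijackThis code; the sample lines below are constructed for the demo."""

import ntpath
import re
from typing import Dict, List, Optional

# Core Windows processes that, on Windows XP/2000, are only legitimate under
# %SystemRoot%\system32.  explorer.exe is left out: it lives in the Windows root.
SYSTEM32_ONLY = {"services.exe", "winlogon.exe", "svchost.exe",
                 "lsass.exe", "smss.exe", "csrss.exe"}

# "O4 - <hive>\..\<key>: [<value name>] <command line>"; the hive may carry a
# SID (HKUS\S-1-5-18).  The lazy hive match stops at the first "\..\".
O4_RUN = re.compile(r"^O4 - (?P<hive>HK[^:]*?)\\\.\.\\(?P<key>\w+): "
                    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample in the shape HijackThis prints, mixing benign entries with
# the two Windows-root entries seen in the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [orcToByloLatwe] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""


def parse_o4_line(line: str) -> Optional[Dict[str, str]]:
    """Split one O4 Run-key line into hive, key, value name and command line.
    Returns None for lines that are not Run-key entries (e.g. 'Global Startup')."""
    m = O4_RUN.match(line.strip())
    return m.groupdict() if m else None


def executable_from_command(cmd: str) -> str:
    """Pull the program path out of a Run-key command line: the quoted first
    token, or unquoted tokens accumulated until one ends in '.exe' (HijackThis
    prints 'C:\\Program Files\\...' without quotes when the registry value has none)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts: List[str] = []
    for tok in cmd.split():
        parts.append(tok)
        if tok.lower().endswith(".exe"):
            break
    return " ".join(parts)


def audit_hijackthis_log(text: str) -> List[Dict[str, str]]:
    """One finding per O4 entry that runs a system-named binary from a directory
    other than ...\\system32.  Bare file names (no directory) are skipped: they
    resolve through the search path and cannot be judged from the log alone."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        entry = parse_o4_line(line)
        if not entry:
            continue
        path = executable_from_command(entry["cmd"])
        directory, base = ntpath.split(path)      # ntpath handles Windows paths on any OS
        if not directory or base.lower() not in SYSTEM32_ONLY:
            continue
        if ntpath.basename(directory).lower() != "system32":
            findings.append({
                "hive": entry["hive"], "name": entry["name"], "path": path,
                "reason": f"{base} outside system32 (found in {directory})",
            })
    return findings


if __name__ == "__main__":
    for f in audit_hijackthis_log(SAMPLE_LOG):
        print(f"{f['hive']} [{f['name']}] -> {f['path']}: {f['reason']}")
```

The check keys on where the file sits, not on the Run value name, for exactly the reason given a few posts further down: the name can be anything. Verifying that the flagged file is really in C:\WINDOWS (and that the genuine copy under system32 is untouched) is still a manual step before removing anything.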
gruszeczek
19-07-2007, 20:42
Ah ok, I'm removing it right now; also write that it can be winlogon too
gruszeczek
19-07-2007, 20:44
And if I delete the key, that entry will no longer be in HijackThis?
I won't write that, because it can be any name. Besides, post the log on the idg.pl forum or somewhere similar, because you've still got some junk.
@Edit/up
it won't.
gruszeczek
19-07-2007, 20:45
i.e. what else would I have to remove?
gruszeczek
19-07-2007, 20:47
and when removing, should I not remove services but winlogon instead?
should I do it like in
2. Removal
If we detect Owntibia on our computer, we start Windows in safe mode (F8 key at system start) and run HijackThis again, this time ticking the Owntibia entries and clicking "Fix checked". Then we go to the C:\WINDOWS\ directory and delete the services.exe file using KillBox http://www.idg.pl/ftp/pc_8881/Pocket.KillBox.2.0.0.473.html
Then we restart the computer and make a control log to make sure Owntibia has been neutralized.
Post it on the idg.pl forum, there are experts there who will tell you exactly what to do and how.
@Up
Yes, do everything as I described, just winlogon instead of services, and don't write 500 posts in a row.
gruszeczek
19-07-2007, 21:17
I removed the entry with HijackThis and in KillBox marked C:\WINDOWS\system32\winlogon***** for deletion; when I clicked the red square to delete it, I got logged out. I restarted the computer. Everything should be ok now??
How do I check that I did everything correctly?
Write about it on the idg.pl forum with a new log.
thx, it came in handy :D I think this thread should be pinned
I'm very grateful to you for this thread... :)
Logfile of HijackThis v1.99.1
Scan saved at 20:20:07, on 2007-07-30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\System32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\Explorer*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\System32\CTHELPER*****
C:\PROGRA~1\NEOSTR~1\CnxMon*****
C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\WINDOWS\System32\ctfmon*****
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier*****
C:\Program Files\Creative\MediaSource\Detector\CTDetect*****
C:\Program Files\Messenger\MSMSGS*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon*****
C:\WINDOWS\System32\CTsvcCDA*****
C:\WINDOWS\System32\UAService7*****
C:\WINDOWS\System32\MsPMSPSv*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
C:\WINDOWS\System32\wuauclt*****
C:\Program Files\Neostrada TP\NeostradaTP*****
C:\Program Files\Neostrada TP\ComComp*****
C:\Program Files\Neostrada TP\Watch*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Documents and Settings\Mateusz\Moje dokumenty\majhut@neostrada.pl\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184764752862
O17 - HKLM\System\CCS\Services\Tcpip\..\{16ED3AC6-D9D5-4D75-BE7D-ECD223E97FA3}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{16ED3AC6-D9D5-4D75-BE7D-ECD223E97FA3}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
Could I have something here?? :>
I'd like someone to check mine if possible ;P
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:09:16, on 2007-08-01
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\drivers\lsass.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Documents and Settings\User\Pulpit\drchgfvhgbjhg\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tibia.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\drivers\lsass.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Documents and Settings\User\Pulpit\drchgfvhgbjhg\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pcg: C:\Program Files\Internet Explorer\Plugins\nppcgplg.dll
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{98387A34-4605-4010-B6BE-CE33FE8C762F}: NameServer = 194.204.159.1,194.204.152.34
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
--
End of file - 5664 bytes
@Up
I suggest www.pcformat.pl or idg.pl
@Cbo666
You've got a Sesser or something of that kind; do what the guy above said.
thanks for the help guys :)
you all get a plus from me
Merisquendi
08-08-2007, 13:32
own doesn't work anymore...
but the stealer keeps coming back =/
http://www.youtube.com/watch?v=vSt1HOCzX_M
better of owntibia, better of lord of tibia
Kali make keyloggers.
I'll post my system scan here. I got hacked today, so there must be something in there -,- Please spot the bad processes and suggest how to remove them -,-
Logfile of HijackThis v1.99.1
Scan saved at 12:07:39, on 2007-08-11
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Elantech\ktp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Tibia\Tibia.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://mks.com.pl
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
Thanks in advance
Wiz~
@Up
This
C:\WINDOWS\services.exe
and this
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
you tick with the box next to them and click "fix checked".
And the file C:\WINDOWS\services.exe you delete from the disk manually.
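The rule of thumb the replies in this thread apply by eye (a binary carrying a core Windows name but sitting outside the directory that name belongs in, such as C:\WINDOWS\services.exe next to the genuine C:\WINDOWS\system32\services.exe, or lsass.exe under system32\drivers) can be turned into a small log triage script. The following is an added example, not a tool from this thread or from HijackThis; the expected-directory table, the extra checks (an O4 Run entry with an empty name, an F2 Shell= value that launches more than explorer.exe, a path with lookalike names containing '?') and the sample log lines are my own assumptions, with the sample modelled on the logs posted above.

```python
r"""Triage helper for HijackThis logs.

Added example, not a tool from this thread or from HijackThis. It encodes
the rule of thumb the replies above apply by eye: a binary that carries a
core Windows name but lives outside the directory that name belongs in
(C:\WINDOWS\services.exe beside the genuine C:\WINDOWS\system32\services.exe,
lsass.exe under system32\drivers, spoolsv.exe under a Common Files path),
plus three cheap checks on the same lines: an O4 Run entry with an empty
name, an F2 Shell= value that starts anything besides explorer.exe, and a
path using lookalike names (a '?' where a letter should be).
The expected-directory table below is an assumption for Windows XP.
"""
import re
from dataclasses import dataclass

# Core Windows XP binaries and the directory each is expected to live in
# (assumed table; lower case, no trailing backslash).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "wuauclt.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\drivers\lsass.exe
F2 - REG:system.ini: Shell=explorer.exe C:/windows/services.exe
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\drivers\lsass.exe
O4 - HKCU\..\Run: [Dtth] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Umfexvi] "C:\Program Files\Common Files\?icrosoft.NET\w?aclt.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""

# A drive-letter path ending in .exe, quoted or not, as HijackThis prints it.
_EXE_PATH = re.compile(r'"?([a-z]:[\\/][^"\n]*?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def check_path(path: str):
    """Return why the path looks wrong, or None if it passes the checks."""
    p = path.lower().replace("/", "\\")
    if "?" in p:
        return "lookalike directory or file name (contains '?')"
    directory, _, name = p.rpartition("\\")
    expected = EXPECTED_DIR.get(name)
    if expected is not None and directory != expected:
        return f"{name} outside its expected directory ({expected})"
    return None


def triage(log_text: str):
    """Scan every line of a HijackThis log and collect suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # F2: the Shell= value should be explorer.exe and nothing else.
        if line.startswith("F2 - REG:system.ini: Shell="):
            shell = line.split("Shell=", 1)[1].strip().lower()
            if shell != "explorer.exe":
                findings.append(Finding(line, "extra program appended to Shell="))
            continue
        # O4: an empty Run value name is unusual for legitimate software.
        if line.startswith("O4 - ") and "Run: []" in line:
            findings.append(Finding(line, "Run entry with empty name"))
        # Any other line: check the first .exe path it mentions.
        for match in _EXE_PATH.finditer(line):
            reason = check_path(match.group(1))
            if reason:
                findings.append(Finding(line, reason))
            break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

Run it over a saved log (`triage(open("hijackthis.log").read())`) and review the flagged lines by hand before fixing anything: the directory table deliberately lists only the handful of names this thread keeps seeing copied outside system32, so a clean result from this script is not a clean machine, only a quick first pass.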
Cool_man
12-08-2007, 22:43
Hi. I know you get hundreds of posts like this asking for a log check. I'm posting mine because a few entries bother me...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26:59, on 2007-08-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\D-Tools\daemon.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Qdafo] C:\Program Files\Fgctw\Wktpkit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Server4PC.lnk = C:\Program Files\TechniSat DVB\bin\Server4PC.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_63.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/ArcaOnline.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB49741D-E454-469C-921A-B814D0912334}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
--
End of file - 7854 bytes
I hope it's just a few toolbars or some not-very-dangerous junk. ;)
Two entries are safe, but as for this one:
O4 - HKCU\..\Run: [Qdafo] C:\Program Files\Fgctw\Wktpkit.exe
I don't know, because there's no info about it anywhere.
Matth'ew
20-08-2007, 01:34
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:23:30, on 2007-08-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Konnekt\konnekt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=explorer.exe C:/windows/services.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Konnekt] "C:\Program Files\Konnekt\konnekt.exe" /autostart
O4 - HKCU\..\Run: [Dtth] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Umfexvi] "C:\Program Files\Common Files\?icrosoft.NET\w?aclt.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151070849883
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6064AA82-2B70-4206-8D36-4A0223D7D02B}: NameServer = 194.204.159.1 217.98.63.164
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
--
End of file - 8100 bytes
Thanks in advance :P
Logfile of HijackThis v1.99.1
Scan saved at 20:50:50, on 2007-08-28
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\SYSTEM32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
d:\Program Files\Alwil Software\Avast4\aswUpdSv*****
d:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Analog Devices\SoundMAX\Smtray*****
D:\Program Files\HP\HP Software Update\HPWuSchd2*****
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\Program Files\Java\jre1.6.0_02\bin\jusched*****
D:\Program Files\Creative\Mouse Optical\mouse_2k*****
D:\Program Files\Zone Labs\ZoneAlarm\zlclient*****
D:\Program Files\Google\Gmail Notifier\gnotify*****
C:\Winamp\winampa*****
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier*****
C:\WINDOWS\System32\nvsvc32*****
D:\Program Files\Advanced Registry Doctor\RegDfrgSch*****
C:\WINDOWS\System32\HPZipm12*****
d:\Program Files\Advanced Registry Doctor\RegManServ*****
D:\Program Files\Gadu-Gadu\gg*****
C:\WINDOWS\System32\svchost*****
D:\Program Files\HP\Digital Imaging\bin\hpqtra08*****
D:\Program Files\Vasilios Applications\TranspApps\TranspApps*****
D:\Program Files\HP\Digital Imaging\bin\hpqimzone*****
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08*****
d:\Program Files\Alwil Software\Avast4\ashWebSv*****
d:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\WINDOWS\system32\ZoneLabs\vsmon*****
c:\Winamp\winamp*****
C:\WINDOWS\System32\WgaTray*****
C:\Program Files\firefox*****
C:\Documents and Settings\Przemek\Pulpit\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray*****
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2*****
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr*****
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ*****"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched*****"
O4 - HKLM\..\Run: [CreativeMouse ] d:\Program Files\Creative\Mouse Optical\mouse_2k*****
O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient*****"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] d:\Program Files\Google\Gmail Notifier\gnotify*****
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] c:\Winamp\winampa*****
O4 - HKCU\..\Run: [BPS Spyware Remover] d:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem*****
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier*****
O4 - HKCU\..\Run: ["C:\WINDOWS\SoftwareDistribution\Download\6365088f85b501588ee599470d0e71a8\msmsgs*****" /background] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - HKCU\..\Run: [RegDfrgSch] D:\Program Files\Advanced Registry Doctor\RegDfrgSch***** /tray
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - Startup: TranspApps.lnk = D:\Program Files\Vasilios Applications\TranspApps\TranspApps*****
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08*****
O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08*****
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA*****
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all links using BitComet - res://D:\Program Files\BitComet\BitComet*****/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://D:\Program Files\BitComet\BitComet*****/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://D:\Program Files\BitComet\BitComet*****/AddLink.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL*****/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget*****
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget*****
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS***** (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS***** (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32*****
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12*****
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - d:\Program Files\Advanced Registry Doctor\RegManServ*****
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon*****
I'd ask for a PM, and tell me if you can whether there's any virus/script/other crap lurking in here in general? Because there was a hack recently.
@2up
Neither of you has owntibia or any other shit, maybe some unnecessary toolbars and spyware, I didn't check that carefully.
--Cienius--
29-08-2007, 11:10
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 09:59:56, on 2007-08-29
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm*****
C:\Windows\system32\taskeng*****
C:\Windows\Explorer*****
C:\Program Files\Windows Defender\MSASCui*****
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Users\Paweł\Desktop\HiJackThis_v2*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui***** -hide
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig*****" /auto
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier*****
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u1-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx*****
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService*****
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService*****
--
End of file - 3508 bytes
I want to know whether I'm safe.
PS when I set Vista to show all processes there was a shitload of them...
And I don't know whether to be scared or not.
Looks clean... although I don't know Vista's system processes. Post the log on idg.pl or on forum.pcformat.pl
Knighter2
04-09-2007, 19:35
Hi. I did everything just as you said and it detected the file C:\WINDOWS\services. exe. I just have a question: does it make any difference that I deleted that file normally rather than in Safe Mode? Does it have to be deleted in Safe Mode? PLX for a quick answer. Thanks in advance
KapitanHajdukow
05-09-2007, 09:22
Logfile of HijackThis v1.99.1
Scan saved at 08:10:24, on 2007-09-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\SYSTEM32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51*****
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv*****
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\System32\FTRTSVC*****
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr*****
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv*****
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc*****
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc*****
C:\WINDOWS\Explorer*****
C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin*****
C:\Program Files\Java\jre1.6.0_01\bin\jusched*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\DAEMON Tools\daemon*****
C:\Program Files\VIA\RAID\raid_tool*****
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD*****
c:\program files\panda software\panda internet security 2007\WebProxy*****
C:\PROGRA~1\NEOSTR~1\TaskBarIcon*****
C:\Program Files\neostrada tp\neostradatp*****
C:\Program Files\neostrada tp\ComComp*****
C:\PROGRA~1\NEOSTR~1\Toaster*****
C:\PROGRA~1\NEOSTR~1\Inactivity*****
C:\PROGRA~1\NEOSTR~1\PollingModule*****
C:\WINDOWS\System32\ALERTM~1\ALERTM~1*****
C:\Program Files\neostrada tp\Watch*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Documents and Settings\czoper\Pulpit\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch*****
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj***** TaskBarIcon*****
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched*****"
O4 - HKLM\..\Run: [dmlco*****] C:\WINDOWS\system32\dmlco*****
O4 - HKLM\..\Run: [dmuql*****] C:\WINDOWS\system32\dmuql*****
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN*****" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio*****"
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv*****"
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon*****" -lang 1033
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool*****
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://slimak.onet.pl/_m/wirusy/ArcaOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C78289E-FAA4-4CAB-94F3-4D8F0AD30C6D}: NameServer = 194.204.159.1 217.98.63.164
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC*****
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr*****
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv*****
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51*****
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc*****
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV*****
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc*****
O23 - Service: Zapora systemu Windows/Udostępnianie połączenia internetowego SharedAccessLmHosts (SharedAccessLmHosts) - Unknown owner - C:\WINDOWS\system32\1042z***** (file missing)
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv*****
@up
The log seems clean, though upload it to http://www.hijackthis.de/
KapitanHajdukow:
C:\WINDOWS\Explorer*****
I'd check that, because it looks suspicious, although I may be wrong.
KapitanHajdukow:
C:\WINDOWS\Explorer*****
I'd check that, because it looks suspicious, although I may be wrong.
And what could be wrong with explorer? O.o
Szybki'Byll
09-09-2007, 16:07
Logfile of HijackThis v1.99.1
Scan saved at 14:57:16, on 2007-09-09
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\Explorer*****
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM*****
C:\Program Files\Eset\nod32krn*****
C:\WINDOWS\system32\nvsvc32*****
C:\WINDOWS\system32\HPZipm12*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Eset\nod32kui*****
C:\PROGRA~1\MyPortal\Speed-X\SpeedX*****
C:\WINDOWS\system32\ctfmon*****
D:\Program Files\Hide IP Platinum\hideippla*****
E:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter*****
D:\Program Files\Tibia\Tibia*****
C:\Documents and Settings\PC\Pulpit\HijackThis*****
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ip:port
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui*****" /WAITSERVICE
O4 - HKCU\..\Run: [SpeedX] C:\PROGRA~1\MyPortal\Speed-X\SpeedX*****
O4 - HKCU\..\Run: [ctfmon*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [Hide IP Platinum] D:\Program Files\Hide IP Platinum\hideippla*****
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL*****/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL*****/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag***** (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag***** (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{33EE4D6A-1E14-4B6C-90C2-9D565345578C}: NameServer = 212.85.112.32,193.110.121.20
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc*****
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12*****
I had a few crosses on the site.
There's nothing suspicious here. At most you can get rid of the BearShare search bars.
Logfile of HijackThis v1.99.1
Scan saved at 17:50:16, on 2007-09-09
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\csrss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\system32\nvsvc32*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\ctfmon*****
C:\WINDOWS\System32\alg*****
C:\WINDOWS\system32\wscntfy*****
C:\Program Files\WapSter\AQQ\AQQ*****
C:\Program Files\AIMP2\AIMP2*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Documents and Settings\Michał\Pulpit\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [sXe Injected] C:\Program Files\sXe Injected\sXe Injected*****
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader*****
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL*****/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc*****
O23 - Service: AusLogics Windows Themes Helper (ALThemeHelper) - Unknown owner - C:\Program Files\AusLogics Visual Styler\themehelpersvc*****
O23 - Service: ArcaBit.Core.Configurator - Unknown owner - C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2***** (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
Is there anything?
Szybki'Byll
09-09-2007, 20:04
Either I'm imagining it, or you have too many svchosts - a keylogger. But better let uther answer you, because he knows his stuff.
Either I'm imagining it, or you have too many svchosts - a keylogger. But better let uther answer you, because he knows his stuff.
svchost is [System]; if it were a user I'd figure it's a keylogger, but let's wait for uther.
The log is squeaky clean, and you @up, don't scare him if you don't know what you're talking about -.-
svchost is a system process that runs in more than just 1 "copy".
If it's in system32 then everything's fine (unless it's something more advanced).
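As an added example (not code from this thread or from the HijackThis project), here is a small Python triage script that applies the rule above to a HijackThis log: it parses the "Running processes" list, the O4 Run entries and the O23 services, reports how many svchost.exe instances run from System32 versus elsewhere, and flags core system binaries such as svchost.exe or services.exe that run from, or autostart from, anywhere other than System32 (the C:\WINDOWS\services.exe case from the first post), plus services whose binary is reported "(file missing)". The list of System32-only names and the sample log are my assumptions; the sample is constructed from lines like those posted in this thread, with the board's masking of ".exe" as "*****" preserved in the input and undone by the parser.

```python
"""Added example: triage a HijackThis log for system binaries outside System32."""
import re
from collections import Counter

# Assumption: core Windows XP/Vista binaries that legitimately run only from
# %SystemRoot%\System32. A copy elsewhere (e.g. C:\WINDOWS\services.exe) is the
# pattern this thread is hunting for.
SYSTEM32_ONLY = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# Constructed sample log (not one of the logs posted in the thread). The forum
# filter prints ".exe" as "*****"; normalize() restores it.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\services*****
C:\WINDOWS\Explorer*****
O4 - HKLM\..\Run: [orcToByloLatwe] C:\WINDOWS\services*****
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched*****"
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32*****
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
"""

# First drive-letter path in an O4 command line, quoted or not, ending in .exe or the masked *****.
_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?(?:\.exe|\*{5}))', re.IGNORECASE)
_O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')
_O23_RE = re.compile(r'^O23 - Service: (.*?) - (.*?) - (.*)$')


def normalize(path: str) -> str:
    """Lowercase a path, drop quotes and restore the '.exe' the forum filter masked."""
    p = path.strip().strip('"')
    if p.endswith("*****"):
        p = p[:-5] + ".exe"
    return p.lower()


def parse_log(text: str):
    """Return (processes, run_entries, services) extracted from a HijackThis log."""
    processes, run_entries, services = [], [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if re.match(r'^[A-Za-z]:\\', line):
                processes.append(normalize(line))
                continue
            in_processes = False          # first non-path line ends the section
        m = _O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            pm = _PATH_RE.search(cmd)
            # Bare names such as "nwiz***** /install" carry no directory; record None.
            run_entries.append((hive, key, name, normalize(pm.group(1)) if pm else None))
            continue
        m = _O23_RE.match(line)
        if m:
            svc, owner, cmd = m.groups()
            services.append((svc, owner, cmd, "(file missing)" in cmd))
    return processes, run_entries, services


def _split(path: str):
    folder, _, base = path.rpartition("\\")
    return folder, base


def find_suspicious(text: str):
    """Flag core system binaries running or autostarting outside System32, and missing service binaries."""
    processes, run_entries, services = parse_log(text)
    findings = []

    def check(path, where):
        folder, base = _split(path)
        if base in SYSTEM32_ONLY and not folder.endswith("\\system32"):
            findings.append(f"{where}: {base} running from {folder} instead of System32 -> {path}")

    for p in processes:
        check(p, "process")
    for hive, key, name, path in run_entries:
        if path:
            check(path, f"{hive}\\..\\{key} [{name}]")
    for svc, owner, cmd, missing in services:
        if missing:
            findings.append(f"service '{svc}' ({owner}): binary reported missing -> {cmd}")
    return findings


def svchost_count(text: str):
    """Several svchost.exe instances are normal; count those in System32 and elsewhere."""
    processes, _, _ = parse_log(text)
    counts = Counter()
    for p in processes:
        folder, base = _split(p)
        if base == "svchost.exe":
            counts["system32" if folder.endswith("\\system32") else "other"] += 1
    return dict(counts)


if __name__ == "__main__":
    print("svchost instances:", svchost_count(SAMPLE_LOG))
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

On the sample the script counts two svchost.exe instances, both in System32, and raises three findings: the services.exe process in C:\WINDOWS, the HKLM Run entry that launches it, and the avast! service whose binary is missing. Many svchost lines by themselves produce no finding, which is the point made above.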
I downloaded a file with owntibia, I didn't open it, I checked it straight away with FindIt and it detected nothing.
I did point 3 from the first page, I put the HijackThis logs on http://www.hijackthis.de/
and it showed nothing, so is there anything to fear? :P
and I'll post a log too =P
Logfile of HijackThis v1.99.1
Scan saved at 21:14:31, on 2007-09-09
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService*****
C:\WINDOWS\SOUNDMAN*****
C:\Program Files\Java\jre1.6.0_02\bin\jusched*****
C:\Program Files\Eset\nod32krn*****
C:\Program Files\Winamp\winampa*****
C:\Program Files\QuickTime\QTTask*****
C:\Program Files\iTunes\iTunesHelper*****
C:\Program Files\Eset\nod32kui*****
C:\WINDOWS\system32\ctfmon*****
C:\WINDOWS\System32\nvsvc32*****
C:\Program Files\iPod\bin\iPodService*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Winamp\winamp*****
C:\WINDOWS\explorer*****
C:\WINDOWS\system32\ping*****
C:\Program Files\MoorHunt\MoorHunt*****
C:\Program Files\Opera\Opera*****
E:\!!! UWAGA NIE KASOWAC !!!!!!\INNE\Instalki\hijackthis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.imesh.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN*****
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched*****"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask*****" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper*****"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui*****" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/ArcaOnline.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_35.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_29.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService*****
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT*****
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService*****
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32*****
@Micu
The log is clean.
Only this entry puzzles me:
O4 - HKLM\..\Run: [sXe Injected] C:\Program Files\sXe Injected\sXe Injected*****
Did you maybe install something for CS? Of course leave it, as it's nothing harmful.
You can remove this:
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
Otherwise the rest of the log is clean. Regards :)
@Rafayen
If you can, paste the HijackThis log here again, or give me a link to where you have that log and I'll examine it.
The log is clean; you could optionally throw out a few entries like these:
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa***** (you can throw this entry out if you want the Winamp agent not to start at system startup; it's unnecessary, at least for me; if you want it to start, leave it.)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background (if you don't use Messenger, throw it out of startup, and I'd advise uninstalling it in Add or Remove Programs in the Control Panel)
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray (you remove this entry if you want GG not to start at every system startup)
Regards
I downloaded a file with owntibia, I did not open it, I checked it right away with findit and it found nothing.
I did point 3 from the first page and submitted the hijackthis logs to http://www.hijackthis.de/
and it showed nothing, so is there anything to be afraid of? :P
If you did not run that file, nothing threatens you.
@Regarding Svchost*****
http://support.microsoft.com/kb/314056/pl
Yeah, for CS that is an anti-cheat; I don't know what it is for, since I have Steam xD
Hehe, nobody has any problems with owntibia and other crap? :P If not, great. If so, paste your logs here ;p I will gladly help ;p
I downloaded a file "serwer.exe", ran it, it disappeared and it turned out to be a keylogger... Could someone help me remove it?
Logfile of HijackThis v1.99.1
Scan saved at 20:06:52, on 2007-09-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\htpatch*****
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****
C:\WINDOWS\system32\CTHELPER*****
C:\Program Files\CyberLink\PowerDVD\PDVDServ*****
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd*****
C:\Program Files\HP\hpcoretech\hpcmpmgr*****
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09*****
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01*****
F:\Quick Time\qttask*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\Program Files\Java\jre1.5.0_08\bin\jusched*****
C:\Program Files\Winamp\winampa*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray*****
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask*****
H:\Phone\Skype*****
C:\WINDOWS\system32\CTsvcCDA*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier*****
C:\WINDOWS\system32\MsPMSPSv*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
H:\Plugin Manager\SkypePM*****
C:\Program Files\Java\jre1.5.0_08\bin\jucheck*****
C:\hosted*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info*****
F:\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbSha1.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll
O2 - BHO: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbSha1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbSha1.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch*****
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg*****
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER*****
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg*****
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet*****"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl***** /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ*****"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd*****"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr*****"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09*****
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01*****
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "F:\Quick Time\qttask*****" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched*****"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa*****
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray*****"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask*****"
O4 - HKCU\..\Run: [Skype] "H:\Phone\Skype*****" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [CursorXP] G:\Kursory fajne\CursorXP*****
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier*****
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl*****
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk570YYPL
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL*****/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EDB3B2C-0C69-4B77-842B-2DFB82CD2007}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA*****
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService*****
Rysiek_90
21-09-2007, 19:15
phew, big thanks for the guide, I had an own, but luckily the character was not hacked ;p
Logfile of HijackThis v1.99.1
Scan saved at 10:49:12, on 2007-09-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\windows\System32\smss*****
C:\windows\system32\winlogon*****
C:\windows\system32\services*****
C:\windows\system32\lsass*****
C:\windows\system32\Ati2evxx*****
C:\windows\system32\svchost*****
C:\windows\System32\svchost*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\windows\system32\spoolsv*****
C:\Program Files\Analog Devices\SoundMAX\SMAgent*****
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService*****
C:\windows\system32\svchost*****
C:\windows\system32\wuauclt*****
C:\windows\system32\Ati2evxx*****
C:\windows\Explorer*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\Program Files\Java\jre1.5.0_11\bin\jusched*****
C:\Program Files\HP\HP Software Update\HPWuSchd2*****
C:\Program Files\HP\hpcoretech\hpcmpmgr*****
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****
C:\Program Files\Common Files\Teleca Shared\CapabilityManager*****
D:\gry\valve\steam\steam*****
C:\Program Files\Xfire\xfire*****
C:\Program Files\HP\Digital Imaging\bin\hpqgalry*****
C:\Program Files\Common Files\Teleca Shared\Generic*****
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Documents and Settings\MatiZ\Pulpit\hijackthis\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [FortKnoxPersonalFirewall] "C:\Program Files\NETGATE\FortKnox Personal Firewall 2006\FortKnoxGUI*****"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched*****"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher*****" /startoptions
O4 - HKLM\..\Run: [No-IP Client 1.42] "C:\Program Files\No-IP Client\noipclient*****"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2*****"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr*****"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10*****
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon*****" -lang 1033
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent*****" --force_start_minimized
O4 - HKCU\..\Run: [system] c:\windows\system\system*****
O4 - HKCU\..\Run: [Steam] "d:\gry\valve\steam\steam*****" -silent
O4 - HKCU\..\Run: [VoipDiscount] "C:\Program Files\VoipDiscount.com\VoipDiscount\VoipDiscount*****" -nosplash -minimized
O4 - HKCU\..\Run: [LowRateVoip] "C:\Program Files\LowRateVoip\LowRateVoip*****" -nosplash -minimized
O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt*****" -nosplash -minimized
O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\WapSter\AQQ\AQQ*****
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader*****
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire*****
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI*****
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08*****
O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08*****
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9*****
O4 - Global Startup: Reset.lnk = C:\WINDOWS\repair\reset.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\MatiZ\Menu Start\Programy\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O20 - Winlogon Notify: WgaLogon - C:\windows\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc*****
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT*****
O23 - Service: FrontLine Drivers Auto Removal (v2) (sfrem02) - Protection Technology (StarForce) - C:\windows\system32\sfrem02*****
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent*****
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService*****
I would ask you to look over this scan. Thanks in advance :)
@Buszman
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09*****
What process is this supposed to be? I don't know it, but judging by the folders it must be some driver for something, though I have no idea for what.
C:\Program Files\Winamp\winampa*****
You can dump this process, the Winamp agent is of no use.
C:\WINDOWS\system32\CTsvcCDA*****
I don't know what this process is either, but leave it
C:\Program Files\Gadu-Gadu\gg*****
You can remove this process if GG at startup bothers you.
Now, what you have to remove
Remove these processes from safe mode:
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier*****
C:\hosted*****
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa*****
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier*****
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk570YYPL WARNING
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL*****/3000
The rest is ok
@Eco
C:\windows\system32\wuauclt*****
You can remove this if you don't update the system, because it starts at boot. Of course you can leave it.
Entries recommended for removal from safe mode:
O4 - HKCU\..\Run: [system] c:\windows\system\system*****
this is probably a virus, from what I googled. Remove the system***** entry manually
O4 - Global Startup: Reset.lnk = C:\WINDOWS\repair\reset.bat
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
this is also from Messenger
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
this is from Messenger, completely unnecessary; if you use it, don't remove it.
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\MatiZ\Menu Start\Programy\>IMVU\Run IMVU.lnk (file missing)
This can be removed.
@SpAyKeR
Big thanks ;), and now let's see the damage... ;/
Kondyk91
12-10-2007, 23:35
Hi, recently I noticed that a small window appears when the system starts..
(namely -> http://img105.imageshack.us/my.php?image=beztytuuxt9.jpg )
I think it is some key~ or something..
And now the HijackThis scan:
Logfile of HijackThis v1.99.1
Scan saved at 14:24:14, on 2007-10-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Skype\Phone\Skype*****
C:\Program Files\Ares\Ares*****
C:\Program Files\Common Files\System\smss*****
C:\Program Files\Skype\Plugin Manager\SkypePM*****
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****
C:\WINDOWS\system32\PnkBstrA*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\WINDOWS\system32\wuauclt*****
C:\Documents and Settings\user\Pulpit\Programy\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****"
O4 - HKLM\..\Run: [Interner Exploler] C:\WINDOWS\Protocol*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype*****" /nosplash /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares*****" -h
O4 - Startup: autostart*****
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_30.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer*****
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT*****
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService*****
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA*****
If you can, please help ;)
aa and P.S. I only just noticed one more thing when I was reading about Lord of Tibia .. namely ( --> http://img443.imageshack.us/my.php?image=shittten6.jpg )
It turns out that I probably have the Lord of Tibia Keylogger?
p.s. 2
In safe mode I deleted that file from the windows directory, then restarted the computer (the window no longer appeared), deleted that file from the registry and restarted the computer again, and the window is still gone ;)
But to be sure, please check the previous HijackThis scan and the one I am posting now:
Logfile of HijackThis v1.99.1
Scan saved at 22:52:44, on 2007-10-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Common Files\System\smss*****
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****
C:\WINDOWS\system32\PnkBstrA*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Winamp\winamp*****
C:\WINDOWS\system32\wuauclt*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Documents and Settings\user\Pulpit\Programy\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype*****" /nosplash /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares*****" -h
O4 - Startup: autostart*****
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_30.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer*****
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT*****
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService*****
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA*****
Logfile of HijackThis v1.99.1
Scan saved at 23:09:41, on 2007-10-13
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\ATI Technologies\ATI.ACE\cli*****
C:\Program Files\Analog Devices\SoundMAX\SMTray*****
C:\Programy\Kaspersky\avp*****
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03*****
C:\WINDOWS\system32\ctfmon*****
C:\Programy\Vidalia Bundle\Vidalia\vidalia*****
C:\Program Files\ATI Technologies\ATI.ACE\CLI*****
C:\Programy\Vidalia Bundle\Privoxy\privoxy*****
C:\Program Files\Xfire\xfire*****
C:\Programy\Kaspersky\avp*****
C:\Program Files\Analog Devices\SoundMAX\SMAgent*****
C:\WINDOWS\system32\svchost*****
C:\Programy\Vidalia Bundle\Tor\tor*****
C:\Program Files\Messenger\msmsgs*****
C:\Programy\Gadu-Gadu\gg*****
C:\WINDOWS\system32\wuauclt*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Documents and Settings\Adrian\Pulpit\HijackThis*****
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli*****" runtime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray*****
O4 - HKLM\..\Run: [AVP] "C:\Programy\Kaspersky\avp*****"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03*****
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [Vidalia] "C:\Programy\Vidalia Bundle\Vidalia\vidalia*****"
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire*****
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader*****
O4 - Global Startup: ATI CATALYST – pasek zadań.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI*****
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA*****
O4 - Global Startup: Privoxy.lnk = C:\Programy\Vidalia Bundle\Privoxy\privoxy*****
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programy\Kaspersky\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programy\Kaspersky\avp*****
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService*****
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService*****
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent*****
eh, where is the owntibia here?
@Kondyk91
Running processes:
C:\Program Files\Gadu-Gadu\gg*****
Jeżeli męczy Cie gg na starcie to ten powyższy proces możesz wywalić.
C:\Program Files\Winamp\winamp*****
jeżeli męczy Cie agent winampa możesz też go wywalić
C:\WINDOWS\system32\wuauclt*****
Jeżeli nie chcesz automatycznych update'ów systemu możesz to wywalić też(oczywiście te procesy wywal pod trybem normalnym, jak chcesz, możesz to zrobić z awaryjnego).
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
To też wywal
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
Wywal
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onet.pl/
To też wywal
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
{37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
To też wywal
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
Remove this.
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
the GG process; if you don't want it to start with the system, remove it
O4 - Startup: autostart*****
Remove this from safe mode.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
You can remove the Messenger process if you don't use it.
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
You can remove the Messenger process if you don't use it.
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_30.cab
Remove this
Otherwise the log is clean.
------------------------------------------------------------------------------------------------------------
@Rosus
1.C:\Program Files\Messenger\msmsgs*****
2.C:\Programy\Gadu-Gadu\gg*****
3.C:\WINDOWS\system32\wuauclt*****
You can remove these processes, but you don't have to. That is, unless you want them to start with the system and slow down its startup.
1. that's from Messenger
2. from GG
3. from automatic updates (of course these processes start at boot; you can remove them, but you don't have to)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
You can remove this, it's the Messenger process
Of course the log is clean
@Kondyk
If you still have it, send me the file C:/windows/protocol***** by PM
@Edit
You probably have W32/Mirsa-B
Removal description:
http://www.symantec.com/security_response/writeup.jsp?docid=2005-012109-3656-99&tabid=3
Kondyk91
14-10-2007, 13:49
and where does it say which folder the files I'm supposed to delete are in?
p.s. - no, I don't have that protocol file anymore..
p.s.2 - as for removing that thing you linked me, I don't have the thing they tell you to go into: btw -> http://img130.imageshack.us/my.php?image=grrzn4.jpg
p.s. 3 - I only have this last entry -> http://img87.imageshack.us/my.php?image=ahdi3.png
Could someone write what I should do step by step so I no longer have this "thing" on my computer..
cheers
Could someone look it over? I'd really appreciate it xd
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05*****
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService*****
C:\Program Files\Common Files\Symantec Shared\ccApp*****
C:\WINDOWS\ATKKBService*****
C:\Program Files\QuickTime\QTTask*****
C:\Program Files\Norton AntiVirus\navapsvc*****
C:\WINDOWS\system32\rundll32*****
C:\Program Files\Corel\Graphics9\Register\Remind32*****
C:\WINDOWS\system32\nvsvc32*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\wuauclt*****
C:\Program Files\Opera\Opera*****
C:\Program Files\Internet Explorer\iexplore*****
C:\Program Files\BearShare\BearShare*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Opera\Opera*****
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY*****
C:\WINDOWS\system32\wuauclt*****
D:\Misiek\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = <irrelevant, definitely clean>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.zicom.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05*****
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize***** -boot
O4 - HKLM\..\Run: [diagnostic] C:\Windows\system32\diagnostic*****
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp*****"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy*****"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask*****" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - Startup: Rejestrowanie produktów Corela.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32*****
O4 - Global Startup: Adobe Gamma Loader*****.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader*****
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9*****
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://kamera.sleza.net/activex/AxisCamControl.cab
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - <to tesh>
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c18.cab?b5964381c558ea6f0d133544c840f5e36a562ef023 4619a381919f760f4a1688882a12f3ce52bd78e00e28869eeb 0d35ad87026cf59de47a77204abbc3722a:5659d87acdcea62 8dfc7b2974d5ba4f0
O17 - HKLM\System\CCS\Services\Tcpip\..\{25E5F11E-F303-4DF3-9516-200FA5671935}: NameServer = 217.70.48.6,217.70.48.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{370693F0-D07F-4062-9B33-AA272AED390F}: NameServer = 217.70.48.6,217.70.48.20
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc*****
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService*****
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService*****
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr*****
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc*****
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService*****
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT*****
O23 - Service: Usługa Auto-Protect w programie Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ*****
Logfile of HijackThis v1.99.1
Scan saved at 13:47:48, on 2007-10-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Windows Defender\MsMpEng*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Windows Defender\MSASCui*****
C:\WINDOWS\system32\RUNDLL32*****
C:\Program Files\Analog Devices\SoundMAX\Smtray*****
C:\Program Files\Java\jre1.6.0_02\bin\jusched*****
C:\WINDOWS\system32\rundll32*****
C:\Program Files\Eset\nod32kui*****
C:\WINDOWS\system32\ctfmon*****
C:\PROGRA~1\WapSter\AQQ\AQQ*****
C:\Program Files\Cisco Systems\VPN Client\cvpnd*****
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon*****
C:\Program Files\Eset\nod32krn*****
E:\AutoConnect\AutoConnect*****
C:\WINDOWS\system32\nvsvc32*****
C:\Program Files\Common Files\System\smss*****
C:\Program Files\Analog Devices\SoundMAX\SMAgent*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\Explorer*****
E:\hijackthis\HijackThis*****
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui*****" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray*****
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched*****"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32***** bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui*****" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - HKCU\..\Run: [Messenger] MSMSGS
O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\WapSter\AQQ\AQQ*****
O4 - Startup: Skrót do AutoConnect*****.lnk = E:\AutoConnect\AutoConnect*****
O4 - Startup: autostart*****
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader*****
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon*****
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag***** (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag***** (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186923321906
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd*****
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService*****
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent*****
......
as is easy to notice, this one is definitely unnecessary
C:\Program Files\Common Files\System\smss*****
and now... there's also a start.bat file in there
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss"="C:\\Program Files\\Common Files\\System\\smss*****"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss"="C:\\Program Files\\Common Files\\System\\smss*****"
and now think about it...
I delete this and that, and what else could be calling this `smss`, and from where,
every single time?? -,^
I can't find anything in the log ...
just as I thought...
I've already managed to deal with it myself ;]
once again I recommend BoostSpeed
in it you block whatever is set to run at computer startup,
with ProcExp you kill it and then delete it, and everything works :)
no reformat needed.
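The pattern in the post above (a file called smss.exe living under Common Files\System and relaunched from two Run keys) is the one thing a log reviewer should catch mechanically: a core Windows binary name running from, or registered from, a directory where that binary does not live. The script below is an added example, not code from this thread or from HijackThis. It parses HijackThis-style log lines (the "Running processes" section, O4 autostart entries and O23 services) and flags such masquerading paths, plus services with an unknown owner whose binary is missing, which the thread shows are usually uninstall leftovers but still deserve a manual look. The allow-list `LEGIT_DIRS`, the helper names (`triage`, `masquerade_reason`, `suspicious_paths`) and the sample log are all constructed for the example; the quoted logs on this page have the extension masked by the forum, so the sample spells out `.exe`.

```python
"""Triage helper for HijackThis-style logs (added example, not the thread's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Where core Windows XP binaries legitimately live (assumption: default install on C:).
# Anything with one of these names outside its directory is a masquerading copy.
LEGIT_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# "O23 - Service: <display name> - <owner> - <command line>"
_SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First drive-letter path ending in .exe inside a command line (quotes excluded).
_EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
# Any R0/R1/O2... entry ends the "Running processes" section.
_ENTRY_RE = re.compile(r"^[RO]\d+ - ")


@dataclass
class Finding:
    kind: str    # "masquerade" or "review"
    where: str   # "process", "O4" or "O23"
    path: str    # lower-cased binary path (or raw command when no path was found)
    reason: str


def first_exe_path(text: str) -> Optional[str]:
    m = _EXE_RE.search(text)
    return m.group(0).lower() if m else None


def masquerade_reason(path: str) -> Optional[str]:
    """Why `path` looks like a masquerading core binary, or None if it is fine."""
    directory, _, base = path.lower().rpartition("\\")
    allowed = LEGIT_DIRS.get(base)
    if allowed is not None and directory not in allowed:
        return f"{base} from {directory!r}, expected one of {sorted(allowed)}"
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if _ENTRY_RE.match(line):
            in_processes = False
        if in_processes:
            # Each line of this section is the bare path of a running image.
            reason = masquerade_reason(line)
            if reason:
                findings.append(Finding("masquerade", "process", line.lower(), reason))
            continue
        if line.startswith("O4 - "):
            # Run keys, Startup folder items: the autostart mechanism used by the fake smss.
            path = first_exe_path(line)
            reason = masquerade_reason(path) if path else None
            if reason:
                findings.append(Finding("masquerade", "O4", path, reason))
            continue
        m = _SVC_RE.match(line)
        if m:
            path = first_exe_path(m.group("cmd"))
            reason = masquerade_reason(path) if path else None
            if reason:
                findings.append(Finding("masquerade", "O23", path, reason))
            elif m.group("owner") == "Unknown owner" and "(file missing)" in m.group("cmd"):
                findings.append(Finding("review", "O23", path or m.group("cmd").lower(),
                                        "unknown owner and binary missing: stale entry or removed malware, check manually"))
    return findings


def suspicious_paths(log_text: str) -> List[str]:
    """Distinct paths of masquerading binaries, sorted."""
    return sorted({f.path for f in triage(log_text) if f.kind == "masquerade"})


# Constructed sample modelled on the logs in this thread (not a real log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\System\smss.exe
C:\Program Files\Gadu-Gadu\gg.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
O4 - HKLM\..\Run: [smss] "C:\Program Files\Common Files\System\smss.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINDOWS\system\smss.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - 1 (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.where}: {f.path} -- {f.reason}")
```

On the sample the script reports the Common Files\System copy of smss.exe three times (running process, HKLM Run key, and the stale service pointing at C:\WINDOWS\system), while the genuine smss.exe, services.exe and winlogon.exe in system32 and the user's own programs stay silent. The same rule would have flagged the C:\WINDOWS\services.exe from the first post of this thread. Note that `(file missing)` on its own is not evidence of infection; the Symantec leftovers in the logs above are the usual cause, which is why those are only marked for review.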
Logfile of HijackThis v1.99.1
Scan saved at 18:35:14, on 2007-10-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Common Files\Symantec Shared\ccSvcHst*****
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\G DATA\InternetSecurity 2007\AVK\AVKService*****
C:\Program Files\G DATA\InternetSecurity 2007\AVK\AVKWCtl*****
C:\WINDOWS\System32\CTsvcCDA*****
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc*****
C:\WINDOWS\Explorer*****
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT*****
C:\WINDOWS\system32\nvsvc32*****
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB*****
C:\WINDOWS\System32\MsPMSPSv*****
C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy*****
C:\Program Files\Common Files\G DATA\AVKMail\AVKPOP*****
C:\Program Files\G DATA\InternetSecurity 2007\AVKTray\AVKTray*****
C:\Program Files\Common Files\Symantec Shared\ccApp*****
C:\WINDOWS\system32\RunDLL32*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\G DATA\InternetSecurity 2007\Firewall\GDFwSvc*****
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon*****
C:\Program Files\G DATA\InternetSecurity 2007\Firewall\GDFirewallTray*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\System32\imapi*****
C:\Program Files\Opera\Opera*****
C:\DOCUME~1\Dawid.CB\USTAWI~1\Temp\Rar$EX00.000\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: G DATA WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G DATA\InternetSecurity 2007\Webfilter\AvkWebIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo Demo\integr\ih-iexplorer\IH_iexplorer.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: G DATA WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Program Files\G DATA\InternetSecurity 2007\Webfilter\AvkWebIE.dll
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo Demo\integr\ih-iexplorer\IH_iexplorer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Program Files\Common Files\G DATA\AVKMail\AVKPOP*****"
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\G DATA\InternetSecurity 2007\AVKTray\AVKTray*****"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp*****"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32***** NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon*****
O4 - Global Startup: G DATA Firewall Tray.lnk = C:\Program Files\G DATA\InternetSecurity 2007\Firewall\GDFirewallTray*****
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL*****/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - (no file)
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O17 - HKLM\System\CCS\Services\Tcpip\..\{4731B621-71BF-4D5C-8264-51307D5FC49A}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: AVKProxy - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy*****
O23 - Service: AVK Service (AVKService) - G DATA Software AG - C:\Program Files\G DATA\InternetSecurity 2007\AVK\AVKService*****
O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\G DATA\InternetSecurity 2007\AVK\AVKWCtl*****
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst*****" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst*****" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst*****" /h ccCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA*****
O23 - Service: G DATA Personal Firewall (GDFwSvc) - Unknown owner - C:\Program Files\G DATA\InternetSecurity 2007\Firewall\GDFwSvc*****
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService*****
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc*****
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Bogdan\USTAWI~1\Temp\hpdj***** (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService*****
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1*****
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst*****" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc*****" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
O23 - Service: PnkBstrA - Unknown owner - 1 (file missing)
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINDOWS\system\smss***** (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB*****
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc*****
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32*****
Clean??
Cerien1968
18-10-2007, 11:28
I have a problem because I don't have a Hosts file....(I have some file Imhosts.sam).
Help
Kondyk91
19-10-2007, 14:41
I used that little program.. and removed the entries as instructed ;) :<
and now the log from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 13:37:33, on 2007-10-19
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\AusLogics BoostSpeed\BoostSpeed*****
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****
C:\WINDOWS\system32\PnkBstrA*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Program Files\iPod\bin\iPodService*****
C:\Documents and Settings\user\Pulpit\Programy\HijackThis*****
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype*****" /nosplash /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares*****" -h
O4 - HKCU\..\Run: [BoostSpeed] "C:\Program Files\AusLogics BoostSpeed\BoostSpeed*****" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_30.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer*****
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp*****" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT*****
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService*****
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA*****
clean? reply fast because I feel like playing ;s I haven't logged in for about a month ;d
Useful guide, plus for this gentleman.
@Kondyk91 and Dawidx
Clean :)
But I'd advise both of you to clean the registry of unnecessary entries and delete temporary files ;)
Kondyk91
19-10-2007, 17:09
oh, that's cool :D
And about those entries.. Could you elaborate?
@Kondyk91 and Dawidx
Clean :)
But I'd advise both of you to clean the registry of unnecessary entries and delete temporary files ;)
could you look over mine, plz xd
You have My Global Search ;)
And here is the removal description:
http://www.spywareremove.com/removeMyGlobalSearch.html
Xsardas'Phee
24-10-2007, 17:35
could you take a look at this?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:25, on 2007-10-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp*****
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM*****
C:\Program Files\Webroot\Spy Sweeper\SpySweeper*****
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Trend Micro\HijackThis\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp*****"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'Default user')
O8 - Extra context menu item: Dodaj do Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget*****
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget*****
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp*****
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT*****
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper*****
--
End of file - 4618 bytes
Riten_lum
25-10-2007, 00:27
UP:
I didn't notice any Owntibia entries.
Another thing: a few facts puzzle me. Since OwnTibia reads passwords from the tibia.exe process, then if you rename the target file, e.g. to
gra.exe (that is also what will show up in Task Manager after launching it), will the password still be stolen? And since it drops entries into the autostart locations (loads a registry key) and makes quite a mess of the hosts file, can programs that monitor autostart and the aforementioned hosts file (e.g. WinPatrol) protect us to some extent? And thirdly, IE is used to send the stolen password (with Owntibia or LoT active on the system, an IE process always starts after tibia.exe is launched). So if you completely block IE in the firewall settings, will that have any effect?
Inkwizytor
26-10-2007, 21:55
Logfile of HijackThis v1.99.1
Scan saved at 20:41:13, on 2007-10-26
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\Explorer*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\system32\spoolsv*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\Program Files\Winamp\winampa*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Documents and Settings\Dawid\Pulpit\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa*****"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon*****" -lang 1033
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL*****/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state***** (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE*****
Is my computer clean? Please reply quickly.
@up
clean.
P.S. Change your antivirus
VolterCelt
27-10-2007, 00:29
@down
Thanks a lot!
I removed it, there were no errors, so everything went fine :). Thanks again!
~Volter
@2up
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
remove that
O4 - HKLM\..\Run: [workflow] E:\installs\workflow****
What is this? If you know what it belongs to, leave it.
Overall speaking, clean
P.S. Change your antivirus; google.pl, phrase "darmowe antywirusy" (free antivirus programs)
Regards
it doesn't work for me either way -,-"
Meaning?
UP:
Since OwnTibia reads passwords from the tibia.exe process, then if you rename the target file, e.g. to
gra.exe (that is also what will show up in Task Manager after launching it), will the password still be stolen?
As far as I know, own will find your "tibia client" by the window name; it doesn't rely only on processes. You'd have to edit the whole tibia.exe file
Next, since it drops entries into the autostart locations (loads a registry key) and makes quite a mess of the hosts file, can programs that monitor autostart and the aforementioned hosts file (e.g. WinPatrol) protect us to some extent?
Of course, e.g. Kaspersky with proactive protection enabled; the problem is that most people don't even read the prompts, they just click and allow it.
And thirdly, IE is used to send the stolen password (with Owntibia or LoT active on the system, an IE process always starts after tibia.exe is launched). So if you completely block IE in the firewall settings, will that have any effect?
You're right there too, the passwords won't be sent when you block iexplore.exe, and some firewalls also display a message about IE being killed/blocked, so you can already tell something is wrong
Could someone check my scan ;] Last Friday I got hacked, lost 1kk+. I always tried to be careful, but oh well. I still don't know how they pulled it off ;( The whole story is in the Zdjęcia/Menera section. I've already checked my scan on http://www.hijackthis.de/#anl and everything is ok, but I'd rather make sure.
Logfile of HijackThis v1.99.1
Scan saved at 22:37:05, on 2007-11-03
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Ahead\InCD\InCDsrv*****
C:\Program Files\Sygate\SPF\smc*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\SOUNDMAN*****
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ*****
C:\Program Files\Ahead\InCD\InCD*****
C:\Program Files\lg_fwupdate\fwupdate*****
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher*****
C:\Program Files\QuickTime\qttask*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Skype\Phone\Skype*****
C:\Program Files\Messenger\msmsgs*****
C:\WINDOWS\System32\FTRTSVC*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
C:\Program Files\Common Files\Teleca Shared\Generic*****
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker*****
C:\Program Files\neostrada tp\neostradatp*****
C:\Program Files\neostrada tp\ComComp*****
C:\PROGRA~1\NEOSTR~1\Toaster*****
C:\PROGRA~1\NEOSTR~1\Inactivity*****
C:\PROGRA~1\NEOSTR~1\PollingModule*****
C:\WINDOWS\System32\ALERTM~1\ALERTM~1*****
C:\Program Files\neostrada tp\Watch*****
C:\WINDOWS\system32\wuauclt*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\WINDOWS\system32\NOTEPAD*****
C:\Program Files\Hijack This\hijackthis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN*****
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ*****"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD*****
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate*****" blrun
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher*****" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask*****" -atboottime
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch*****
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc***** -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa*****
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype*****" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA*****
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL*****/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{82110F29-95FC-4AC7-9694-AC336B8EA63C}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service (file missing)
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC*****
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv*****
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc*****
Please reply quickly
PS. I know, I have to change my antivirus ;P
Did you set this yourself?
O17 - HKLM\System\CCS\Services\Tcpip\..\{82110F29-95FC-4AC7-9694-AC336B8EA63C}: NameServer = 194.204.159.1 217.98.63.164
Ryba_Firefox
05-11-2007, 22:12
It looks like I have some junk on my computer, so please check the log.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:01:58, on 2007-11-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss*****
D:\WINDOWS\system32\winlogon*****
D:\WINDOWS\system32\services*****
D:\WINDOWS\system32\lsass*****
D:\WINDOWS\system32\svchost*****
D:\Program Files\PC Tools Firewall Plus\FWService*****
D:\WINDOWS\System32\svchost*****
D:\Program Files\Alwil Software\Avast4\aswUpdSv*****
D:\Program Files\Alwil Software\Avast4\ashServ*****
D:\WINDOWS\system32\spoolsv*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched*****
D:\WINDOWS\system32\CTsvcCDA*****
D:\WINDOWS\system32\svchost*****
D:\Program Files\RealVNC\VNC4\WinVNC4*****
D:\WINDOWS\system32\MsPMSPSv*****
D:\Program Files\Alwil Software\Avast4\ashMaiSv*****
D:\Program Files\Alwil Software\Avast4\ashWebSv*****
D:\WINDOWS\Explorer*****
D:\WINDOWS\System32\svchost*****
D:\WINDOWS\system32\CTHELPER*****
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE*****
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****
D:\Program Files\PC Tools Firewall Plus\FirewallGUI*****
D:\Program Files\Winamp\winampa*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt*****
D:\PROGRA~1\NEOSTR~1\CnxMon*****
D:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
D:\Gadu-Gadu\gg*****
D:\Program Files\Spybot - Search & Destroy\TeaTimer*****
D:\PROGRA~1\NEOSTR~1\NeostradaTP*****
D:\PROGRA~1\NEOSTR~1\ComComp*****
D:\PROGRA~1\NEOSTR~1\Watch*****
D:\Program Files\Winamp\winamp*****
D:\Program Files\Opera\Opera*****
D:\Documents and Settings\Patryk\Pulpit\Ryba\Programy i inne\HiJackThis_v2*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - D:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER*****
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg*****
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet*****"
O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl***** /run
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE***** /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon
O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI*****" -s
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt*****" /min
O4 - HKLM\..\Run: [WooCnxMon] D:\PROGRA~1\NEOSTR~1\CnxMon*****
O4 - HKLM\..\Run: [WOOWATCH] D:\PROGRA~1\NEOSTR~1\Watch*****
O4 - HKLM\..\Run: [WOOTASKBARICON] D:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\servces*****
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer*****
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL*****/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{01B07B1F-EFF8-4D9D-910D-73D893C18F10}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{01B07B1F-EFF8-4D9D-910D-73D893C18F10}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS2\Services\Tcpip\..\{01B07B1F-EFF8-4D9D-910D-73D893C18F10}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS3\Services\Tcpip\..\{01B07B1F-EFF8-4D9D-910D-73D893C18F10}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched*****
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard*****
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv*****
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv*****
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA*****
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - D:\Program Files\PC Tools Firewall Plus\FWService*****
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - D:\Program Files\RealVNC\VNC4\WinVNC4*****
--
End of file - 6853 bytes
Riten_lum
05-11-2007, 23:04
UP:
Unfortunately, you have OwnTibia.
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\servces*****
Hmmm, and why are you running 2 antiviruses at once?
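The entry flagged above (a near-miss of the name services.exe, started from C:\WINDOWS rather than C:\WINDOWS\system32), the hosts-file mess and the O17 NameServer question earlier in the thread are all things a script can pick out of a HijackThis log instead of eyeballing it. The following is an added example written for this page; it is not HijackThis code and not from any poster. It undoes the forum filter's "*****" standing in for ".exe" (an assumption based on the logs in this thread), flags O4 autostart targets whose name is within two edits of a core Windows binary or that carry the right name in the wrong directory, lists O1 hosts overrides, and reports O17 DNS servers outside a caller-supplied trusted set. The table of core binaries, the edit-distance threshold and the sample log are constructed for the example.

```python
"""Triage a HijackThis log for the three things asked about in this thread:
O4 autostart entries that impersonate Windows binaries (servces.exe vs
services.exe, services.exe outside system32), O1 hosts overrides, and O17
NameServer values the user did not set.

Added example for this page; not HijackThis code and not from the forum posts.
Assumptions (not from the thread): the forum's word filter replaced ".exe" with
"*****", the table of core binaries and their home directories, the
edit-distance threshold, and the constructed sample log at the bottom.
"""
import re

# Windows XP core binaries that password stealers impersonate, mapped to the
# only directory each legitimately runs from (lower-case, without drive letter).
CORE_BINARIES = {
    "services": r"\windows\system32", "svchost": r"\windows\system32",
    "lsass": r"\windows\system32",    "winlogon": r"\windows\system32",
    "csrss": r"\windows\system32",    "smss": r"\windows\system32",
    "ctfmon": r"\windows\system32",   "spoolsv": r"\windows\system32",
    "explorer": r"\windows",
}
LOOKALIKE_DISTANCE = 2          # "servces" -> "services" is one edit away
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

O4_RE = re.compile(r"^O4 - (?P<where>.*?): (?:\[(?P<name>[^\]]*)\] )?(?P<tail>.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
PATH_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|com|scr|pif|bat|cmd|dll))(?=\s|$)', re.I)


def levenshtein(a, b):
    """Edit distance (insert / delete / substitute) by the classic DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_o4(tail):
    """Return (code, detail) for a suspicious O4 target, or None if it looks normal."""
    if " = " in tail:                        # "Global Startup: foo.lnk = C:\path\foo.exe"
        tail = tail.split(" = ", 1)[1]
    m = PATH_RE.search(tail)
    if not m:
        return None
    path = (m.group(1) or m.group(2)).strip()
    directory, _, filename = path.lower().rpartition("\\")
    directory = re.sub(r"^[a-z]:", "", directory)
    stem = filename.rsplit(".", 1)[0]
    if stem in CORE_BINARIES:                # exact system name: must live in its home dir
        if directory and directory != CORE_BINARIES[stem]:
            return ("impostor-dir", f"{filename} runs from {path}, expected {CORE_BINARIES[stem]}")
        return None
    for real in CORE_BINARIES:               # almost the right name
        if levenshtein(stem, real) <= LOOKALIKE_DISTANCE:
            return ("lookalike", f"{filename} mimics {real}.exe: {path}")
    return None


def triage(log_text, trusted_dns=()):
    """Scan a whole log; returns [(line_no, code, detail), ...]."""
    findings = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip().replace("*****", ".exe")   # undo the forum's word filter (assumed)
        if (m := O4_RE.match(line)):
            hit = check_o4(m.group("tail"))
            if hit:
                findings.append((no, *hit))
        elif (m := O1_RE.match(line)):
            code = "hosts-sinkhole" if m.group("ip") in LOOPBACK else "hosts-redirect"
            findings.append((no, code, f"{m.group('host')} -> {m.group('ip')}"))
        elif (m := O17_RE.match(line)):
            for ip in re.split(r"[\s,]+", m.group("servers").strip()):
                if ip not in trusted_dns:
                    findings.append((no, "dns-untrusted", ip))
    return findings


# Constructed sample in the thread's log format (not a real machine's log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\servces*****
O4 - HKLM\..\Run: [auto] C:\WINDOWS\services*****
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp*****"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA*****
O1 - Hosts: 127.0.0.1 vip.example.invalid
O1 - Hosts: 10.0.0.5 login.example.invalid
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 194.204.159.1 217.98.63.164
"""

if __name__ == "__main__":
    for no, code, detail in triage(SAMPLE_LOG, trusted_dns={"194.204.159.1"}):
        print(f"line {no:2d}  {code:15s} {detail}")
```

Run as-is it reports the servces.exe look-alike, services.exe outside system32, both hosts entries (the loopback one only for review, since sinkhole entries are something the user may have added on purpose) and the second DNS server. On a saved log call triage() on the file contents with trusted_dns set to the ISP's or router's resolvers for that machine; that is exactly the question the thread asks about the O17 line, and the script cannot answer it for you.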
Ryba_Firefox
05-11-2007, 23:07
heh, I knew it, that's why I haven't been logging into real Tibia for a few days :)
OK, but apart from that Owntibia, is there any other junk?
Riten_lum
05-11-2007, 23:22
heh, I knew it, that's why I haven't been logging into real Tibia for a few days :)
OK, but apart from that Owntibia, is there any other junk?
I think you still have a few unnecessary entries, but better wait for Uther. He knows this stuff much better :)
Ryba_Firefox
06-11-2007, 18:30
aha, but there are no keyloggers anymore? because I really want to play; stress from the parent-teacher meeting...
You're overreacting with this owntibia. :p There are a sh**load of protection programs, if not against Owntibia itself then ones that block the logs from being sent :pB) If searching is too much trouble for someone, I have one in my signature lawl 8o
Ryba_Firefox
07-11-2007, 19:49
I'm not sure again whether I have something bad on my computer..... check this log, because something's not right with the PC :/
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:37:54, on 2007-11-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss*****
D:\WINDOWS\system32\winlogon*****
D:\WINDOWS\system32\services*****
D:\WINDOWS\system32\lsass*****
D:\WINDOWS\system32\svchost*****
D:\Program Files\PC Tools Firewall Plus\FWService*****
D:\WINDOWS\System32\svchost*****
D:\Program Files\Alwil Software\Avast4\aswUpdSv*****
D:\Program Files\Alwil Software\Avast4\ashServ*****
D:\WINDOWS\system32\spoolsv*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched*****
D:\WINDOWS\system32\CTsvcCDA*****
D:\WINDOWS\system32\svchost*****
D:\Program Files\RealVNC\VNC4\WinVNC4*****
D:\WINDOWS\system32\MsPMSPSv*****
D:\Program Files\Alwil Software\Avast4\ashMaiSv*****
D:\Program Files\Alwil Software\Avast4\ashWebSv*****
D:\WINDOWS\System32\svchost*****
D:\WINDOWS\Explorer*****
D:\WINDOWS\system32\CTHELPER*****
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE*****
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****
D:\Program Files\PC Tools Firewall Plus\FirewallGUI*****
D:\Program Files\Winamp\winampa*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt*****
D:\PROGRA~1\NEOSTR~1\CnxMon*****
D:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
D:\Program Files\Spybot - Search & Destroy\TeaTimer*****
D:\PROGRA~1\NEOSTR~1\NeostradaTP*****
D:\PROGRA~1\NEOSTR~1\ComComp*****
D:\PROGRA~1\NEOSTR~1\Watch*****
D:\Gadu-Gadu\gg*****
D:\Program Files\Microsoft Office\OFFICE11\WINWORD*****
D:\Program Files\Opera\Opera*****
D:\Documents and Settings\Patryk\Pulpit\Ryba\Programy i inne\HiJackThis_v2*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - D:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER*****
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg*****
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet*****"
O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl***** /run
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE***** /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon
O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI*****" -s
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt*****" /min
O4 - HKLM\..\Run: [WooCnxMon] D:\PROGRA~1\NEOSTR~1\CnxMon*****
O4 - HKLM\..\Run: [WOOWATCH] D:\PROGRA~1\NEOSTR~1\Watch*****
O4 - HKLM\..\Run: [WOOTASKBARICON] D:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer*****
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL*****/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{01B07B1F-EFF8-4D9D-910D-73D893C18F10}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{01B07B1F-EFF8-4D9D-910D-73D893C18F10}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS2\Services\Tcpip\..\{01B07B1F-EFF8-4D9D-910D-73D893C18F10}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched*****
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard*****
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv*****
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv*****
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA*****
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - D:\Program Files\PC Tools Firewall Plus\FWService*****
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - D:\Program Files\RealVNC\VNC4\WinVNC4*****
--
End of file - 6699 bytes
Ryba_Firefox
07-11-2007, 19:52
TO BE DELETED! sorry for the double post, but Opera is acting up on me
KapitanHajdukow
10-11-2007, 00:01
I think I've caught some junk :baby:
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\SYSTEM32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv*****
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\Explorer*****
C:\Program Files\Java\jre1.6.0_01\bin\jusched*****
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN*****
C:\PROGRA~1\NEOSTR~1\TaskBarIcon*****
C:\WINDOWS\System32\FTRTSVC*****
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr*****
C:\Program Files\VIA\RAID\raid_tool*****
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv*****
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc*****
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc*****
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE*****
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD*****
c:\program files\panda software\panda internet security 2007\WebProxy*****
C:\WINDOWS\system32\wuauclt*****
C:\WINDOWS\system32\wuauclt*****
C:\Documents and Settings\czoper\Pulpit\HIjack\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch*****
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\GestMaj***** TaskBarIcon*****
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched*****"
O4 - HKLM\..\Run: [dmlco*****] C:\WINDOWS\system32\dmlco*****
O4 - HKLM\..\Run: [dmuql*****] C:\WINDOWS\system32\dmuql*****
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN*****" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio*****"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan*****
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv*****"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon*****" -lang 1033
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool*****
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC*****
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr*****
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv*****
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51*****
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc*****
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV*****
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc*****
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv*****
KatsuKnight
11-11-2007, 22:14
I scanned and this is my log, please look through it and let me know whether there is a keylogger or some other virus.
Logfile of HijackThis v1.99.1
Scan saved at 20:47:18, on 2007-11-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\System32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\system32\LEXBCES*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\system32\LEXPPS*****
C:\WINDOWS\system32\Ati2evxx*****
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm*****
C:\WINDOWS\system32\PSIService*****
C:\Program Files\Common Files\Symantec Shared\SNDSrvc*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd*****
C:\WINDOWS\system32\LXSUPMON*****
C:\PROGRA~1\NEOSTR~1\CnxMon*****
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf*****
C:\WINDOWS\services*****
C:\WINDOWS\system32\ctfmon*****
D:\Program Files\AutoConnect\AutoConnect*****
D:\Tibia\Tibia*****
C:\Program Files\Internet Explorer\IEXPLORE*****
D:\gg 77\Gadu-Gadu\gg*****
D:\Opera\Opera*****
C:\Documents and Settings\Nanek\Pulpit\HijackThis*****
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: iMesh MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: iMesh MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck*****
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd*****
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON***** RUN
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon*****
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch*****
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN***** /logon
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall*****" -TRAY
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [UINotify] C:\Documents and Settings\RODZINA\Ustawienia lokalne\Dane aplikacji\UINotify*****
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services*****
O4 - HKLM\..\Run: [services] C:\Documents and Settings\Nanek\Pulpit\ServisePack_4*****
O4 - HKLM\..\RunServices: [UINotify] C:\Documents and Settings\RODZINA\Ustawienia lokalne\Dane aplikacji\UINotify*****
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\gg 77\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [UINotify] C:\Documents and Settings\Nanek\Ustawienia lokalne\Dane aplikacji\UINotify*****
O4 - HKCU\..\Run: [ctfmon*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares*****" -h
O4 - HKCU\..\Run: [AutoConnect] D:\Program Files\AutoConnect\AutoConnect*****
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA*****
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://slimak.onet.pl/_m/wirusy/ArcaOnline.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164261359416
O17 - HKLM\System\CCS\Services\Tcpip\..\{524BE7F1-2906-4CBB-8D8B-637B22679960}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc*****
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer*****
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES*****
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService*****
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc*****
Riten_lum
11-11-2007, 22:36
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services*****
The OwnTibia entry.
KatsuKnight
12-11-2007, 07:06
@Up
So this entry O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services***** is OWNTIBIA ;o Delete it?
Great, there should be more forum users like this 10/10 GZ 8o
Ryba_Firefox
12-11-2007, 15:56
@KatsuKnight
The entry
C:\WINDOWS\system32\services*****
delete it as soon as possible, because it's a keylogger (a program that steals passwords)
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\System32\CTSvcCDA*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\WgaTray*****
C:\WINDOWS\Explorer*****
Is any of these files dangerous?? Please help ;(
@KatsuKnight
The entry
C:\WINDOWS\system32\services*****
delete it as soon as possible, because it's a keylogger (a program that steals passwords)
But this is the CORRECT services file... DO NOT DELETE IT!
@Up
All fine.
It will surely be useful to many people :P
Ryba_Firefox
01-12-2007, 18:07
exp x2, and I still had the problem of someone logging onto my char; I had owntibia, which has already been removed.
Just in case, please check my log.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:40:35, on 2007-12-01
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss*****
D:\WINDOWS\system32\winlogon*****
D:\WINDOWS\system32\services*****
D:\WINDOWS\system32\lsass*****
D:\WINDOWS\system32\svchost*****
D:\Program Files\PC Tools Firewall Plus\FWService*****
D:\WINDOWS\System32\svchost*****
D:\Program Files\Alwil Software\Avast4\aswUpdSv*****
D:\Program Files\Alwil Software\Avast4\ashServ*****
D:\WINDOWS\system32\spoolsv*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched*****
D:\WINDOWS\system32\CTsvcCDA*****
D:\WINDOWS\Explorer*****
D:\WINDOWS\system32\svchost*****
D:\Program Files\RealVNC\VNC4\WinVNC4*****
D:\WINDOWS\system32\MsPMSPSv*****
D:\WINDOWS\system32\CTHELPER*****
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE*****
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
D:\Program Files\Winamp\winampa*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt*****
D:\Gadu-Gadu\gg*****
D:\Program Files\Asprate\Tibia Multi IP Changer\Tibia MULTI-ip changer*****
D:\Mozilla Firefox\firefox*****
D:\WINDOWS\System32\svchost*****
D:\Program Files\Internet Explorer\iexplore*****
D:\Documents and Settings\Patryk\Pulpit\TBI GG 8.0*****
D:\Documents and Settings\Patryk\Pulpit\Ryba\Programy i inne\HiJackThis_v2*****
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER*****
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg*****
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet*****"
O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl***** /run
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE***** /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon
O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI*****" -s
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt*****" /min
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg*****" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'Default user')
O4 - Startup: services*****
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL*****/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CS1\Services\Tcpip\..\{01B07B1F-EFF8-4D9D-910D-73D893C18F10}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched*****
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard*****
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv*****
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv*****
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA*****
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - D:\Program Files\PC Tools Firewall Plus\FWService*****
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - D:\Program Files\RealVNC\VNC4\WinVNC4*****
--
End of file - 5422 bytes
O4 - Startup: services*****
Some leftover from owntibia.
Tbi GG and a multi IP changer... not nice :P
Other than that, clean :)
dnaPALLEK
02-12-2007, 13:02
no way, awesome :D everything described perfectly. thanks to you I removed that crap ;] cheers and thanks :D
Ryba_Firefox
04-12-2007, 23:50
New scan.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:23:59, on 2007-12-04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss*****
D:\WINDOWS\system32\winlogon*****
D:\WINDOWS\system32\services*****
D:\WINDOWS\system32\lsass*****
D:\WINDOWS\system32\svchost*****
D:\Program Files\PC Tools Firewall Plus\FWService*****
D:\WINDOWS\System32\svchost*****
D:\Program Files\Alwil Software\Avast4\aswUpdSv*****
D:\Program Files\Alwil Software\Avast4\ashServ*****
D:\WINDOWS\system32\spoolsv*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard*****
D:\WINDOWS\Explorer*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched*****
D:\WINDOWS\system32\CTsvcCDA*****
D:\WINDOWS\system32\svchost*****
D:\Program Files\RealVNC\VNC4\WinVNC4*****
D:\WINDOWS\system32\MsPMSPSv*****
D:\Program Files\Alwil Software\Avast4\ashMaiSv*****
D:\Program Files\Alwil Software\Avast4\ashWebSv*****
D:\WINDOWS\system32\CTHELPER*****
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
D:\Program Files\PC Tools Firewall Plus\FirewallGUI*****
D:\Program Files\Winamp\winampa*****
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt*****
D:\Gadu-Gadu\gg*****
D:\WINDOWS\System32\svchost*****
D:\Mozilla Firefox\firefox*****
D:\Documents and Settings\Patryk\Pulpit\Ryba\Programy i inne\HiJackThis_v2*****
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER*****
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg*****
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet*****"
O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl***** /run
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE***** /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [00PCTFW] "D:\Program Files\PC Tools Firewall Plus\FirewallGUI*****" -s
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt*****" /min
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg*****" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] D:\WINDOWS\system32\CTFMON***** (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL*****/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CS1\Services\Tcpip\..\{01B07B1F-EFF8-4D9D-910D-73D893C18F10}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched*****
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard*****
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv*****
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv*****
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA*****
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - D:\Program Files\PC Tools Firewall Plus\FWService*****
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - D:\Program Files\RealVNC\VNC4\WinVNC4*****
--
End of file - 5209 bytes
I know the entry "D:\WINDOWS\system32\services*****" is own tibia, but I can't remove it. I tried removing it with HiJackThis, Avast and Avira AntiVir, and also deleting the file manually from the system32 directory; it just won't delete :/
This owntibia isn't detected by "FindIt!" or "OwnTibia Deleter"
Even when I press CTRL+ALT+DEL and End Process on services*****, a message appears saying "This is a critical system process. Task Manager cannot end this process." so I don't know how to fight this crap... Please help!
Riten_lum
04-12-2007, 23:56
Lucky you didn't manage to delete it, because that services file sits in the system32 folder and is essential for the computer to work.
I repeat: this is NOT owntibia.
DOWN:
<grabs head> No...
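The confusion in the posts above is between two paths that differ only by directory. As an added example that is not part of any post here, the Python script below applies the thread's own rules to a constructed HijackThis-style log: `services.exe` directly under the Windows directory is the OwnTibia entry, `system32\services.exe` is the real Service Control Manager and must stay, and any other O4 autostart target sitting directly in the Windows directory (or carrying a value name quoted in the guide) is only flagged for manual comparison against a clean install. The sample log, the constructed `auto.exe` entry and the bucket names are assumptions.

```python
r"""Triage a HijackThis log for the OwnTibia keylogger entries discussed above.

Added example, not code from the thread. Rules encoded from the guide at the
top of the thread and the replies:
  * <drive>:\WINDOWS\services.exe (directly under the Windows directory) is
    the keylogger and belongs on the "fix checked" list;
  * <drive>:\WINDOWS\system32\services.exe is the real Service Control
    Manager and must never be removed;
  * OwnTibia VIP may drop a file with any name directly in the Windows
    directory, so other O4 autostart targets there get a "check" verdict
    (compare with a clean install; not automatically malicious).
"""
import re
from typing import Dict, List

# Autostart value names quoted on OwnTibia entries in this thread.
SUSPECT_RUN_NAMES = {"orctobylolatwe", "auto", "windows"}

_O4_RE = re.compile(r"O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)")
_EXE_RE = re.compile(r"(.*?\.exe)\b", re.I)
_WIN_ROOT_RE = re.compile(r"[a-z]:\\windows")
_SYSTEM32_RE = re.compile(r"[a-z]:\\windows\\system32")


def exe_path(cmd: str) -> str:
    r"""Pull the executable path out of a Run-value command line.

    Handles quoted paths with switches ("C:\x y\a.exe" /flag) and bare
    paths containing spaces (C:\WINDOWS\a b.exe /run).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE_RE.match(cmd)
    if m:
        return m.group(1)
    tokens = cmd.split()
    return tokens[0] if tokens else ""


def classify_path(path: str) -> str:
    """Return 'remove', 'keep', 'check' or 'ignore' for one executable path."""
    p = path.strip().strip('"').lower()
    directory, _, filename = p.rpartition("\\")
    if filename == "services.exe":
        # Only the copy in system32 is the legitimate Service Control Manager.
        return "keep" if _SYSTEM32_RE.fullmatch(directory) else "remove"
    if _WIN_ROOT_RE.fullmatch(directory):
        return "check"
    return "ignore"


def triage_log(log_text: str) -> Dict[str, List[str]]:
    """Bucket the 'Running processes' paths and O4 autostart lines of a log."""
    result: Dict[str, List[str]] = {"remove": [], "keep": [], "check": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O4 - "):
            m = _O4_RE.match(line)
            if not m:
                continue
            name = (m.group("name") or "").lower()
            verdict = classify_path(exe_path(m.group("cmd")))
            if verdict == "ignore" and name in SUSPECT_RUN_NAMES:
                verdict = "check"  # value name matches a known OwnTibia entry
        elif re.match(r"[a-z]:\\", line, re.I):
            # Bare paths from the "Running processes" section. Only the
            # services.exe rule applies here: Explorer.exe and friends are
            # normal processes living in the Windows root.
            verdict = classify_path(line)
            if verdict == "check":
                verdict = "ignore"
        else:
            continue
        if verdict != "ignore":
            result[verdict].append(line)
    return result


# Constructed sample log in HijackThis format (the thread's logs have the
# ".exe" extension masked by the forum software).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\Explorer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKCU\..\Run: [auto] C:\Documents and Settings\Nanek\Pulpit\auto.exe
O4 - Startup: services.exe
"""

if __name__ == "__main__":
    for bucket, lines in triage_log(SAMPLE_LOG).items():
        print(f"== {bucket} ==")
        for entry in lines:
            print("  " + entry)
```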
Ryba_Firefox
05-12-2007, 00:00
it isn't ;o?
Very nicely written guide. It already helped me ^^ Big GZ ;]
Salarigoth
14-12-2007, 12:13
When I download it, it asks "which program do you want to open this file with" and there's only junk in there like winrar, notepad and other rubbish, what should I do?
sirpatrick
15-12-2007, 11:20
Logfile of HijackThis v1.99.1
Scan saved at 17:55:07, on 2007-12-14
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\savedump*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\System32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\htpatch*****
C:\WINDOWS\System32\RunDll32*****
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****
C:\Program Files\HP\HP Software Update\HPWuSchd2*****
C:\Program Files\Winamp\winampa*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\Program Files\Java\jre1.6.0_03\bin\jusched*****
C:\Program Files\Common Files\Onet.pl\AutoUpdate*****
C:\WINDOWS\System32\ctfmon*****
C:\Program Files\Messenger\msmsgs*****
G:\Stefan\Stefan*****
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl*****
C:\Program Files\HP\Digital Imaging\bin\hpqtra08*****
C:\Program Files\Microsoft Office\Office\FINDFAST*****
C:\WINDOWS\system32\RaConfig*****
C:\Program Files\Microsoft Office\Office\OSA*****
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08*****
C:\WINDOWS\System32\wuauclt*****
C:\WINDOWS\System32\wuauclt*****
C:\PROGRA~1\Mozilla Firefox\firefox*****
C:\Documents and Settings\Patrick\Pulpit\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch*****
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg*****
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****"
O4 - HKLM\..\Run: [BearShare] "H:\BearSharePatryka\BearShare*****" /pause
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2*****
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa*****"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched*****"
O4 - HKLM\..\Run: [Onet.pl AutoUpdate] "C:\Program Files\Common Files\Onet.pl\AutoUpdate*****" /tsr
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\System32\ctfmon*****
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - HKCU\..\Run: [Stefan] G:\Stefan\Stefan*****
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl*****
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08*****
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST*****
O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig*****
O4 - Global Startup: Uruchamianie pakietu Office.lnk = C:\Program Files\Microsoft Office\Office\OSA*****
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EF92AA3-5A7A-4A0E-90ED-43838534283B}: NameServer = 193.110.120.5,193.110.121.20
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12*****
Can someone tell me which of these entries is the keylogger? I searched but couldn't find those entries. I do have a keylogger, since my account got hacked recently ;(.
Regards :).
@sirpatrick
There's nothing in the log O.o
sirpatrick
15-12-2007, 16:29
I have this problem. I read the guides on how to remove the keylogger and I try and try and nothing. I know I have a keylogger because one day I logged in with my character and it was in a different place from where I had logged out. I changed my passwords, and still nothing. And I got hacked -.-. Does anyone know how to remove this filth from my computer?
Regards.
take a strong magnet and touch it to the disk, after a few minutes you'll remove it along with everything else -,-
scan with an antivirus and antispyware, post a hijackthis log
sirpatrick
15-12-2007, 18:16
I posted the log about 4 posts up. I've already scanned the system with an antivirus. And I paid a bit for the disk, so I don't want to remove the keylogger with a magnet :).
Logfile of HijackThis v1.99.1
Scan saved at 23:10:04, on 2007-12-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\csrss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\Explorer*****
C:\Program Files\G DATA AntiVirus\AVKTray\AVKTray*****
D:\Spyware Doctor\SDTrayApp*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\G DATA AntiVirus\AVK\AVKService*****
C:\Program Files\G DATA AntiVirus\AVK\AVKWCtl*****
D:\CDBurnerXP\NMSAccessU*****
D:\Spyware Doctor\svcntaux*****
D:\Spyware Doctor\swdsvc*****
C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy*****
C:\WINDOWS\System32\alg*****
C:\Program Files\Mozilla Firefox\firefox*****
D:\Trend Micro\HijackThis\HijackThis*****
D:\WinRAR\WinRAR*****
C:\DOCUME~1\JUSER\USTAWI~1\Temp\Rar$EX02.665\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\G DATA AntiVirus\AVKTray\AVKTray*****"
O4 - HKLM\..\Run: [WinampAgent] G:\Winamp\winampa*****
O4 - HKLM\..\Run: [Spik] D:\Spik\Spik***** -autostart
O4 - HKLM\..\Run: [SDTray] D:\Spyware Doctor\SDTrayApp*****
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVKProxy - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy*****
O23 - Service: AVK Service (AVKService) - G DATA Software AG - C:\Program Files\G DATA AntiVirus\AVK\AVKService*****
O23 - Service: Strażnik AVK (AVKWCtl) - G DATA Software AG - C:\Program Files\G DATA AntiVirus\AVK\AVKWCtl*****
O23 - Service: NMSAccessU - Unknown owner - D:\CDBurnerXP\NMSAccessU*****
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - D:\Spyware Doctor\svcntaux*****
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - D:\Spyware Doctor\swdsvc*****
^^^^^^^^^^^^^^^^^^^^
Prosze o pomoc ,bo wydaje mi sie ze keya zalapalem :/
@down
kliknolem jak najgorszy nub w link...
pierwszy raz mi sie to zdazylo :P
hacka narazie niema a to juz 3 dzien wiec chyba bedzie looz
Thx
@down
Haha dobre...
Co za ludzie :F
@Dymbik
w logu nic nie widać...zupełnie czysto. Skąd te podejrzenie, że masz key'a ?
Różne rzeczy w zyciu już widziałem, ale żeby aż tak przeinaczyć fakty O.o
http://img136.imageshack.us/img136/9206/loooolel8.jpg
That's cr............... I have the best removal program. It removes automatically. OwnedtibiaDeleter ;p that's its name, link at the bottom
It's probably the best of all of them. The file is clean. Scan it, please ;p. When you run the file the keylogger removes itself automatically.
Download : hxxp://w w w.***********.com/329839822.html
Instead of xx put tt < instead of w w w > www > instead of ********
put s p e e d y s h a r e. join the letters ;p
Regards
@Up
A keylogger in a thread about removing keyloggers < omfg, good one
The things people do xD
@Edit
You didn't even give it a good name :PPP
Kazimierzm
09-03-2008, 19:00
I scanned my PC with NOD32 and it detected Owntibia; I deleted it but I don't know whether I still have it.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:28:44, on 2008-03-08
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\acs*****
C:\WINDOWS\Explorer*****
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice*****
C:\WINDOWS\system32\RunDll32*****
C:\WINDOWS\htpatch*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Java\jre1.6.0_05\bin\jusched*****
C:\Program Files\USB Disk Win98 Driver\Res*****
C:\Program Files\HP\HP Software Update\HPWuSchd2*****
C:\WINDOWS\update*****
C:\Program Files\Winamp\winampa*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Messenger\msmsgs*****
C:\Program Files\Winamp Remote\bin\OrbTray*****
C:\Program Files\HP\Digital Imaging\bin\hpqtra08*****
C:\Program Files\PLANET WL-8310\WLANPRO*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\nvsvc32*****
C:\Program Files\Spyware Terminator\sp_rsser*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08*****
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn*****
C:\Program Files\ESET\ESET NOD32 Antivirus\egui*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Trend Micro\HijackThis\HijackThis*****
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60327
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-f7ed0776fb27} - c:\program files\steganos internet anonym 2006\sia2006iep.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch*****
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg*****
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield*****"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched*****"
O4 - HKLM\..\Run: [system32NELM Agent] C:\WINDOWS\system32NELM*****
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res*****
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2*****
O4 - HKLM\..\Run: [CSmileys] "C:\PROGRA~1\Crawler\Smileys\CSmileysIM*****"
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\update*****
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa*****"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui*****" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006*****" -boot
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater*****
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - HKCU\..\Run: [CSmileys] "C:\PROGRA~1\Crawler\Smileys\CSmileysIM*****"
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray*****" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006*****" -firstboot (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-20\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006*****" -firstboot (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006*****" -firstboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SIA2006] "C:\Program Files\Steganos Internet Anonym 2006\SIA2006*****" -firstboot (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader*****
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl*****
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync*****
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08*****
O4 - Global Startup: PLANET WL-8310 Configuration Utility.lnk = ?
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Crawler Smileys - {16FE352D-F643-4A81-BC61-2C051F3A757D} - C:\PROGRA~1\Crawler\Smileys\CSMILE~1.DLL
O9 - Extra button: Kolekcja wycinków HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Zaznaczanie HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Crawler eCards - {82E2B317-7C9C-4F12-B920-AC37D928CD43} - C:\PROGRA~1\Crawler\Smileys\CSMILE~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O17 - HKLM\System\CCS\Services\Tcpip\..\{77DE5589-57BB-42DA-97FF-A00923F50F1E}: NameServer = 192.168.5.1,194.204.152.34
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice*****
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs*****
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv*****
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn*****
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService*****
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT*****
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser*****
--
End of file - 9021 bytes
Lord Evad
15-03-2008, 22:05
sorry for bumping but I have a problem too ;d
because recently some trojan called tibia.dd was detected on my machine
I removed it manually from c/windows/system32/drivers/services***** that's where I had it xd
posting the log because I'm buying a pacc soon and want to be sure:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:55:37, on 2008-03-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
D:\adawre\aawservice*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\RTHDCPL*****
C:\WINDOWS\system32\RUNDLL32*****
C:\Program Files\Java\jre1.6.0_02\bin\jusched*****
D:\Ashampoo FireWall\FireWall*****
C:\WINDOWS\system32\ctfmon*****
C:\Windows\alg*****
D:\DAEMON Tools\daemon*****
C:\WINDOWS\system32\spoolsv*****
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc*****
C:\Program Files\Common Files\LightScribe\LSSrvc*****
C:\WINDOWS\System32\nvsvc32*****
C:\WINDOWS\System32\PnkBstrA*****
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr*****
C:\WINDOWS\system32\wscntfy*****
D:\nod32\ekrn*****
D:\nod32\egui*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\Documents and Settings\Sylwia\Pulpit\HiJackThis_v2*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blackdtools.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel*****
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL*****
O4 - HKLM\..\Run: [Alcmtr] ALCMTR*****
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32***** C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare*****" /pause
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched*****"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa*****"
O4 - HKLM\..\Run: [Ashampoo FireWall] "D:\Ashampoo FireWall\FireWall*****" -TRAY
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UVS11 Preload] D:\dooborkbi\uvPL*****
O4 - HKLM\..\Run: [egui] "D:\nod32\egui*****" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor*****"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs*****" /background
O4 - HKCU\..\Run: [Alg] C:\Windows\alg*****
O4 - HKCU\..\Run: [DAEMON Tools] "D:\DAEMON Tools\daemon*****" -lang 1033
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype*****" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] C:\WINDOWS\System32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] C:\WINDOWS\System32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] C:\WINDOWS\System32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] C:\WINDOWS\System32\CTFMON***** (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\Sylwia\Pulpit\BitComet*****/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\Sylwia\Pulpit\BitComet*****/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\Sylwia\Pulpit\BitComet*****/AddAllLink.htm
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\adawre\aawservice*****
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc*****
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - D:\nod32\EHttpSrv*****
O23 - Service: Eset Service (ekrn) - ESET - D:\nod32\ekrn*****
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32*****
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA*****
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr*****
--
End of file - 5607 bytes
I don't want to turn this into a logfile-check thread, but could someone check whether everything is OK?
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\SYSTEM32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service*****
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog*****
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\system32\CTsvcCDA*****
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn*****
C:\Program Files\Analog Devices\SoundMAX\SMAgent*****
C:\WINDOWS\System32\svchost*****
C:\WINDOWS\SYSTEM32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI*****
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****
C:\Program Files\ESET\ESET NOD32 Antivirus\egui*****
C:\Program Files\Analog Devices\SoundMAX\SMTray*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Spybot - Search & Destroy\TeaTimer*****
C:\WINDOWS\system32\NOTEPAD*****
C:\Program Files\Blackd Tools\Blackd Proxy\****************
C:\Program Files\Mozilla Firefox\firefox*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Trend Micro\HijackThis\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = charon:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask*****" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui*****" /hide /waitservice
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray*****
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall*****" -TRAY
O4 - HKCU\..\Run: [ctfmon*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer*****
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2***** /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2***** /NoDialog (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MSOFFI~1\OFFICE11\EXCEL*****/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag*****
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag*****
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{755128E5-2154-48E9-8D86-7CAC47CA6EE7}: NameServer = 10.2.16.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice*****
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA*****
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv*****
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn*****
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService*****
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent*****
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service*****
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog*****
Vlad Dracula
20-03-2008, 13:31
Wouldn't it be better if everyone checked for themselves whether they're clean or not? Faster, cleaner and more convenient.
Some mod should delete all this, since it's turned into some 12 pages of logs that only clutter the forum. Check them yourselves, and if you want someone else to do it there are specialist forums for that... or PM me.
Could you check my log? I'd be grateful ;)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:25:50, on 2008-03-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Ahead\InCD\InCDsrv*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\system32\drivers\CDAC11BA*****
C:\Program Files\Common Files\LightScribe\LSSrvc*****
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm*****
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\Program Files\ATI Technologies\ATI.ACE\cli*****
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ*****
C:\Program Files\Ahead\InCD\InCD*****
C:\Program Files\lg_fwupdate\fwupdate*****
C:\Program Files\Winamp\winampa*****
C:\Program Files\Java\jre1.6.0_01\bin\jusched*****
C:\Program Files\WinFast\WFTVFM\WFWIZ*****
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****
C:\Program Files\QuickTime\qttask*****
C:\WINDOWS\RTHDCPL*****
C:\Program Files\TrojanHunter 5.0\THGuard*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware*****
C:\Program Files\Microsoft ActiveSync\wcescomm*****
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun*****
C:\PROGRA~1\MICROS~4\rapimgr*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\ATI Technologies\ATI.ACE\cli*****
C:\Program Files\ATI Technologies\ATI.ACE\cli*****
C:\Program Files\internet explorer\iexplore*****
C:\Program Files\Trend Micro\HijackThis\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli*****" runtime -Delay
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ*****"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD*****
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck*****
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate*****" blrun
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa*****
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched*****"
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ*****
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask*****" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL*****
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard*****"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware*****
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm*****"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'Default user')
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA*****
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL*****/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF8AE13C-004F-49D2-9082-CCE2C0C31FCB}: NameServer = 213.241.79.37 83.238.255.76
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv*****
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA*****
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService*****
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv*****
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc*****
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr*****
--
End of file - 7832 bytes
Thanks in advance ;)
Saint Apocalypse
20-03-2008, 21:40
In my opinion regedit is enough for removal... You throw the entry out of the registry and then delete the file... Nothing hard. Besides, there are programs like Spybot S&D that block access to the registry. We have to allow the registry change, so no keylogger will get through. I'd advise the author to add this to the thread.
@down Yeah, and then a moment later catch Owntibia again and remove it a hundred times. Isn't it simpler to prevent it getting in?
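The removal advice in the post above (throw the Run entry out of the registry, then delete the file it points at) assumes you can spot the bad entry among the dozens of O4 lines a HijackThis log contains. As an added example, not code from this thread, from HijackThis or from any poster, here is a small Python triage script that parses the `O4 - <hive>\..\Run: [name] command` lines and flags entries whose executable sits where Windows XP keeps no legitimate autorun binary: directly in the Windows directory, under `system32\drivers` (which should hold `.sys` files, and is where one poster found his `services` file), or named after a core system binary such as `services`, `alg` or `lsass` but not living in `system32`. The heuristic, the list of system binaries and the sample log are my own constructions; the sample restores the `.exe` extension that the forum software masked as `*****`.

```python
"""Triage of HijackThis O4 (autorun) lines.

Added example for this thread; it is not code from HijackThis or from any
poster.  It parses the 'O4 - <hive>\\..\\Run: [name] command' lines the
logs above are full of and flags entries whose executable sits somewhere
Windows XP does not normally keep an autorun binary.  The heuristic is an
assumption made for triage: a hit means 'look at this file', not 'malware'.
"""
import re

# Core Windows XP binaries that live in %SystemRoot%\system32 (constructed
# list; the names are the ones seen in the process listings of the logs).
SYSTEM32_BINARIES = {"smss", "csrss", "winlogon", "services", "lsass",
                     "svchost", "spoolsv", "alg", "ctfmon"}

EXE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

# Matches e.g.
#   O4 - HKLM\..\Run: [Windows] C:\WINDOWS\update.exe
#   O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z0-9.\\-]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def executable_path(cmd):
    """Pull the executable out of an autorun command line.

    A quoted path ends at the closing quote.  An unquoted path may contain
    spaces (C:\\Program Files\\...\\Res.exe), so tokens are joined until one
    ends in an executable extension; if none does (RunDll32 cmicnfg.cpl,...)
    the first token is the program.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    taken = []
    for tok in tokens:
        taken.append(tok)
        if tok.lower().endswith(EXE_EXT):
            return " ".join(taken)
    return tokens[0] if tokens else ""


def suspicion(path):
    """Return the reasons an autorun path deserves a look ([] = nothing odd)."""
    parts = path.replace("/", "\\").lower().split("\\")
    dirs, fname = parts[:-1], parts[-1]
    stem = fname.rsplit(".", 1)[0]
    reasons = []
    if stem in SYSTEM32_BINARIES and (not dirs or dirs[-1] != "system32"):
        reasons.append("named like a system32 binary but not in system32")
    if "system32" in dirs and "drivers" in dirs:
        reasons.append("executable under system32\\drivers")
    if len(dirs) == 2 and dirs[1] in ("windows", "winnt"):
        reasons.append("sits directly in the Windows directory")
    return reasons


def triage(log_text):
    """Parse every O4 Run/RunOnce line and return the flagged entries."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue  # Global Startup .lnk lines and non-O4 lines are skipped
        path = executable_path(m.group("cmd"))
        reasons = suspicion(path)
        if reasons:
            hits.append({"hive": m.group("hive"), "name": m.group("name"),
                         "path": path, "reasons": reasons})
    return hits


# Constructed sample modelled on the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.exe
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\update.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alg] C:\Windows\alg.exe
O4 - HKLM\..\Run: [svc] C:\WINDOWS\system32\drivers\services.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Reg.lnk = ?
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['name']}] {hit['path']}: " + "; ".join(hit["reasons"]))
```

On the sample the script flags `[Windows] C:\WINDOWS\update.exe`, `[Alg] C:\Windows\alg.exe` and `[svc] C:\WINDOWS\system32\drivers\services.exe`, and leaves the vendor entries alone. The "directly in the Windows directory" rule is deliberately the weakest of the three: legitimate driver helpers such as the `htpatch` and `RTHDCPL` entries in the logs above do live there, so that reason on its own means "check the file's publisher and size", while a system-binary name outside `system32` is the pattern worth acting on.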