system
(system)
5 Czerwiec 2005 20:36
#1
Proszę o sprawdzenie loga znajomej.
Z góry dzięki
Logfile of HijackThis v1.99.1 Scan saved at 22:31:49, on 2005-06-05 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\Winamp\winampa.exe C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common Files\eAcceleration\eanthology.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Gadu-Gadu\gg.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\msiexec.exe C:\Program Files\Tlen.pl\tlen.exe C:\Documents and Settings\Iwona\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - Default URLSearchHook is missing F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {929FA593-D009-3CA4-BE39-513D1CAF56A8} - C:\WINDOWS\system32\sysiu32.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe O4 - HKLM…\Run: [stopSignStatus] Rundll32.exe “C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll”,VerifyStatus O4 - HKLM…\Run: [EanthologyApp] “C:\Program Files\Common Files\eAcceleration\eanthology.exe” /b Startup O4 - HKLM…\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k O4 - HKLM…\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM…\RunOnce: [stopSignStatus] Rundll32.exe “C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll”,VerifyStatus /ro O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Dzieńdobry!] C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.05p.com O15 - Trusted Zone: *.awmdabest.com O15 - Trusted Zone: *.blazefind.com O15 - Trusted Zone: *.clickspring.net O15 - Trusted Zone: *.flingstone.com O15 - Trusted Zone: *.frame.crazywinnings.com O15 - Trusted Zone: *.mt-download.com O15 - Trusted Zone: *.my-internet.info O15 - Trusted Zone: *.scoobidoo.com O15 - Trusted Zone: *.searchbarcash.com O15 - Trusted Zone: *.searchmiracle.com O15 - Trusted Zone: *.slotch.com O15 - Trusted Zone: *.static.topconverting.com O15 - Trusted Zone: *.xxxtoolbar.com O15 - Trusted Zone: *.05p.com (HKLM) O15 - Trusted Zone: *.awmdabest.com (HKLM) O15 - Trusted Zone: *.blazefind.com (HKLM) O15 - Trusted Zone: *.clickspring.net (HKLM) O15 - Trusted Zone: *.flingstone.com (HKLM) O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) O15 - Trusted Zone: *.mt-download.com (HKLM) O15 - Trusted Zone: *.my-internet.info (HKLM) O15 - Trusted Zone: *.scoobidoo.com (HKLM) O15 - Trusted Zone: *.searchbarcash.com (HKLM) O15 - Trusted Zone: *.searchmiracle.com (HKLM) O15 - Trusted Zone: *.slotch.com (HKLM) O15 - Trusted Zone: *.static.topconverting.com (HKLM) O15 - Trusted Zone: *.xxxtoolbar.com (HKLM) O15 - Trusted IP range: 206.161.125.149 O15 - Trusted IP range: 206.161.125.149 (HKLM) O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj) - http://installs.hotbar.com/installs/hot … hotbar.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{7222395A-589D-4027-A2E4-8825C196CF48}: NameServer = 10.0.0.3 O23 - Service: Network Security Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\mfcup32.exe (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: hpdj - HP - C:\DOCUME~1\Iwona\USTAWI~1\Temp\hpdj.exe O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: Network Associates McShield (McShield) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Mcshield.exe (file missing) O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (file missing)
musg
(Musg)
5 Czerwiec 2005 20:45
#2
leci:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tfjyc.dll/sp.html#37049
trojan cws
dalej kosisz:
kolejne:
brakuje update i zabezpieczen --firewall
dodatkowo:
fiesta
(fiesta)
5 Czerwiec 2005 21:01
#3
Antywira też nie widze na pokładzie :o :o :o
kuz5
(Kuz5)
5 Czerwiec 2005 21:03
#4
Usuń jeszcze to:
O23 - Service: Network Security Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\ mfcup32.exe (file missing)
system
(system)
5 Czerwiec 2005 21:03
#5
Wszystko to będzie, jednak od czegoś trzeba było zacząć.
Log po czyszczeniu:
Logfile of HijackThis v1.99.1 Scan saved at 22:59:41, on 2005-06-05 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\Winamp\winampa.exe C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common Files\eAcceleration\eanthology.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Gadu-Gadu\gg.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Tlen.pl\tlen.exe C:\Documents and Settings\Iwona\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [stopSignStatus] Rundll32.exe “C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll”,VerifyStatus O4 - HKLM…\Run: [EanthologyApp] “C:\Program Files\Common Files\eAcceleration\eanthology.exe” /b Startup O4 - HKLM…\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k O4 - HKLM…\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM…\RunOnce: [stopSignStatus] Rundll32.exe “C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll”,VerifyStatus /ro O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Dzieńdobry!] C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.frame.crazywinnings.com O15 - Trusted Zone: *.static.topconverting.com O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM) O15 - Trusted Zone: *.static.topconverting.com (HKLM) O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj) - http://installs.hotbar.com/installs/hot … hotbar.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{7222395A-589D-4027-A2E4-8825C196CF48}: NameServer = 10.0.0.3 O23 - Service: Network Security Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\mfcup32.exe (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: hpdj - HP - C:\DOCUME~1\Iwona\USTAWI~1\Temp\hpdj.exe O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: Network Associates McShield (McShield) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Mcshield.exe (file missing) O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (file missing)
kuz5
(Kuz5)
5 Czerwiec 2005 21:41
#8
Log już prawie czysty ale zostało jeszcze to:
Pogrubiony plik spróbuj usunąć programem Pocket Killbox czyli odpalasz Killboxa zaznacz opcję Delete on Reboot następnie w polu Full Path of File to Delete wklej ścieżke:
C:\WINDOWS* * mfcup32.exe**
następnie program będzie pytał o restart (oczywiście zgadzasz sie)
Jak tak nie pujdzie to spróbuj tak:
Odpalasz HijackThis Misc Tools => Delete NT service => wpisz mfcup32 => Ok i zresetuj komputer.
system
(system)
6 Czerwiec 2005 09:10
#9
Z tym plikiem ciągle jest problem.
Nie poradził z nim sobie ani Pocket Killbox ani HijackThis
Comend
(Comend@nte)
6 Czerwiec 2005 14:59
#10
Plik usuń spod konsoli odzyskiwania albo w trybie awaryjnym.
Sam wpis w Hijacku trzeba usunąć recznie.
Przewertu jw rejestrze klucze usług poczawszy od: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services