NST
(Dart10)
25 Sierpień 2009 10:26
#1
Witam.
Prosiłbym o sprawdzenie logu HiJack this. AVAST wykrył zakraplacza jednak nie dało radę go usunąć przez avasta. Usunąłem ręcznie plik i niby jest w porządku. Dodatkowo wyskakuje przy każdym uruchomieniu błąd svchost.exe jednak jest on w dobrym miejscu a mianowicie c:\windows\system32 zaś w c:\windows go nie ma czyli teoretycznie trojana nie ma. Jednak prosze o przejrzenie logów.
Logfile of HijackThis v1.99.1 Scan saved at 12:15:47, on 2009-08-25 Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Running processes: C:\windows\System32\smss.exe C:\windows\system32\csrss.exe C:\windows\system32\winlogon.exe C:\windows\system32\services.exe C:\windows\system32\lsass.exe C:\windows\system32\svchost.exe C:\windows\system32\svchost.exe C:\windows\System32\svchost.exe C:\windows\system32\svchost.exe C:\windows\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\windows\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe C:\Program Files\Nero\Nero 7\InCD\InCD.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\windows\system32\RUNDLL32.EXE C:\windows\system32\spoolsv.exe C:\windows\system32\svchost.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe C:\windows\system32\lxctcoms.exe C:\windows\system32\nvsvc32.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\windows\system32\svchost.exe C:\windows\system32\wbem\wmiprvse.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\windows\System32\alg.exe C:\Documents and Settings\Administrator\Moje dokumenty\Skróty\hijackthis\HijackThis.exe C:\windows\system32\wuauclt.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi … t=&gc=1&q= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi … t=&gc=1&q= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedi … t=&gc=1&q=%s R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file) O2 - BHO: Lexmark Pasek narzędzi - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\Administrator\Dane aplikacji\Nowe Gadu-Gadu_userdata\ggbho.1.dll O3 - Toolbar: Lexmark Pasek narzędzi - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll O4 - HKLM…\Run: [LanguageShortcut] “C:\Program Files\CyberLink\PowerDVD\Language\Language.exe” O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe O4 - HKLM…\Run: [inCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe O4 - HKLM…\Run: [iSTray] “C:\Program Files\Spyware Doctor\pctsTray.exe” O4 - HKLM…\Run: [iMJPMIG8.1] “C:\windows\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32 O4 - HKLM…\Run: [LXCTCATS] rundll32 C:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16 O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit O4 - Startup: ikowin32.exe O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … p=ZNfox000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: lxct_device - - C:\windows\system32\lxctcoms.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
Za wszelką pomoc dziękuje
deFco247
(deFco247)
25 Sierpień 2009 10:32
#2
Logi wklejasz na wklej.org lub wklej.to , a w poście dajesz link.
Fix w HiJackThis: ( Do a system scan only -> zaznaczasz pola przy podanych niżej wpisach -> Fix checked )
R3 - URLSearchHook: (no name) - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi … t=&gc=1&q= R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi … t=&gc=1&q= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedi … t=&gc=1&q=%s R3 - URLSearchHook: (no name) - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file) O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - Startup: ikowin32.exe O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … p=ZNfox000
Pokaż logi OTL oraz GMER .
NST
(Dart10)
25 Sierpień 2009 11:27
#3
Sorrki nie miałem czasu na przeczytanie regulaminu.
Naprawiłem te wpisy co podałeś jednak: O4 - Startup: ikowin32.exe nie dało rady.
Oto logi z hijack, gmer i otl
hijack: http://wklej.org/id/139963/
gmer: http://wklej.org/id/139960/
otl: http://wklej.org/id/139966/