Poprosze o sprawdzenie loga

raaf · 15 Luty 2006 09:35

Logfile of HijackThis v1.99.1

Scan saved at 10:30:06, on 2006-02-15

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\TCAUDIAG.exe

C:\WINDOWS\system32\sstray.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

F:\eMule\emule.exe

C:\Documents and Settings\raaf\Pulpit\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emsisoft.com/redir/?t=upd7&l=English&v=1.5

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.11.1:3128

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice

O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: SATARaid.lnk = ?

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{D66E4803-77EB-40B7-BC4C-49B4663908B7}: NameServer = 192.168.11.1,213.134.128.19

O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe[\code]

detektyw · 15 Luty 2006 09:40

masz jakis klopot ?

raaf · 15 Luty 2006 21:20

zasadniczo to nie wiem

zrobiłem format C
zapodałem winde xp na nowo
zanim podłączyłem się do netu zainstalowałem avasta i outposta
i wtedy avast zapodal komunikat o wykryciu takiego robala:

C:\windows\System32\mswindtc.exe

i stąd moje pytanie czy jest czysto?

bo robala wywaliłem

Gutek · 15 Luty 2006 22:21

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable. Po użyciu tego narzędzia wymagany jest reset sysa.

Przeskanuj kompa EWIDO po zrobieniu update- http://www.searchengines.pl/phpbb203/lo … 16762.html

raaf · 16 Luty 2006 19:46

czy tak ma wyglądać?

WWDC?

ewido użyłem

wkleić logi ponownie?

kuz5 · 16 Luty 2006 20:53

Wszystki znaczki maja być na zielono Tutaj masz instrukcje tego narzędzia

Możesz wkleić, ale loga SilentRunners

raaf · 17 Luty 2006 10:07

tak jest Panie Kuz ze mną tak trzeba ŁOPATĄ ( mówie poważnie i jak najpoważniej DZIEKUJĘ za porade )

kłania się czytanie ze zrozumieniem zrobiłem dokładnie odwrotnie niż miałem mam nadzieje że mi komp nie wybuchnie ?

logi wkleje po przeskanowaniu

ewido
spy botem
a2
ad aware

chyba wystarczy?

Złączono Posta : 17.02.2006 (Pią) 11:50

chyba dobrze wkleiłem? skanowanie zakończoe wszystko powywalane.

log z SR wygląda tak :

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"Outpost Firewall" = "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice" ["Agnitum Ltd."]

"OutpostFeedBack" = "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup" ["Agnitum Ltd."]

"TCASUTIEXE" = "TCAUDIAG.exe -on" [empty string]

"nForce Tray Options" = "sstray.exe /r" ["NVIDIA Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

kuz5 · 17 Luty 2006 12:55

To nie jest cały log, odczekaj ok 1min

raaf · 17 Luty 2006 19:15

a teraz? mam nadzieje że tak

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"Outpost Firewall" = "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice" ["Agnitum Ltd."]

"OutpostFeedBack" = "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup" ["Agnitum Ltd."]

"TCASUTIEXE" = "TCAUDIAG.exe -on" [empty string]

"nForce Tray Options" = "sstray.exe /r" ["NVIDIA Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a˛ Context Menu Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" [null data]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: "]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = "C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll" ["Agnitum Ltd."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" [null data]

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\raaf\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Startup items in "raaf" & "All Users" startup folders:

------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

"SATARaid" -> shortcut to: "C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe" ["Silicon Image, Inc."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{A1A7E22D-1587-4230-8F16-081C68D21448}\ = "Outpost Firewall Pro Quick Tune"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll" ["Agnitum Ltd."]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


{44627E97-789B-40D4-B5C2-58BD171129A1}\

"ButtonText" = "Outpost Firewall Pro Quick Tune"


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]

ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]

Outpost Firewall Service, OutpostFirewall, "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /service" ["Agnitum Ltd."]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 34 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 10 seconds.

---------- (total run time: 78 seconds)

kuz5 · 19 Luty 2006 19:03

Log jest ok