Prośba o sprawdzenie loga!

Dla specjalistów Bezpieczeństwo
#1

Logfile of HijackThis v1.99.0

Scan saved at 22:32:28, on 2005-02-10

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\soundman.exe

E:\Winamp\winampa.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

E:\Quick Time\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iPod\bin\iPodService.exe

F:\BearShare\BearShare.exe

C:\WINDOWS\System32\ctfmon.exe

F:\BearShare\BearShare.exe

C:\Program Files\Messenger\msmsgs.exe

E:\gadu-gadu\Gadu-Gadu\gg.exe

E:\tlen\tlen.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\WINDOWS\System32\wuauclt.exe

E:\Avant Browser 10.0\Avant Browser\avant.exe

F:\hijackthis1.99\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: Us

#2

Czy aby na pewno to cały log :? :? :?

#3

jedno jest z tego pewne.Warto zainstalowac sp2 -bezpieczenstwo :slight_smile:

#4

…ano wlasnie…urwalo mi cos…teraz kopiuje w calosci.

Logfile of HijackThis v1.99.0

Scan saved at 22:32:28, on 2005-02-10

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\soundman.exe

E:\Winamp\winampa.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

E:\Quick Time\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iPod\bin\iPodService.exe

F:\BearShare\BearShare.exe

C:\WINDOWS\System32\ctfmon.exe

F:\BearShare\BearShare.exe

C:\Program Files\Messenger\msmsgs.exe

E:\gadu-gadu\Gadu-Gadu\gg.exe

E:\tlen\tlen.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\WINDOWS\System32\wuauclt.exe

E:\Avant Browser 10.0\Avant Browser\avant.exe

F:\hijackthis1.99\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Acrobat Reader 5.0.5 CE\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {760E77A4-A8FD-4259-9AF5-BF7FAC2E18FC} - C:\WINDOWS\System32\afhfjca.dll (file missing)

O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: (no name) - {A818E3BA-FF13-4984-BB3F-D5D3359016EB} - (no file)

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”

O4 - HKLM…\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM…\Run: [soundMan] soundman.exe

O4 - HKLM…\Run: [WinampAgent] E:\Winamp\winampa.exe

O4 - HKLM…\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM…\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM…\Run: [stopSignStatus] Rundll32.exe “C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll”,VerifyStatus

O4 - HKLM…\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k

O4 - HKLM…\Run: [iTunesHelper] E:\Quick Time\iTunesHelper.exe

O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime

O4 - HKLM…\Run: [bearShare] “F:\BearShare\BearShare.exe” /pause

O4 - HKLM…\RunOnce: [stopSignStatus] Rundll32.exe “C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll”,VerifyStatus /ro

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background

O4 - HKCU…\Run: [OEM32 Tools] sres32.exe

O4 - HKCU…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKCU…\Run: [Gadu-Gadu] “E:\gadu-gadu\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [Komunikator] E:\tlen\tlen.exe

O4 - HKCU…\Run: [spyware Begone] E:\freescan\freescan.exe -FastScan

O4 - HKCU…\Run: [spyware Vanisher] E:\freescan\FreeScanner.exe -FastScan

O4 - HKCU…\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Add to AD Black List - e:\avant browser 10.0\avant browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - e:\avant browser 10.0\avant browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - E:\Avant Browser 10.0\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Dodaj do listy blokowanych reklam - E:\Avant Browser 10.0\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Highlight - e:\avant browser 10.0\avant browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page… - e:\avant browser 10.0\avant browser\OpenAllLinks.htm

O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony… - E:\Avant Browser 10.0\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Podświetl - E:\Avant Browser 10.0\Avant Browser\Highlight.htm

O8 - Extra context menu item: Search - e:\avant browser 10.0\avant browser\Search.htm

O8 - Extra context menu item: Szukaj - E:\Avant Browser 10.0\Avant Browser\Search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll

O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab

O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/c … dot8_x.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/se … loader.cab

O17 - HKLM\System\CCS\Services\Tcpip…{533C701F-5D22-4612-8AAA-97505176B2AB}: NameServer = 194.204.159.1,194.204.152.34

O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: FWService - Unknown - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe (file missing)

O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Usługa Auto Protect programu Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#5

:roll: wg mnie do usunięcia:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {760E77A4-A8FD-4259-9AF5-BF7FAC2E18FC} - C:\WINDOWS\System32\afhfjca.dll (file missing)

O2 - BHO: (no name) - {A818E3BA-FF13-4984-BB3F-D5D3359016EB} - (no file)

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKCU…\Run: [OEM32 Tools] sres32.exe

jeśli nie znasz to wywal to:

O23 - Service: FWService - Unknown - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe (file missing)

Ponadto poprawki SP oraz gruntowny skan tutaj:

http://www.dobreprogramy.com/index.php?dz=2&id=657&t=55

http://download.nai.com/products/mcafee … tinger.exe

http://www.gdata.pl/kmdownload/download … etit&id=60

http://support.f-secure.com/enu/home/ols.shtml

http://www.download.com/ETD-Security-Sc … 29424.html

http://housecall.trendmicro.com/houseca … t_corp.asp

potem dla wszelkiej pewności ponownie loga.

#6

Jeszcze to do usunięcia w trybie awaryjnym:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

Jeżeli nie używasz Windows Messenger to go usuń:

Start=>Uruchom=>Wpisz polecenie

RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove

Wyłącz CTFMON.EXE: Panel sterowania => Opcje regionalne=> Języki => Szczegóły => Zaawansowane => zaznaczasz wyłącz zaawansowane usługi tekstowe

Start=>Uruchom=>Wpisz polecenie msconfig=>Zakładka Uruchamianie i odchacz:

winamp

#7

dzieki…myslalam ze bedzie tego wiecej…

#8

O4 - HKCU…\Run: [spyware Begone] E:\freescan\freescan.exe -FastScan

O4 - HKCU…\Run: [spyware Vanisher] E:\freescan\FreeScanner.exe -FastScan

Odnosnie tych dwoch programow to zalecalbym ich odinstalowanie poniewaz jak mowi goglarka: “false positives work as goad to purchase” (generowane sa falszywe alarmy zachecajace do zakupu programu)