Prośba o sprawdzenie loga

Jova · 18 Czerwiec 2005 13:48

Logfile of HijackThis v1.99.1

Scan saved at 15:45:31, on 2005-06-18

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\msnmsgr.exe

C:\WINDOWS\system32\rpcservice.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\atiptaxx.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\JOWITA\Moje dokumenty\Gadu-Gadu\gg.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\JOWITA\Ustawienia lokalne\Temp\Katalog tymczasowy 10 dla hijackthis.zip\HijackThis.exe

C:\WINDOWS\System32\imapi.exe

C:\WINDOWS\System32\dwwin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\vcmvy.dll

O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)

O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)

O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)

O2 - BHO: Internet Explorer Hot Fix - {83AF4E9B-D421-4C85-9A21-F9509C94A012} - C:\WINDOWS\System32\ngjbe.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\vcmvy.dll

O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM…\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe

O4 - HKLM…\Run: [PayTime] C:\WINDOWS\System32\paytime.exe

O4 - HKLM…\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM…\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Documents and Settings\JOWITA\Moje dokumenty\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [spySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe” /1

O4 - HKCU…\Run: [ETD Security Scanner] “C:\Program Files\ETD Security Scanner\ETD Security Scanner.exe” /s

O4 - HKCU…\Run: [PayTime] C:\WINDOWS\System32\paytime.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip…{835D9941-C7BD-4EBB-A82F-F3E77E2BE66C}: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\Tcpip…{ED580523-980B-4696-9140-F77A2EA9484A}: NameServer = 69.50.184.84,195.225.176.37

O20 - Winlogon Notify: style2 - C:\WINDOWS\q2734562_disk.dll

O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

O23 - Service: Logical Disk Manager Provider (apee) - Unknown owner - C:\WINDOWS\System32\msnmsgr.exe" -netsvcs (file missing)

O23 - Service: RpcService (Rpc) - Unknown owner - C:\WINDOWS\system32\rpcservice.exe

O23 - Service: Windows PnP Driver (winpnp) - Unknown owner - C:\WINDOWS\System32\winpnp.exe (file missing)

Proszę o pomoc. Cały czas wyskakuje mi raport o błędach.

Z góry dziękuje. Jowita

kuz5 · 18 Czerwiec 2005 14:14

W Dodaj/Usun odinstaluj MyWay, Media Pass i jeżeli bedzie RXToolBar i PayTime to także odinstaluj.

Usuń: (wszystko oczywiście robisz w trybie awaryjnym z wyłączonym przywracaniem systemu)

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing) O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\vcmvy.dll O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing) O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing) O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing O2 - BHO: Internet Explorer Hot Fix - {83AF4E9B-D421-4C85-9A21-F9509C94A012} - C:\WINDOWS\System32\ngjbe.dll O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing) O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\vcmvy.dll O4 - HKLM…\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe O4 - HKLM…\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM…\Run: [PayTime] C:\WINDOWS\System32\paytime.exe O4 - HKCU…\Run: [PayTime] C:\WINDOWS\System32\paytime.exe O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O20 - Winlogon Notify: style2 - C:\WINDOWS\q2734562_disk.dll O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

Pliki na czerwono usun ręcznie z dysku

Jeżeli chodzi o te wpisy to zrób tak Start => Uruchom => wpisz services.msc => zatrzymaj proces Windows PnP Driver nastepnie Odpalasz HijackThis Misc Tools => Delete NT service => wpisz winpnp => Ok i zresetuj komputer.

I to samo robisz z tymi wpisami:

Proponuje odinstalować Kazaa

musg · 18 Czerwiec 2005 14:19

wylacz przywracanie systemu i w trybie awaryjnym f8 na poczatek usuwasz za pomoca hijacka wciskajac fix nastepujace wpisy:

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing) O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\vcmvy.dll O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing) O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing) O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing) O2 - BHO: Internet Explorer Hot Fix - {83AF4E9B-D421-4C85-9A21-F9509C94A012} - C:\WINDOWS\System32\ngjbe.dll O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing) O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\vcmvy.dll O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab O17 - HKLM\System\CCS\Services\Tcpip…{835D9941-C7BD-4EBB-A82F-F3E77E2BE66C}: NameServer = 69.50.184.84,195.225.176.37 O17 - HKLM\System\CCS\Services\Tcpip…{ED580523-980B-4696-9140-F77A2EA9484A}: NameServer = 69.50.184.84,195.225.176.37 O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

nastepnie sciagnij sobie ten program:

http://www.bleepingcomputer.com/files/killbox.php

sposob uzywania(Odpal LSP-Fix zaznacz “I know what I’m doing” następnie w okienku Keep zaznacz plik który chcesz usunac i za pomocą strzałki (>>) przenieś go do okienka Remover i kliknij Finish)

wpisujesz w okienko kolejne wpisy a na restart zgadzasz sie na samym koncu:

C:\WINDOWS\q2734562_disk.dll

C:\WINDOWS\SYSTEM32\winrzf32.dll

C:\WINDOWS\System32\paytime.exe

i teraz restart

radze rowniez usunac kazze i zainstalowac np.emule(bezpiecznie)

teraz jeszcze media do wywalenia recznie z systemu:

to na wstepie ,usuwasz i dajesz kolejny log

pozniej zajmiemy sie jeszcze wpisami 023 file missing

tj:

Jova · 18 Czerwiec 2005 15:13

Wygląda to teraz tak:

Logfile of HijackThis v1.99.1

Scan saved at 17:12:34, on 2005-06-18

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\msnmsgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rpcservice.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\atiptaxx.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\JOWITA\Moje dokumenty\Gadu-Gadu\gg.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\JOWITA\Ustawienia lokalne\Temp\Katalog tymczasowy 14 dla hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Documents and Settings\JOWITA\Moje dokumenty\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized

O4 - HKCU…\Run: [spySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe” /1

O4 - HKCU…\Run: [ETD Security Scanner] “C:\Program Files\ETD Security Scanner\ETD Security Scanner.exe” /s

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip…{92724E4C-5D8C-467D-B302-8F96171CD47F}: NameServer = 194.204.152.34 217.98.63.164

O20 - Winlogon Notify: style2 - C:\WINDOWS\q2734562_disk.dll (file missing)

O23 - Service: Logical Disk Manager Provider (apee) - Unknown owner - C:\WINDOWS\System32\msnmsgr.exe" -netsvcs (file missing)

O23 - Service: RpcService (Rpc) - Unknown owner - C:\WINDOWS\system32\rpcservice.exe

O23 - Service: Windows PnP Driver (winpnp) - Unknown owner - C:\WINDOWS\System32\winpnp.exe (file missing)

System już prawie normalnie się zachwouje. Zamiast tapety mam co prawda białe tło z napisem odzyskiwanie pulpitu active desktop.

musg · 18 Czerwiec 2005 15:19

jeszcze te wpisy 023:

oraz wpisz w killboxa jeszcze:

C:\WINDOWS\q2734562_disk.dll

i restart kompa

po akcji skasuj wpis 020 za pomocą hijacka

ps

podczas wpisywania do hijacka :

Odpalasz HijackThis Misc Tools => Delete NT service => wpisz kolejno:

Logical Disk Manager Provider

RpcService

Windows PnP Driver

i wtedy zresetuj komputer.

pozniej usun wpisy 023 za pomoca fix w hijacku