Prośba o sprawdzenie log'a


(zciwo) #1
Logfile of HijackThis v1.99.1

Scan saved at 22:06:30, on 2005-06-29

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\PWN\Definicje\Bin\Starter.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Firewall\Spam\spampal.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE

C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe

C:\WINDOWS\System32\wuauclt.exe

C:\PROGRA~1\COMMON~1\Logitech\WebColct\WebColct.exe

C:\Documents and Settings\Kollassa\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.toya.net.pl:6060

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.100.1;localhost;

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll (file missing)

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [AntyDialerTP] "c:\firewall\antydialer\antydialer tp\antydialertp.exe" tray

O4 - HKLM\..\Run: [DemonStarter] C:\Program Files\PWN\Definicje\Bin\Starter.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\temp532.exe -N

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehhr32.exe

O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehhr32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: SpamPal.lnk = C:\Firewall\Spam\spampal.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/3bCzRVKbOWznjPD8JWk_.chm::/on-line.exe

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - 

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112023057155

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\System32\textwareilluminatorbaseProtocol.dll

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

Nie mój log więc nie wiem nic o objawach, ale może pomożecie :slight_smile:


(boczi) #2

Jaasne :?

Kolega syfu ma co niemara :evil:

Loga dziś już nie będę sprawdzał, na początek lepiej przeskanuj system programami:

Ad-Aware :arrow: http://dobreprogramy.pl/index.php?dz=2&t=82&id=107

Spybot S&D :arrow: http://dobreprogramy.pl/index.php?dz=2&t=82&id=188

CWShredder :arrow: http://dobreprogramy.pl/index.php?dz=2&t=82&id=657

Poskanuj, na pewno coś wykryje, szczególnie w CWShredder i daj nowy log.


(lazikar) #3

Dlatego też post poleciał.


(zciwo) #4

Ten log jest już po skanowaniu Ad-Adware i Spybotem :?


(Qbek50) #5

przeskanuj jeszcze tym, ubij syf i wrzuc ponownie loga:

CWShredder

PestPatrol

http://download.zonelabs.com/bin/free/p ... olHome.exe

oraz skanery:

http://skaner.mks.com.pl/

http://www.pandasoftware.com/activescan ... ncipal.htm


(zciwo) #6

Tu mam loga po potraktowaniu systemu CWShredderem.Nie wiem czy coś znalazł

Logfile of HijackThis v1.99.1

Scan saved at 20:22:48, on 2005-06-30

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\PWN\Definicje\Bin\Starter.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Firewall\Spam\spampal.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE

C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Kollassa\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla hijackthis.zip\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.toya.net.pl:6060

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.100.1;localhost;

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: MailTo Class - {FDE3577A-6254-181C-4E11-339E4F746BD3} - C:\WINDOWS\System32\wins32t.dll (file missing)

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [AntyDialerTP] "c:\firewall\antydialer\antydialer tp\antydialertp.exe" tray

O4 - HKLM\..\Run: [DemonStarter] C:\Program Files\PWN\Definicje\Bin\Starter.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\temp532.exe -N

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitehhr32.exe

O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitehhr32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: SpamPal.lnk = C:\Firewall\Spam\spampal.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/3bCzRVKbOWznjPD8JWk_.chm::/on-line.exe

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - 

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112023057155

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\System32\textwareilluminatorbaseProtocol.dll

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

Napiszcie co wywalić


(boczi) #7

Wszystkie czynności wykonujesz w trybie awaryjnym [F8] w czasie bootowania komputera z wyłączonym przywracaniem systemu.

Wywal cały program:

C:\Program Files\Logitech\ *Desktop Messenger* - Uprzednio sprawdź, czy może jest w Panelu Sterowania / Dodaj/Usuń Programy. Stamtąd go wtedy usuń.

Właśnie od tss.exe powinieneś mieć te pliki na dysku: (tss.exe na razie zostaw):

C:\WINDOWS\system32\ msaps.dll

C:\WINDOWS\system32\ wins32t.dll

Następnie wpisy pochodne od w/w wpisów kasujesz z Hijacka:

Kasacja ręczna (jeśli znajdziesz)

C:\WINDOWS\System32\ temp532.exe

C:\windows\system32\ elitehhr32.exe

Szukaj też w plikach ukrytych.

Kasacja z Hijacka kontrolek ActiveX:

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/3bCzRVKbOWznjPD8JWk_.chm::/o n-line.exe

 	O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

   	O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

Następnie pytanie:

Jakich P2P używasz?

Po czynnościach nowy log.


(zciwo) #8

Żadnych p2p nie używam więc to chyba też trzeba skasować. Jak będzie pokasowane to wrzuce loga


(boczi) #9

Więc kasujesz także:

C:\WINDOWS\System32\ *P2P Networking*