Prosze o pomoc w sprawdzeniu loga


(Agata Mar1) #1
Logfile of HijackThis v1.99.1

Scan saved at 16:01:10, on 2005-10-16

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe

C:\Program Files\BearShare\BearShare.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE

C:\Program Files\Media Gateway\MediaGateway.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\paytime.exe

C:\WINDOWS\System32\paytime.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\System32\mswind32.pif

C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe

C:\WINDOWS\etb\pokapoka76.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\uzutkownik\Pulpit\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchwebzone.com/sp2.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0

O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [System service67] C:\WINDOWS\\etb\pokapoka67.exe

O4 - HKLM\..\Run: [System service68] C:\WINDOWS\\etb\pokapoka68.exe

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [ML1HelperStartUp] C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1

O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [KKO1l] C:\WINDOWS\hmpuvxgm.exe

O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe

O4 - HKLM\..\Run: [AtiPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe

O4 - HKLM\..\Run: [combop.exe] combop.exe

O4 - HKLM\..\Run: [combo.exe] combo.exe

O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe

O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe

O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe

O4 - HKLM\..\RunServices: [OS Security] mswind32.pif

O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\Run: [Windows Update System Shell] svhostcs32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] drwatson32.exe -run C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\System32\winupd.exe

O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe

O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"

O4 - HKCU\..\Run: [OS Security] mswind32.pif

O4 - HKCU\..\RunServices: [OS Security] mswind32.pif

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk766YYPL

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.popuppers.com

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/180solutions/ie/bridge-c18.cab

O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) - http://poczta.wp.pl/d016/mailcfg.ocx

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_23.cab

O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)

O20 - Winlogon Notify: style32 - C:\WINDOWS\q2089724.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: KLBLMain - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe

O23 - Service: plugin - Unknown owner - C:\WINDOWS\plugin.exe (file missing)

O23 - Service: SCSMS32 (SCSMS) - Unknown owner - C:\WINDOWS\scmsm32.exe (file missing)

O23 - Service: service - Unknown owner - C:\WINDOWS\service.exe (file missing)

(Kuz5) #2

W Dodaj/Usuń odinstaluj Media Gateway

Usuń: (wszystko oczywiście robisz w trybie awaryjnym z wyłączonym przywracaniem systemu)

Start => Uruchom => wpisz services.msc => zatrzymaj i wyłącz proces plugin, SCSMS32 i service nastepnie odpalasz HijackThis Misc Tools => Delete NT service => wpisz SCSMS => Ok i zresetuj komputer.

Pliki na czerwono usun ręcznie z dysku

Pliki q2089724.dll , ibm00003.exe oraz svhostcs32.exe usuń programem Pocket Killbox czyli odpalasz Killboxa zaznacz opcję Delete on Reboot następnie w polu Full Path of File to Delete wklej ścieżke:

C:\Program Files\Common Files\Microsoft Shared\Web Folders**** ibm00003.exe

następnie program będzie pytał o restart (oczywiście zgadzasz sie)

I to samo robisz ze ścieżkami:

C:\WINDOWS**** q2089724.dll

C:\WINDOWS\system32**** svhostcs32.exe

Jeżeli wpisy 015 będą stawiać opór to usuń je narzędziem KillTrusted 0.7

Proponuje odinstalowac BearShare

Masz jeszcze na kompie FlashGet?


(Agata Mar1) #3

Zrobilam to co kazales i komputer chodzi juz lepiej ale jak wlaczam przegladrke to wyswietla sie niebieska strona:

Detected SPYware! System error #384

__________________________________________________________________________

Your IP address is 62.21.89.231. Using this address a remote computer has gained anaccess to your computer and probably is collecting the information about the sites you've visited and the files contained in the folder Temporary Internet Files. Attention! Ask for help or install the software for deleting secret information about the sites you visited.

__________________________________________________________________________

Your computer is full of evidences!

ISP of transmission: ICPNET

Your IP address: 62.21.89.231

They know you're using: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iebar; acc=kimochiz; FunWebProducts)

Your computer is: Windows XP

Risk status for further investigation: VERY HIGH RISK

Tego procesu SCSMS nie moge wylaczyc bo jak wchadze w services.msc to nie moge wylaczyc(jedyna dostepna opcja to uruchom!!)a typ uruchomiania jest automatyczny!A plugin i service byly juz wylaczone.

wklejam nowego loga;

Prosze o pomoc bo nie wiem co zrobic z ta niebieska tapeta??????


(Kuz5) #4

Po pierwsze to ty weź wkoncu oczysc loga a dopiro zabiezemy sie za inne rzeczy.

Przeczytaj jeszcze raz (dokładnie) mojego posta

Wiec tak wyłącz przywracanie systemu nastepnie wystartuj do trybu awartyjnego, usuń pliki zaznaczone na czerwono a nastepnie skasuj wpisy w HijackThis poprzez zaznaczenie wymienionych wpisów i klikniecie fix checked


(Agata Mar1) #5

Jest juz chyba OK, niebieska tapeta juz sie nie pojawia jak odpalam internet. Usunęlam to zaznaczone na czerwono w Hijact i z dysku to co mi sie udalo :smiley: Jedyny problem jest taki ze jak robilam skanowanie Kasperskim to wykrylo jakies wirusy ale pojawil sie komunikat Odmowa dostepu-obiekt zabezpieczony haslem!Wiec zrobilam POMIN zeby dalej kontynuowac skanowanie!A co to jest Flash Get bo chyba to mam.

Wklejam nowego loga,tylko nie pisz prosze ze znowu sa jakies smieci tam bo juz dam sobie spokoj chyba :stuck_out_tongue:

Logfile of HijackThis v1.99.1

Scan saved at 10:29:38, on 2005-10-19

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\ftp.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe

C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\uzutkownik\Pulpit\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the818search-co.com/sp2.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.the818search-co.com/sp2.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.the818search-co.com/sp2.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.konin.lm.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.the818search-co.com/sp2.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [System service67] C:\WINDOWS\\etb\pokapoka67.exe

O4 - HKLM\..\Run: [System service68] C:\WINDOWS\\etb\pokapoka68.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [ML1HelperStartUp] C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AtiPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe

O4 - HKLM\..\RunServices: [msoft-updater23] slssystem.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk766YYPL

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/180solutions/ie/bridge-c18.cab

O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) - http://poczta.wp.pl/d016/mailcfg.ocx

O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_19.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_23.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: KLBLMain - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe

O23 - Service: SCSMS32 (SCSMS) - Unknown owner - C:\WINDOWS\scmsm32.exe (file missing)

Złączono Posta : 21.10.2005 (Pią) 11:09

Wszystko jest w porzadku z tym logiem,bo nie odpisujesz? :frowning: