Prosze o spr. logów

Mateo93 · 9 Maj 2006 14:59

Brosze bardzo o sprawdzenie logów. Podejrzewam ze mam viusa (chyba trojana) którego avast nie wykrył

Logfile of HijackThis v1.99.1

Scan saved at 16:48:56, on 2006-05-09

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\explorer.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\cFosSpeed\spd.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Opera\Opera.exe

C:\Documents and Settings\Mateusz\Pulpit\hijackthis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll

O2 - BHO: CACABHO Object - {93C69D87-A11D-4FFC-BC56-BE7EE0D235BA} - C:\Program Files\ACASystems\ACACapture\scap003s.dll

O2 - BHO: AlxTB BHO Class - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll

O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe

O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [ChrisTV Agent] "C:\Program Files\ChrisTV Lite\ChrisTV_Agent.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"

O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [KamikazeKat] C:\Program Files\ScreenMates\Gato2.exe

O4 - HKCU\..\Run: [EdHTML] C:\Program Files\Binboy\EdHTMLv5.0\EdHTML.exe /none

O4 - HKCU\..\Run: [SpeedX] C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [pro] C:\WINDOWS\tool2.exe

O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O4 - Startup: PowerReg Scheduler.exe

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: &Podświetl - C:\RAKS\Web\highlight.htm

O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm

O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm

O8 - Extra context menu item: O do&kumencie... - C:\RAKS\Web\aboutdoc.htm

O8 - Extra context menu item: Otwórz ramkę w &nowym oknie - C:\RAKS\Web\frm2new.htm

O8 - Extra context menu item: Po&mniejsz - C:\RAKS\Web\zoomout.htm

O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm

O8 - Extra context menu item: Pow&iększ - C:\RAKS\Web\zoomin.htm

O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm

O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm

O8 - Extra context menu item: Wyszukiwanie w sieci &Web - C:\RAKS\Web\selsearch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: (no name) - {84EB2634-7EEA-4f1b-B05C-51E41C68B11A} - C:\Program Files\ACASystems\ACACapture\SCap.exe (file missing)

O9 - Extra 'Tools' menuitem: Launch ACA Capture - {84EB2634-7EEA-4f1b-B05C-51E41C68B11A} - C:\Program Files\ACASystems\ACACapture\SCap.exe (file missing)

O9 - Extra button: Launch ACA Capture - {8EC68426-5943-4cf6-8778-222F9B428076} - C:\Program Files\ACASystems\ACACapture\SCap.exe (file missing)

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)

InfinityToJa · 9 Maj 2006 15:09

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html F2 - REG:system.ini: Shell=explorer.ex “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe” O2 - BHO: AlxTB BHO Class - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL O4 - HKCU…\Run: [WhenUSave] “C:\Program Files\Save\Save.exe” O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [pro] C:\WINDOWS\tool2.exe O4 - HKCU…\Run: [shell] “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe” O4 - Startup: PowerReg Scheduler.exe O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/ … search.htm O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/ … tedata.htm O8 - Extra context menu item: Mail to a Friend… - http://client.alexa.com/holiday/script/ … mailto.htm O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/ … elated.htm O8 - Extra context menu item: Write a Review… - http://client.alexa.com/holiday/script/ … review.htm O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Odinstaluj w dodaj/usuń newdotnet,

Ściągnij LSP-Fix>>>uruchom>>>zaznacz “I know what im doing” , przenieś newdotnet7_22.dll do okienka “REMOVE” i kliknij Finish

Kasujesz dalej:

1.Startujesz do trybu awaryjnego

2.Wyłanczasz przywracanie systemu (tylko Me/Xp)

3.Kasujesz wpisy w HijackThis

4.Kasujesz pogrubione pliki/foldery

5.Przeskanuj http://www.ewido.net

6.Dajesz nowy log z hjt + log z Silent Runners

Mateo93 · 9 Maj 2006 15:22

Wielkie dzięki ;). Mam jeszcze jedno pytanie.

http://img158.imageshack.us/img158/5374/beztytuu7xy.jpg

Podczas gdy system się ładuje wyskakuje mi takie okienko. Pisze żeby wyszukać obiekt lecz kiedy skończe wyszukiwanie mówi mi że tego ni znalezniono.

Czy ta operacja co mi podałeś upora się też z tym?

Bieniol · 9 Maj 2006 15:24

Tak

InfinityToJa · 9 Maj 2006 15:26

Start>>>uruchom>>>system.ini>>>skasuj doczepionego do explorera "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

Tak, po zabiegach nowy log z hijacka + silent runners (opisw linku)

Mateo93 · 9 Maj 2006 15:33

Niestety nie było czegoś takiego

InfinityToJa · 9 Maj 2006 15:34

Po skasowaniu wpisu:

Nie będzie się pojawiać.

Zrobiłeś w ogóle to co napisałem ?

Mateo93 · 9 Maj 2006 15:37

Połowe, tz usunęłem loga te co mi wskazałeś a teraz zabieram sie za reszte

Wyłancza się go w Panelu Sterowania?
Wszystkie?
Te pliki są w HijackThis ?

Wybaczcie że tak się pytam lecz chce się czegoś nauczyć i zrobić tak żeby nie utracić danych