Please check my log


(Piotrek 444) #1

Logfile of HijackThis v1.99.0

Scan saved at 09:52:53, on 2005-01-26

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\htpatch.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Programy\Gadu-Gadu\gg.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Opera 8 Beta\Opera.exe

C:\WINDOWS\SYSTEM32\cidaemon.exe

C:\Documents and Settings\Dacewicz\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: - {534DC8F0-A733-4929-868F-5B1B44621F4F} - C:\WINDOWS\lbbho.dll (file missing)

O2 - BHO: - {65EBA930-7B75-4BCF-9841-8FE8F6A58BF2} - C:\WINDOWS\lbbho.dll (file missing)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O4 - HKLM..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

O4 - HKLM..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1045

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM..\Run: [®Windows Update] svchosts.exe

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU..\Run: [®Windows Update] svchosts.exe

O4 - HKCU..\Run: [Gadu-Gadu] "D:\Programy\Gadu-Gadu\gg.exe" /tray

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm

O8 - Extra context menu item: Wyślij obraz na &Telefon - res://C:\Program Files\MTPlugin\MTSend.dll/Plugin

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip..{24C7E572-4D2A-410F-9E65-AE0B49618314}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CCS\Services\Tcpip..{FE1886AF-BB42-4BC2-9C41-11DAA7C68019}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS1\Services\Tcpip..{24C7E572-4D2A-410F-9E65-AE0B49618314}: NameServer = 194.204.159.1,194.204.152.34

O17 - HKLM\System\CS2\Services\Tcpip..{24C7E572-4D2A-410F-9E65-AE0B49618314}: NameServer = 194.204.159.1,194.204.152.34

O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


(3dm Racek) #2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: - {534DC8F0-A733-4929-868F-5B1B44621F4F} - C:\WINDOWS\lbbho.dll (file missing)

O2 - BHO: - {65EBA930-7B75-4BCF-9841-8FE8F6A58BF2} - C:\WINDOWS\lbbho.dll (file missing)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

That goes in the TRASH.


(Piotrek 444) #3

thanks


(3dm Racek) #4

But that's not all :smiley:

I said what I knew; someone like phylby will check the rest for you :smiley:


(adpawl) #5

In Safe Mode with System Restore turned off...

Then repair the LSP chain with this program (NewDotNet has written itself into it...): http://www.cexx.org/lspfix.zip

Instructions are here: LINK

If it is there, use that program to remove the file NEWDOT~1.DLL or similar... from the chain.

Just leave the correct entries in place:

[image: lsp4ru.jpg]

Then you absolutely must scan with CWShredder, PestPatrol, Spybot and other programs (after updating them, of course!!)

links: http://download.zonelabs.com/bin/free/p ... olHome.exe

http://download.softpedia.ro/software/A ... sd14b2.exe

http://cwshredder.net/bin/CWShredder.exe

BTW

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  • that is the Acrobat plugin for IE; it lets you view PDFs...

O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)

- Whereas that one ... is a StyleXP entry


(Xiao19) #6

these you leave

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[correct]

you also delete, in /Safe Mode/

O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)

[FRUCTA TROJAN!]

O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

[empty duplicate]

O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

download PestPatrol and ETD Security Scanner 3.0

INFO:

UPDATE and scan the system partition

http://download.zonelabs.com/bin/free/p ... olHome.exe

http://www.download.com/ETD-Security-Sc ... 29424.html

then scan with the AV scanners

--GFI Trojan--

http://www.windowsecurity.com/trojanscan/

--F-Secure--

http://support.f-secure.com/enu/home/ols.shtml

--GeCAD (RAV)--

http://www.ravantivirus.com/scan/

or

--Softwin (BitDefender)--

http://www.bitdefender.com/scan/licence.php

INFO:

[FRUCTA TROJAN!]

http://www.mks.com.pl/baza.html?show=de ... on&id=3078

DELETE

turn off System Restore (Disable System Restore)

delete these files from the disk

kernell32.dll, avmtapi.tsp, system.dll.

oraz _RarExt.exe, _textpad.exe, svchosts.exe

remove the registry entries

Click Start > Run.

Type regedit

Then click OK.

Navigate to the keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"@Windows Update" = "svchosts.exe"

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers

In the right pane, delete the values:

"ProviderID5" = "0x00000006"

"ProviderFileName5" = "avmtapi.tsp"

"AllProviders" = "true"

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open

In the right pane, reset the value:

"command(Default)" = "%System%_textpad.exe %1"

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcroExch.Document\shell\open

In the right pane, reset the value:

"command(Default)" = "_Reader32.exe" "%1"

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shell\open

In the right pane, reset the value:

"command(Default)" = "_RarExt.exe" "%1"

Exit the Registry Editor.

finally, scan the disk with this, a² Free

http://www.emsisoft.com/en/
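The replies above sort the log by eye: the Run value named "®Windows Update" launching a path-less "svchosts.exe" (one letter off the real svchost.exe), the New.Net O10 entries in the Winsock LSP chain, and BHO/toolbar entries whose file is gone. The script below is an added example, not part of this thread and not HijackThis code: it parses HijackThis-style lines and applies those same checks as heuristics (non-ASCII mimicry in a Run value name, bare file names resolved via the search path, one-edit lookalikes of system process names, orphaned O2/O3/O9 entries, any O10 LSP entry). The severity labels, the lookalike list and the sample log are my own assumptions; the sample lines are taken from the log in post #1.

```python
import re
from dataclasses import dataclass

# Legitimate Windows process names that malware imitates with a one-character
# change (this log has "svchosts.exe" next to the real svchost.exe). Assumed list.
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "explorer.exe", "rundll32.exe", "smss.exe"}

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}

@dataclass
class Finding:
    section: str
    line: str
    reasons: list  # (severity, explanation) pairs

    @property
    def severity(self):
        return max((s for s, _ in self.reasons), key=SEVERITY_RANK.get)

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(filename):
    """System process name one edit away from `filename`, or None if it is exact/unrelated."""
    name = filename.lower()
    if name in SYSTEM_PROCESSES:
        return None
    return next((g for g in SYSTEM_PROCESSES if edit_distance(name, g) == 1), None)

def first_token(cmd):
    """Executable part of a Run value: a quoted path or the first whitespace-delimited token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""

def triage_line(line):
    """Return a Finding for one HijackThis line, or None when no heuristic fires."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec == "O4":
        o4 = O4_RE.match(body)
        if o4:
            name, exe = o4.group("name"), first_token(o4.group("cmd"))
            if any(ord(ch) > 127 for ch in name):
                reasons.append(("medium", "non-ASCII character in Run value name (visual mimicry of a Windows name)"))
            base = exe.split("\\")[-1]
            if "\\" not in exe and base.lower().endswith(".exe"):
                reasons.append(("medium", "bare file name, resolved through the search path rather than a fixed location"))
            like = lookalike(base)
            if like:
                reasons.append(("high", f"file name is one edit away from system process {like}"))
    elif sec in ("O2", "O3", "O9"):
        if "(file missing)" in body or "(no file)" in body:
            reasons.append(("info", "registered component whose file no longer exists (orphaned entry)"))
    elif sec == "O10":
        reasons.append(("medium", "Winsock LSP chain contains a third-party provider"))
    return Finding(sec, line.strip(), reasons) if reasons else None

def triage(log_text):
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]

# Constructed sample: a subset of the lines from the log in post #1.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: - {534DC8F0-A733-4929-868F-5B1B44621F4F} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O4 - HKLM..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1045
O4 - HKLM..\Run: [®Windows Update] svchosts.exe
O4 - HKCU..\Run: [®Windows Update] svchosts.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O10 - Hijacked Internet access by New.Net
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for _, why in f.reasons:
            print("    -", why)
```

The heuristics are deliberately narrow: a full-path entry from a known vendor (avast, Acrobat, DAEMON Tools) produces nothing, while the two "®Windows Update" values come out as the only high-severity hits, which matches what the thread tells the poster to delete. Orphaned entries are reported as informational, since they are dead registrations to clean up rather than running code.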