Please check my log


(Bob) #1
Logfile of HijackThis v1.99.1

Scan saved at 10:37:18, on 2005-09-16

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\SYSTEM32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\hijackthis.com


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =  

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =  

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: Shell=Explorer.exe init32m.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [MSControl31] winnsyst.exe

O4 - HKLM\..\Run: [WindowsUpdate] "C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\winnnint.exe"

O4 - HKLM\..\Run: [MSControl3d1] isasse.exe

O4 - HKLM\..\RunServices: [MSControl31] winnsyst.exe

O4 - HKLM\..\RunServices: [MSControl3d1] isasse.exe

O4 - HKCU\..\Run: [internat.exe] debug32.exe -run internat.exe

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: 22M WLAN Adapter.lnk = C:\Program Files\22M WLAN Adapter\WLANMON.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:osuch.mht!http://195.95.218.173/dl/adv611/x.chm::/load.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O20 - AppInit_DLLs: msnethlp32.dll,----------------------------------------------------kernel32.dll

O21 - SSODL: Web Event Logger - {7CFBACFF-EE01-1231-ABDD-416592E5D639} - (no file)

O21 - SSODL: Gadu-Gadu - {CBE3897A-D131-5EA1-B35E-ADF454F49369} - c:\program files\gadu-gadu\wzjlvis32.dll (file missing)

O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINNT\System32\Kngpoeap.dll (file missing)

O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINNT\System32\fcdfokbo.dll (file missing)

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kerio Personal Firewall 4 (KPF4) - Unknown owner - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe (file missing)

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
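
Triage of the HijackThis log above, as an added example that is not part of the thread and not Bob's or HijackThis's own code. The rules it applies are my own rules of thumb, not anything HijackThis itself decides: a Shell= line that starts more than Explorer.exe, autostarts from a Temp directory, bare executable names that Windows resolves through the PATH search order, wrapper launches of the `x.exe -run y.exe` form, O16 entries using a non-HTTP handler, a populated AppInit_DLLs (with the dash padding that hides the real entry behind kernel32.dll in most viewers), and entries whose target file no longer exists. The sample lines are copied verbatim from the log above.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high": act on it; "review": confirm the file on disk first
    section: str   # HijackThis section code, e.g. "O4"
    reason: str
    line: str


# Constructed sample: a subset of lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MSControl31] winnsyst.exe
O4 - HKLM\..\Run: [WindowsUpdate] "C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\winnnint.exe"
O4 - HKCU\..\Run: [internat.exe] debug32.exe -run internat.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:osuch.mht!http://195.95.218.173/dl/adv611/x.chm::/load.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O20 - AppInit_DLLs: msnethlp32.dll,----------------------------------------------------kernel32.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINNT\System32\Kngpoeap.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def split_command(cmd):
    """Split a Run-key command into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def triage_o4(body, line):
    m = O4_RE.match(body)
    if not m:
        return None  # "Global Startup" shortcut lines have a different shape
    exe, args = split_command(m.group("cmd"))
    if "\\temp\\" in exe.lower():
        return Finding("high", "O4", "autostart runs from a Temp directory", line)
    if "\\" not in exe:
        # Bare name: resolved through the PATH search order, so it can be any file.
        wrapped = [tok for tok in args.split() if tok.lower().endswith(".exe")]
        if wrapped:
            return Finding("high", "O4", f"{exe} is a wrapper that launches {wrapped[0]}", line)
        return Finding("review", "O4", f"bare name {exe}; locate the file and check its publisher", line)
    return None


def triage_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if "(file missing)" in body or "(no file)" in body:
        return Finding("review", sec, "dead reference, the target no longer exists; remove the entry", line)
    if sec == "F2":
        shell = re.search(r"Shell=(.*)$", body)
        if shell and len(shell.group(1).split()) > 1:
            return Finding("high", sec, "Shell= starts extra programs next to Explorer.exe", line)
    elif sec == "O4":
        return triage_o4(body, line)
    elif sec == "O16":
        url = body.rsplit(" - ", 1)[-1].strip().lower()
        if not url.startswith(("http://", "https://")) or url.endswith(".exe"):
            return Finding("high", sec, "DPF entry uses a non-HTTP handler or points at an executable", line)
    elif sec == "O20":
        value = body.partition(":")[2].strip()
        if value:
            reason = "AppInit_DLLs is populated; every process that loads user32.dll loads these DLLs"
            if "-" * 10 in value:
                reason += " (dash padding pushes the real entry out of view behind kernel32.dll)"
            return Finding("high", sec, reason, line)
    return None


def triage(log_text):
    """Return findings for every line of a HijackThis log, in log order."""
    return [f for f in (triage_line(ln.strip()) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
```

The bare-name rule deliberately stops at "review": mobsync.exe in this log is a legitimate Windows component and winnsyst.exe is not, and only a look at the file on disk (or a second tool such as Silent Runners, which prints the publisher) tells the two apart. The RunServices duplicates of the same names are the usual sign that a Run entry is trying to survive deletion.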

(Kuz5) #2

Remove: (you do all of this in Safe Mode with System Restore switched off, of course)

Delete the files marked in red from the disk by hand

If you have trouble deleting any file, post back


(Bob) #3

After checking the log and removing the bad entries and files (which, by the way, some online scanner had already removed earlier), the problem is still there: when I want to open a program, e.g. Outlook (and it happens with all of them), a message pops up: cannot find file C… (or one of its components), make sure …

The file exists, of course.

Thanks for the help


(Gutek) #4

I don't understand? What file C? Details


(Bob) #5

The problem is with opening programs. I can't open any program because the message above pops up; the only way I get into Explorer is through an html file saved on disk, not through the icon. And it's like that with every program, I can't even use regedit because the same thing pops up, i.e.

"Cannot find file "regedit" (or one of its components). Make sure the path and file name are correct and that all required libraries are available"


(Gutek) #6

winnsyst.exe, so post a Silent Runners log


(Bob) #7

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/

Operating System: Windows 2000

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Synchronization Manager" = "mobsync.exe /logon" [MS]

"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s" [file not found]

"NeroCheck" = "C:\WINNT\System32\NeroCheck.exe" ["Ahead Software Gmbh"]

"PestPatrol Control Center" = "C:\PROGRA~1\PESTPA~1\PPControl.exe" [null data]

"CookiePatrol" = "C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" ["Computer Associates International"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4efb-9B51-7695ECA05670}(Default) = "Yahoo! Companion BHO" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {CLSID}\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {CLSID}\InProcServer32(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "st"

-> {CLSID}\InProcServer32(Default) = "C:\winnt\system32\winacpi.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

sysacpildap(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"

-> {CLSID}\InProcServer32(Default) = "C:\winnt\system32\winacpi.dll" [file not found]

Default executables:


.EXE: HKLM\SOFTWARE\Classes\exefile\shell\open\command\

INFECTION WARNING! "Default" = ""C:\WINNT\system32\debug32.exe" -run "%1" %*"

Active Desktop and Wallpaper:


Active Desktop is enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "D:\Zdjęcia z HP\hoh2\IM000184.JPG"

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\

"SCRNSAVE.EXE" = "(BRAK)" [file not found]

Startup items in "Administrator" & "All Users" startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"22M WLAN Adapter" -> shortcut to: "C:\Program Files\22M WLAN Adapter\WLANMON.exe" [empty string]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{85D1F590-48F4-11D9-9669-0800200C9A66}\

"MenuText" = "Uninstall BitDefender Online Scanner v8"

"Exec" = "%windir%\bdoscandel.exe" [null data]

Miscellaneous IE Hijack Points


C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Missing lines (compared with English-language version):

[DeleteAutosearch.reg]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):


Panda Process Protection Service, PavPrSrv, ""C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe"" ["Panda Software"]

System zdarzeń COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}


  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 20 seconds, including 2 seconds for message boxes)


(Gutek) #8

debug32.exe has to go

Look at the key: HKLM\SOFTWARE\Classes\exefile\shell\open\command\


(Bob) #9

But what you describe isn't in the HijackThis log, so how am I supposed to remove it? Silent Runners only produces the log and then closes.

thanks


(Gutek) #10

You can see the location! It's in C:\WINNT\system32\debug32.exe, just don't mix it up.

But first go to Start\Run\regedit and find the key *HKLM\SOFTWARE\Classes\exefile\shell\open\command*; tell me what's in it?
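
What that key is expected to hold, as an added check that is not part of the thread and not Gutek's or Silent Runners' code. On a clean Windows 2000 the `(Default)` value of `exefile\shell\open\command` is `"%1" %*`: the path of the .exe being launched, quoted, followed by its arguments. Anything placed in front of the `%1` placeholder is a wrapper that runs on every .exe launch, and if the wrapper file is deleted (by an antivirus, say) without the value being restored, every launch fails with the "cannot find file" error reported above, regedit included. Restoring the value to `"%1" %*` is the repair. The .com extension uses a different association, which is why the renamed `D:\hijackthis.com` in the first log still ran. The live registry read uses Python's standard winreg module and only runs on Windows; the sample values are the one Silent Runners flagged above and the stock one.

```python
import re
import sys

# Stock (Default) value of exefile\shell\open\command on Windows 2000/XP.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'


def exefile_hijacker(value):
    r"""Return None if the .exe open command is clean, otherwise the executable that
    sits in front of the "%1" placeholder, i.e. the program that really runs every
    time any .exe is started.  A value with no "%1" at all is returned as-is: the
    requested program would never be started."""
    v = value.strip()
    idx = v.find("%1")
    if idx < 0:
        return v
    # Drop the quote that may wrap "%1" itself, then see whether anything precedes it.
    prefix = v[:idx].rstrip().rstrip('"').strip()
    if not prefix:
        return None  # "%1" %* or an equivalent spacing/quoting variant
    m = re.match(r'"([^"]+)"|(\S+)', prefix)
    return m.group(1) or m.group(2)


def read_exefile_command():
    r"""Read the live value on Windows.  HKCR\exefile is the merged view of the
    HKLM\SOFTWARE\Classes\exefile key named in the thread.  Returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command")


if __name__ == "__main__":
    # Constructed inputs: the value Silent Runners flagged above, and the stock value.
    samples = ['"C:\\WINNT\\system32\\debug32.exe" -run "%1" %*', DEFAULT_EXEFILE_COMMAND]
    for sample in samples:
        print(repr(sample), "->", exefile_hijacker(sample) or "clean")
    live = read_exefile_command()
    if live is not None:
        print("live value:", repr(live), "->", exefile_hijacker(live) or "clean")
```

When the wrapper is still on disk, delete the file only after fixing the value, or at least in the same Safe Mode session; deleting it first leaves the machine in exactly the state Bob describes, where nothing with an .exe extension will start.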


(Bob) #11

regedit didn't work, as I wrote earlier, but there is success: it was a backdoor, which I removed with a Symantec removal tool, and everything works. The file you write about isn't there, some antivirus probably removed it, and in regedit the path you gave contains: name (Default), type REG_SZ, data "%1%*

thanks for the help

robert


(Gutek) #12

Good, OK

Edit: you have a PM on how to remove winacpi.dll