Prosze o sprawdzenie loga

Szymek · 2005-10-02 14:34:27 UTC

Logfile of HijackThis v1.99.1 Scan saved at 16:34:21, on 2005-10-02 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\spool.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\WINDOWS\System32\CTHELPER.EXE C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\WINDOWS\System32\msupdate32.exe C:\Program Files\SurfAccuracy\SAcc.exe C:\WINDOWS\System32\9p5oa5fl.exe C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE C:\Program Files\Opera\Opera.exe C:\Program Files\AutoConnect\AutoConnect.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\PowerArchiver\POWERARC.EXE C:\DOCUME~1\Internet\USTAWI~1\Temp_PA954\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.neostrada.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM..\Run: [microsft Updates] msupdate32.exe O4 - HKLM..\Run: [mouse] mouse.exe O4 - HKLM..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - HKLM..\Run: [REfACwv8] C:\WINDOWS\kfnijdgg.exe O4 - HKLM..\Run: [surfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe O4 - HKLM..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" O4 - HKLM..\Run: [9p5oa5fl] C:\WINDOWS\System32\9p5oa5fl.exe O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM..\Run: [REfACwvůőšÂ˛u*ßú C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\kfnijdgg.exe O4 - HKLM..\Run: [Compaq Service Drivers] winsvc32.exe O4 - HKLM..\RunServices: [microsft Updates] msupdate32.exe O4 - HKLM..\RunServices: [mouse] mouse.exe O4 - HKLM..\RunServices: [Compaq Service Drivers] winsvc32.exe O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - HKCU..\Run: [Compaq Service Drivers] winsvc32.exe O4 - HKCU..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe O4 - HKCU..\RunServices: [Compaq Service Drivers] winsvc32.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall 1.0\Plugins\BrowserBar\ie_bar.dll (file missing) O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://ny.contentmatch.net (HKLM) O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab O17 - HKLM\System\CCS\Services\Tcpip..{7BE9EDC0-7002-459F-BDE8-2E5776B23F9D}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Windows Spooler (winspool32) - Unknown owner - C:\WINDOWS\spool.exe

kuz5 · 2005-10-02 15:40:12 UTC

Ale załapałeś syfu, jak ci ten koputer chodzi :o

W Dodaj/Usun odinstaluj Internet Optimizer

Usuń: (wszystko oczywiście robisz w trybie awaryjnym z wyłączonym przywracaniem systemu)

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll O4 - HKLM..\Run: [microsft Updates] msupdate32.exe O4 - HKLM..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - HKLM..\Run: [REfACwv8] C:\WINDOWS\kfnijdgg.exe O4 - HKLM..\Run: [surfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe O4 - HKLM..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" O4 - HKLM..\Run: [9p5oa5fl] C:\WINDOWS\System32\9p5oa5fl.exe O4 - HKLM..\Run: [REfACwvùõšÂ²u*ßú C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\kfnijdgg.exe O4 - HKLM..\Run: [Compaq Service Drivers] winsvc32.exe O4 - HKLM..\RunServices: [microsft Updates] msupdate32.exe O4 - HKLM..\RunServices: [Compaq Service Drivers] winsvc32.exe O4 - HKCU..\Run: [Compaq Service Drivers] winsvc32.exe O4 - HKCU..\RunServices: [Compaq Service Drivers] winsvc32.exe O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

Ten wpis z kreseczką "_" usuniesz edytorem rejestru Registrar Lite

Uruchom edytor w pole Address wklej ścieżke

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks i kliknij Go poczym zostaniesz przeniesiony do tego klucza. Po prawej stronie będzie widoczny wpis _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} wszystkie inne wpisy z taką samą kreseczką także kasujesz i z prawokliku kasujesz wpisy.

Start => Uruchom => wpisz services.msc => zatrzymaj i wyłącz proces Windows Spooler nastepnie odpalasz HijackThis Misc Tools => Delete NT service => wpisz winspool32 => Ok i zresetuj komputer.

Pliki i foldery na czerwono usun ręcznie z dysku

Ciężkie do usunięcia pliki usuń programem Pocket Killbox czyli odpalasz Killboxa zaznacz opcję Delete on Reboot następnie w polu Full Path of File to Delete wklej ścieżke:

C:\WINDOWS**** nem220.dll

następnie program będzie pytał o restart (oczywiście zgadzasz sie)

I to samo robisz ze ścieżkami:

C:\WINDOWS\System32**** msupdate32.exe

C:\WINDOWS**** kfnijdgg.exe

C:\WINDOWS\System32**** 9p5oa5fl.exe

C:\WINDOWS\System32**** winsvc32.exe

C:\WINDOWS**** spool.exe

Jeżeli wpis 015 będzie stawiać opór to usuń go narzędziem KillTrusted 0.7

Szymek · 2005-10-02 17:14:52 UTC

Chyba zrobiłem wszytko tak jak chciales..

dla pewności:

Logfile of HijackThis v1.99.1 Scan saved at 19:14:31, on 2005-10-02 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\WINDOWS\System32\CTHELPER.EXE C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\WINDOWS\System32\mouse.exe C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\WINDOWS\System32\msupdate32.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\AutoConnect\AutoConnect.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE C:\Program Files\Preview AdService\PrevAdServ.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Preview AdService\PrevAdKeep.exe C:\WINDOWS\System32\msgame32.exe C:\WINDOWS\System32\MDM.EXE C:\Program Files\180searchassistant\salm.exe C:\WINDOWS\system32\ntvdm.exe C:\WINDOWS\explorer.exe C:\Program Files\Opera\Opera.exe C:\Program Files\PowerArchiver\POWERARC.EXE C:\DOCUME~1\Internet\USTAWI~1\Temp_PA965\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.neostrada.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - Default URLSearchHook is missing O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll O2 - BHO: EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll O3 - Toolbar: EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM..\Run: [mouse] mouse.exe O4 - HKLM..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM..\Run: [microsft Updates] msupdate32.exe O4 - HKLM..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe O4 - HKLM..\Run: [Microsoft Windows Game Updater] msgame32.exe O4 - HKLM..\Run: [etbrun] c:\windows\system32\elitetiv32.exe O4 - HKLM..\Run: [salm] c:\program files\180searchassistant\salm.exe O4 - HKLM..\Run: [ngp] C:\WINDOWS\ngp.exe O4 - HKLM..\RunServices: [mouse] mouse.exe O4 - HKLM..\RunServices: [microsft Updates] msupdate32.exe O4 - HKLM..\RunServices: [Microsoft Windows Game Updater] msgame32.exe O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - HKCU..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall 1.0\Plugins\BrowserBar\ie_bar.dll (file missing) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab O17 - HKLM\System\CCS\Services\Tcpip..{7BE9EDC0-7002-459F-BDE8-2E5776B23F9D}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

Gutek · 2005-10-02 21:19:50 UTC

3 - Default URLSearchHook is missing O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll O4 - HKLM..\Run: [mouse] mouse.exe O4 - HKLM..\Run: [microsft Updates] msupdate32.exe O4 - HKLM..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe O4 - HKLM..\Run: [Microsoft Windows Game Updater]msgame32.exe O4 - HKLM..\Run: [etbrun] c:\windows\system32\elitetiv32.exe O4 - HKLM..\Run: [salm] c:\program files\180searchassistant\salm.exe O4 - HKLM..\Run: [ngp] C:\WINDOWS\ngp.exe O4 - HKLM..\RunServices: [mouse] mouse.exe O4 - HKLM..\RunServices: [microsft Updates] msupdate32.exe O4 - HKLM..\RunServices: [Microsoft Windows Game Updater] msgame32.exe O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable. Po użyciu tego narzędzia wymagany jest reset sysa.

Wyłączyć Przywracanie systemu w XP TU
Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).
Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte. Dodatkowo O15 może będzie stawiać opór więc ściągnij KillTrusted 0.7
Skasować z dysku pliki i foldery, które podkreśliłem na czerwono
Dokończyć skanerami online - Scanery do wyboru
Pokazać nowy log

Elite Toolbar Remover Program uruchamiamy w trybie awaryjnym i klikamy Kill Elite Toolbar

Usuwanie msupdate32.exe / msnethlp32.exe - http://www.searchengines.pl/phpbb203/in ... ntry204512

Sp2 koniecznie!