Logfile of HijackThis v1.99.1 Scan saved at 09:30:14, on 2006-08-15 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\WINDOWS\system32\crypserv.exe C:\Program Files\Network Monitor\netmon.exe c:\fotowin\RTETPISv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\SYSTEM32\rundll32.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\ShareDLL\CtNotify.exe C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE C:\Program Files\Creative\ShareDLL\MediaDet.Exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Winamp\Winampa.exe C:\Program Files\Ahead\InCD\InCD.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\dfndrfg_7.exe C:\kybrdff_7.exe C:\Program Files\ipwins\ipwins.exe D:\Program Files\BearShare\BearShare.exe C:\nwnmfg_7.exe D:\Program Files\cfos\cFosDNT.exe C:\WINDOWS\system32\ctfmon.exe D:\Program Files\Gadu-Gadu\gg.exe D:\Program Files\K-litePro\K-litePro.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\NoAds\NoAds.exe C:\Program Files\TClock\TClock.exe D:\Install.prg\winzip801\WZQKPICK.EXE C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\GI\USTAWI~1\Temp\Rar$EX00.003\HijackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE R1 - 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll (file missing) O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing) O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing) O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O4 - HKLM…\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe O4 - HKLM…\Run: [updReg] C:\WINDOWS\Updreg.exe O4 - HKLM…\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM…\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE O4 - HKLM…\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\Winampa.exe” O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [RavTimeXP] C:\WINDOWS\Mstray.exe O4 - HKLM…\Run: [autoclk] autoclk.exe O4 - HKLM…\Run: [adiras] adiras.exe O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 
- HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto O4 - HKLM…\Run: [defender] C:\dfndrfg_7.exe O4 - HKLM…\Run: [keyboard] C:\kybrdff_7.exe O4 - HKLM…\Run: [ipWins] C:\Program Files\ipwins\ipwins.exe O4 - HKLM…\Run: [bearShare] “d:\Program Files\BearShare\BearShare.exe” /pause O4 - HKLM…\Run: [gkk5885a] RUNDLL32.EXE w0037d5a.dll,n 002588580000000a0037d5a O4 - HKLM…\Run: [newname] C:\nwnmfg_7.exe O4 - HKLM…\Run: [cFosDNT] D:\Program Files\cfos\cFosDNT.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [NBJ] “C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe” O4 - HKCU…\Run: [NC Scheduler] E:\Norton dobry iso\Norton Utilities Pack 2K6 V3 - CNC\Support\NC\Nc_sched.exe /Hide O4 - HKCU…\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe O4 - HKCU…\Run: [Gadu-Gadu] “D:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe O4 - HKCU…\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe O4 - HKCU…\Run: [shareaza] “d:\Program Files\K-litePro\K-litePro.exe” -tray O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [NoAds] “C:\Program Files\NoAds\NoAds.exe” O4 - Global Startup: WinZip Quick Pick.lnk = D:\Install.prg\winzip801\WZQKPICK.EXE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program 
Files\Messenger\msmsgs.exe (file missing) O17 - HKLM\System\CCS\Services\Tcpip…{5308D23E-9A7E-48F4-AC72-9CAA47CEDFC8}: NameServer = 194.204.152.34 217.98.63.164 O17 - HKLM\System\CCS\Services\Tcpip…{98A26C57-DFE8-4AAE-93A0-8E8F165D8CCF}: NameServer = 194.204.152.34,194.204.159.1 O17 - HKLM\System\CS2\Services\Tcpip…{5308D23E-9A7E-48F4-AC72-9CAA47CEDFC8}: NameServer = 194.204.152.34 217.98.63.164 O20 - AppInit_DLLs: pushow66.dll O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\j44o0eh3eh4.dll O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R0k\command.exe (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - mksmonsv.exe\mksmonsv.exe (file missing) O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing) O23 - Service: RTE : TAPI (RTETAPIService) - RTE Software - c:\fotowin\RTETPISv.exe
I'm getting more and more annoying ads. In Control Panel --> Add or Remove Programs I have something called “advertisment” and I can't get rid of it. Please help.
Show the reports and paste the HJT + Silent Runners + L2MFix logs.
“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “{2D6A1601-050F-1045-0116-020724010030}” = ““C:\Program Files\Common Files{2D6A1601-050F-1045-0116-020724010030}\Update.exe” mc-110-12-0000140” [file not found] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “NBJ” = ““C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe”” [“Ahead Software AG”] “NC Scheduler” = “E:\Norton dobry iso\Norton Utilities Pack 2K6 V3 - CNC\Support\NC\Nc_sched.exe /Hide” [file not found] “MSKAGENTEXE” = “C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe” [file not found] “Gadu-Gadu” = ““D:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] “Komunikator” = “C:\Program Files\Tlen.pl\tlen.exe” [file not found] “TClock.exe” = “C:\Program Files\TClock\tclock_install.exe” [null data] “Shareaza” = ““d:\Program Files\K-litePro\K-litePro.exe” -tray” [“K-litePro Development Team”] “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “NoAds” = ““C:\Program Files\NoAds\NoAds.exe”” [“South Bay Software”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Disc Detector” = “C:\Program Files\Creative\ShareDLL\CtNotify.exe” [“Creative Technology Ltd.”] “UpdReg” = “C:\WINDOWS\Updreg.exe” [“Creative Technology Ltd.”] “AHQInit” = “C:\Program Files\Creative\SBLive\Program\AHQInit.exe” [“Creative Technology Ltd”] “AudioHQ” = “C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE” [“Creative Technology Ltd.”] “CTAvTray” = “C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE” [“Creative Technology Ltd.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “HPDJ Taskbar Utility” = 
“C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe” [“HP”] “WinampAgent” = ““C:\Program Files\Winamp\Winampa.exe”” [null data] “InCD” = “C:\Program Files\Ahead\InCD\InCD.exe” [“Ahead Software AG”] “NWEReboot” = (empty string) “RavTimeXP” = “C:\WINDOWS\Mstray.exe” [file not found] “autoclk” = “autoclk.exe” [file not found] “adiras” = “adiras.exe” [file not found] “WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [file not found] “WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”] “TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”] “outlook” = “C:\Program Files\outlook\outlook.exe /auto” [file not found] “defender” = “C:\dfndrfg_7.exe” ["&%&%&%&%%&%&%%&%"] “keyboard” = “C:\kybrdff_7.exe” ["(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)"] “IpWins” = “C:\Program Files\ipwins\ipwins.exe” [null data] “BearShare” = ““d:\Program Files\BearShare\BearShare.exe” /pause” [“Free Peers, Inc.”] “gkk5885a” = “RUNDLL32.EXE w0037d5a.dll,n 002588580000000a0037d5a” [MS] “newname” = “C:\nwnmfg_7.exe” ["&*&$*#&*$&*#&$*&*&$***"] “cFosDNT” = “D:\Program Files\cfos\cFosDNT.exe” [“cFos Software GmbH”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “CTAVTray” = (empty string) HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “D:\INSTALL.PRG\WINZIP~1\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “D:\INSTALL.PRG\WINZIP~1\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79306-84BE-11CE-9641-444553540000}” = 
“WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “D:\INSTALL.PRG\WINZIP~1\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “D:\INSTALL.PRG\WINZIP~1\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] “{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play” -> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play” \InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS] “{00020000-0000-1011-8004-0000C06B5161}” = “WIBU-SYSTEMS Shell Extension” -> {HKLM…CLSID} = “WIBU-SYSTEMS Shell Extension” \InProcServer32(Default) = “C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll” [“WIBU-SYSTEMS AG”] “{8e9d6600-f84a-11ce-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Objects” \InProcServer32(Default) = “nwprovau.dll” [MS] “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] “{52c68510-09a0-11cf-8daa-00aa004a5691}” = “Shell extensions for NetWare” -> {HKLM…CLSID} = “NetWare Hood Verbs” \InProcServer32(Default) = “nwprovau.dll” [MS] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW” -> {HKLM…CLSID} = “Shell Extension for CDRW” \InProcServer32(Default) = “C:\Program Files\Ahead\InCD\incdshx.dll” [“Ahead Software AG”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = 
“C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{e82a2d71-5b2f-43a0-97b8-81be15854de8}” = “ShellLink for Application References” -> {HKLM…CLSID} = “ShellLink for Application References” \InProcServer32(Default) = “C:\WINDOWS\system32\dfshim.dll” [MS] “{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}” = “Shell Icon Handler for Application References” -> {HKLM…CLSID} = “Shell Icon Handler for Application References” \InProcServer32(Default) = “C:\WINDOWS\system32\dfshim.dll” [MS] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “d:\Program Files\Real\RealPlayer\rpshell.dll” [file not found] “{5AD3FB6C-E0AA-4413-8CC5-284481F05164}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\daskperf.dll” [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING! “AppInit_DLLs” = “pushow66.dll” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! 
ShellScrap\DLLName = “C:\WINDOWS\system32\j44o0eh3eh4.dll” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {00020000-0000-1011-8004-0000C06B5161}(Default) = (no title provided) -> {HKLM…CLSID} = “WIBU-SYSTEMS Shell Extension” \InProcServer32(Default) = “C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll” [“WIBU-SYSTEMS AG”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “D:\INSTALL.PRG\WINZIP~1\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “D:\INSTALL.PRG\WINZIP~1\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NetWareUNCMenu(Default) = “{e3f2bac0-099f-11cf-8daa-00aa004a5691}” -> {HKLM…CLSID} = “NetWare UNC Folder Menu” \InProcServer32(Default) = “nwprovau.dll” [MS] WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}” -> {HKLM…CLSID} = “WinZip” \InProcServer32(Default) = “D:\INSTALL.PRG\WINZIP~1\WZSHLSTB.DLL” [“WinZip Computing, Inc.”] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\GI\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “GI” & “All Users” startup folders: ---------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “WinZip Quick Pick” -> shortcut to: “D:\Install.prg\winzip801\WZQKPICK.EXE” [“WinZip Computing, Inc.”] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W” [empty string] Winsock2 
Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ “{44BE0690-5429-47F0-85BB-3FFD8020233E}” = “44BE0690-5429-47f0-85BB-3FFD8020233E” -> {HKLM…CLSID} = “UCmore XP - The Search Accelerator” \InProcServer32(Default) = “C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll” [file not found] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! 
Inc.”] “{2D51D869-C36B-42BD-AE68-0A81BC771FA5}” -> {HKLM…CLSID} = “Starware” \InProcServer32(Default) = “C:\Program Files\Starware\bin\Starware.dll” [file not found] “{86227D9C-0EFE-4F8A-AA55-30386A3F5686}” -> {HKLM…CLSID} = “YourSiteBar” \InProcServer32(Default) = “C:\Program Files\YourSiteBar\ysb.dll” [file not found] “{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}” -> {HKLM…CLSID} = “ToolBar888” \InProcServer32(Default) = “C:\Program Files\ToolBar888\MyToolBar.dll” [file not found] “{44BE0690-5429-47F0-85BB-3FFD8020233E}” -> {HKLM…CLSID} = “UCmore XP - The Search Accelerator” \InProcServer32(Default) = “C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll” [file not found] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] “{86227D9C-0EFE-4F8A-AA55-30386A3F5686}” = (no title provided) -> {HKLM…CLSID} = “YourSiteBar” \InProcServer32(Default) = “C:\Program Files\YourSiteBar\ysb.dll” [file not found] “{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}” = (no title provided) -> {HKLM…CLSID} = “ToolBar888” \InProcServer32(Default) = “C:\Program Files\ToolBar888\MyToolBar.dll” [file not found] “{44BE0690-5429-47F0-85BB-3FFD8020233E}” = “UCmore - The Search Accelerator” -> {HKLM…CLSID} = “UCmore XP - The Search Accelerator” \InProcServer32(Default) = “C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll” [file not found] “{37B85A29-692B-4205-9CAD-2626E4993404}” = (no title provided) -> {HKLM…CLSID} = “My Global Search Bar” \InProcServer32(Default) = “C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”] Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = 
“C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{2D51D869-C36B-42BD-AE68-0A81BC771FA5}(Default) = “Starware” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\Program Files\Starware\bin\Starware.dll” [file not found] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{7BED0340-176B-44BC-915E-C21C1DD6F617}(Default) = “Starware” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Starware\bin\Starware.dll” [file not found] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ Missing lines (compared with English-language version): “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Agent SAP, NwSapAgent, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\ipxsap.dll” [MS]} Creative Service for CDROM Access, Creative Service for CDROM Access, “C:\WINDOWS\system32\CTsvcCDA.EXE” [“Creative Technology Ltd”] Crypkey License, Crypkey License, “crypserv.exe” [“Kenonic Controls Ltd.”] InCD Helper, InCDsrv, “C:\Program Files\Ahead\InCD\InCDsrv.exe” [“Ahead Software AG”] Network Monitor, Network 
Monitor, “C:\Program Files\Network Monitor\netmon.exe service” [null data] RTE : TAPI, RTETAPIService, ““c:\fotowin\RTETPISv.exe”” [“RTE Software”] Usługa klienta dla systemu NetWare, NWCWorkstation, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\nwwks.dll” [MS]} WMDM PMSP Service, WMDM PMSP Service, “C:\WINDOWS\system32\MsPMSPSv.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzlnt04\Driver = “hpzlnt04.dll” [“HP”]
Unfortunately SmitFraudFix won't work for me :/
Myszak
(Myszonus)
15 August 2006 21:15
#4
And why? Did you run it in Safe Mode?
mastah, stop preaching heresies :x
sdar
(sdar)
15 August 2006 21:25
#5
mastah - practise on your own computer before you start giving “advice” here
sdar
(sdar)
15 August 2006 21:37
#6
If you have any doubts, take it to PM. The next “unproductive” post will end with a souvenir under your avatar.
Change or remove your signature. Not all words are allowed on this forum.
system
(system)
15 August 2006 21:46
#7
As above.
If you consider the word /censored/ offensive or insulting to you, then sorry.
Myszak
(Myszonus)
15 August 2006 21:46
#8
smigacz666:
Start --> Run --> services.msc --> stop and disable the service: Network Monitor.
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM…\Run: [RavTimeXP] C:\WINDOWS\Mstray.exe
O4 - HKLM…\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM…\Run: [defender] C:\dfndrfg_7.exe
O4 - HKLM…\Run: [keyboard] C:\kybrdff_7.exe
O4 - HKLM…\Run: [ipWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM…\Run: [gkk5885a] RUNDLL32.EXE w0037d5a.dll,n 002588580000000a0037d5a
O4 - HKLM…\Run: [newname] C:\nwnmfg_7.exe
O20 - AppInit_DLLs: pushow66.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
Boot into Safe Mode and turn off System Restore.
Delete the files/folders marked in red from the disk.
Delete the entries with HijackThis.
Use SmitFraudFix – here is the description. --> read carefully how to use option number 2.
Post a log from Silent Runners.
Start --> Run --> cmd :
Use the Look2Me-Destroyer tool (download it and run it in Safe Mode); after using this tool, post a log from L2MFix (install --> run --> choose the option to create a log (no. 1)).
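A small triage helper for the HijackThis log format pasted in this thread, added here as an example; it is not part of the thread, of HijackThis, or of any of the tools named above. The sample entries are copied from the log above, and the heuristics it applies (an autorun executable sitting in the drive root, rundll32 loading a DLL by bare name, a non-empty AppInit_DLLs value, a Winlogon Notify package, a service with no publisher, and orphaned "(file missing)" references) are assumptions chosen to mirror what the helper flagged, not HijackThis's own rules.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format. The entries are copied from the
# log posted in this thread, plus two benign vendor entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [defender] C:\dfndrfg_7.exe
O4 - HKLM\..\Run: [gkk5885a] RUNDLL32.EXE w0037d5a.dll,n 002588580000000a0037d5a
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll (file missing)
O20 - AppInit_DLLs: pushow66.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\j44o0eh3eh4.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

# "O4 - <body>", "O20 - <body>", "R1 - <body>" and so on.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# HijackThis writes "HKLM\..\Run:"; the forum paste above renders it as "HKLM…\Run:",
# so both spellings are accepted.
RUN_RE = re.compile(r"^(?P<hive>HK\w+)(?:\\\.\.|…)\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An executable directly under the drive root (C:\foo.exe), with no folder.
DRIVE_ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\[^\\"]+\.(?:exe|com|scr|bat|pif)"?(?:\s|$)', re.IGNORECASE)
# rundll32 <dll>,<export> ...
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+)", re.IGNORECASE)


@dataclass
class Finding:
    code: str
    severity: str  # "suspicious" (act on it) or "review" (look at it)
    reason: str
    entry: str


def triage_entry(line):
    """Classify one HijackThis log line; returns a Finding or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if body.endswith("(file missing)"):
        return Finding(code, "review", "orphaned entry: the referenced file no longer exists", line)
    if code == "O4":
        r = RUN_RE.match(body)
        if r:
            cmd = r.group("cmd")
            if DRIVE_ROOT_EXE_RE.match(cmd):
                return Finding(code, "suspicious", "autorun executable sitting in the drive root", line)
            d = RUNDLL_RE.match(cmd)
            if d and "\\" not in d.group("dll"):
                return Finding(code, "suspicious", "rundll32 loads a DLL by bare name from the search path", line)
    elif code == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            return Finding(code, "suspicious", "AppInit_DLLs injects this DLL into every user-mode process", line)
        if body.startswith("Winlogon Notify:"):
            return Finding(code, "review", "Winlogon Notify package runs inside winlogon.exe at logon", line)
    elif code == "O23" and "- Unknown owner -" in body:
        return Finding(code, "review", "service binary carries no publisher information", line)
    return None


def triage(log_text):
    """Run triage_entry over a whole pasted log and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        f = triage_entry(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>10}] {f.code}: {f.reason}\n             {f.entry}")
```

Entries marked "suspicious" are the ones a helper would ask to have removed in Safe Mode; "review" entries need a look at the file (publisher, location) before deciding.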
smigacz666
(Smigacz666)
17 August 2006 21:25
#10
SmitFraudFix won't run for me; I removed those files/folders with HijackThis and used Look2Me-Destroyer, and now everything is fine, thanks. I'm still afraid I might have some trojan; above I posted my logs from Silent Runners, HijackThis and Look2Me-Destroyer.
smigacz666
(Smigacz666)
17 August 2006 21:48
#12
And are the logs I posted above wrong? They're one below the other.
Myszak
(Myszonus)
17 August 2006 21:50
#13
smigacz666, you need to post the logs after removing what you were asked to remove.