Please check my log.

Logfile of HijackThis v1.98.2
Scan saved at 15:13:22, on 2004-12-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\program files\konektortp\konektortp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\Explorer.EXE
C:\Moje dokumenty\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [InteliSys] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [KonektorTP] "c:\program files\konektortp\konektortp.exe" tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz używając Download &Express'a - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB669067-A88D-478B-A714-E5C66EE2B045}: NameServer = 217.30.137.200 217.30.129.149

Replies: 3

You unlock the registry via gpedit.msc, or by removing the relevant value from the key with HJT, i.e.:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1



Disable System Restore

End these processes:
xcrviz.exe
WinCtlAd.exe
systime.exe
msrexe.exe
WinCtlAdAlt.exe
systime.exe
wkssvc.exe
rdgPL10.exe


Get rid of the files/folders and these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4222
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=4222
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: UrlCatcher Class - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll (file missing)
O4 - HKLM\..\Run: [qsecfuetjutf] C:\WINDOWS\System32\xcrviz.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [yemarvd] C:\WINDOWS\System32\yemarvd\sysmon.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [BolSrv32] C:\WINDOWS\bolsrv.exe
O4 - HKLM\..\RunOnce: [tlc] C:\WINDOWS\update13.js
O4 - HKCU\..\Run: [wkssvc] C:\WINDOWS\System32\wkssvc.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://download.tibsystems.com/tl7000.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicUnlimited/ie/Bridge-c106.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {35CC5CB4-3220-34C7-0D37-177E0EB59A8E} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {3CC7614D-9BC9-3B63-7CD7-3A0D413DA533} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - http://www.globalphon.com/dialer/russia.CAB
O16 - DPF: {444CFBDC-DE43-4D46-6E3D-088D6916C78F} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {56BE6CD6-0364-10B7-4782-069B342852F9} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {620708F8-79E0-26AB-4931-01753F154129} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {62AA8E16-6085-7156-C4E4-3F95583E89F1} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
O21 - SSODL: Web Event Logger - {7EFBAEFF-EE02-1333-ABDF-416572E5D639} - C:\WINDOWS\System32\Iieljl32.dll


Re-enable System Restore

Bobi, added 15.12.2004 16:09:56
I would also like my log checked :wink:

Logfile of HijackThis v1.98.2
Scan saved at 14:23:52, on 2004-12-15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\CloneCD\CloneCDTray.exe
C:\Program Files\Media Player Classic\RealPlay.exe
C:\WINDOWS\System32\xcrviz.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\WINDOWS\System32\systime.exe
C:\WINDOWS\System32\msrexe.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\WINDOWS\System32\systime.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wkssvc.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\rdgPL10.exe
D:\Download\Progsy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4222
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=4222
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: UrlCatcher Class - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Media Player Classic\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [qsecfuetjutf] C:\WINDOWS\System32\xcrviz.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [yemarvd] C:\WINDOWS\System32\yemarvd\sysmon.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [BolSrv32] C:\WINDOWS\bolsrv.exe
O4 - HKLM\..\RunOnce: [tlc] C:\WINDOWS\update13.js
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [wkssvc] C:\WINDOWS\System32\wkssvc.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://download.tibsystems.com/tl7000.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicUnlimited/ie/Bridge-c106.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {35CC5CB4-3220-34C7-0D37-177E0EB59A8E} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {3CC7614D-9BC9-3B63-7CD7-3A0D413DA533} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {3E339D3C-4B12-4E8C-A529-9CC4BEEAFD4F} (VacPro.russia_ver3) - http://www.globalphon.com/dialer/russia.CAB
O16 - DPF: {444CFBDC-DE43-4D46-6E3D-088D6916C78F} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {56BE6CD6-0364-10B7-4782-069B342852F9} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {620708F8-79E0-26AB-4931-01753F154129} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {62AA8E16-6085-7156-C4E4-3F95583E89F1} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{064E0050-0907-4782-9919-336AE5592738}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DAD1CED-9015-4CF9-A649-74669D8A23E3}: NameServer = 192.168.12.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{064E0050-0907-4782-9919-336AE5592738}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{064E0050-0907-4782-9919-336AE5592738}: NameServer = 192.168.0.1
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
O21 - SSODL: Web Event Logger - {7EFBAEFF-EE02-1333-ABDF-416572E5D639} - C:\WINDOWS\System32\Iieljl32.dll

Thanks!!! :D

I wanted to remove some of the entries, but I kept getting a message saying: Registry editing has been disabled by your administrator. Where can it be unlocked??

petro, added 15.12.2004 15:27:28
First of all, why are you posting in the XP section when there is a Security section directly tied to HJT log analysis??

Disable System Restore



O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)



O4 - HKLM\..\Run: [InteliSys] C:\WINDOWS\smss.exe
>> the system one lives in system32; get rid of this one both from the log and from the disk

Bobi, added 14.12.2004 16:31:31
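An added triage script, not from this thread, that applies three of the checks the replies rely on to HijackThis-style lines: a core process such as smss.exe launched from outside System32 (the point made in the reply above), O16 ActiveX downloads from a bare IP address or of a raw .exe, and a hosts file moved away from its default System32\drivers\etc location (both flagged in the earlier reply). The sample lines are constructed from entries quoted in the thread.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.98 line format, modelled on entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [InteliSys] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {35CC5CB4-3220-34C7-0D37-177E0EB59A8E} - http://213.159.117.150/1/rdgPL10.exe
O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
""".strip()

# Core processes that legitimately start only from %SystemRoot%\System32.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
DEFAULT_HOSTS_TAIL = ["system32", "drivers", "etc", "hosts"]

RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (.+)$")
DPF_RE = re.compile(r"^O16 - DPF: .+ - (\S+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts file is located at: (.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def first_path(command):
    """Executable path of a Run value: the quoted part if quoted, otherwise the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]

def triage(log_text):
    """Return (line, reason) pairs for entries a log reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        if m := RUN_RE.match(line):
            p = PureWindowsPath(first_path(m.group(1)))
            if p.name.lower() in SYSTEM32_ONLY and p.parent.name.lower() != "system32":
                findings.append((line, f"{p.name} started from {p.parent}, not System32"))
        elif m := DPF_RE.match(line):
            u = urlparse(m.group(1))
            if IPV4_RE.match(u.hostname or "") or u.path.lower().endswith(".exe"):
                findings.append((line, "ActiveX download from a bare IP address or of a raw .exe"))
        elif m := HOSTS_RE.match(line):
            tail = [part.lower() for part in PureWindowsPath(m.group(1)).parts[-4:]]
            if tail != DEFAULT_HOSTS_TAIL:
                findings.append((line, "hosts file moved away from System32\\drivers\\etc"))
    return findings

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {line}")
```

Run it against a saved HijackThis log by passing the file's text to triage(); entries it does not flag still need the usual manual review.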
miklosz69, added 14.12.2004 16:15:18, comments: 3