Please take a look - my log
Logfile of HijackThis v1.97.7
Scan saved at 11:04:06, on 2005-08-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\PWN\Definicje\Bin\Starter.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\??rvices.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ldua\peti.exe
C:\Program Files\AdTools Service\AdTools.exe
C:\Program Files\AdTools Service\AdToolsKeep.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Kerio\Personal Firewall\PERSFW.EXE
C:\Program Files\BitComet\BitComet.exe
C:\Documents and Settings\puupa\Pulpit\Nowy folder\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Free - {2EF37A01-884F-11d5-AC99-B112050ECB4F} - C:\Program Files\Popup Free\htmledit.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DemonStarter] C:\Program Files\PWN\Definicje\Bin\Starter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [CleanUp] C:\DOCUME~1\puupa\USTAWI~1\Temp\200582310156_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\puupa\USTAWI~1\Temp\200582310154_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [Zmx] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Tadu] C:\Program Files\ldua\peti.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\adsuntdt.mht!http://adextension.com/ext2/lca.chm::/Bridge-c139.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - ms-its:mhtml:file://c:\adsuntdt.mht!http://adextension.com/ext2/mta.chm::/MediaTicketsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Replies: 3
Turn off System Restore
End the processes:
??rvices.exe (in Task Manager you will probably see two services.exe; end the one started by the user, not by SYSTEM)
peti.exe
AdTools.exe
AdToolsKeep.exe
Empty Temp
Fix the bolded entries; delete the files and folders from disk:
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [CleanUp] C:\DOCUME~1\puupa\USTAWI~1\Temp\200582310156_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\puupa\USTAWI~1\Temp\200582310154_mcinfo.exe /insfin
O4 - HKCU\..\Run: [Zmx] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [Tadu] C:\Program Files\ldua\peti.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\adsuntdt.mht!http://adextension.com/ext2/lca.chm::/Bridge-c139.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - ms-its:mhtml:file://c:\adsuntdt.mht!http://adextension.com/ext2/mta.chm::/MediaTicketsInstaller.cab
You will recognise the fake services file by its properties; the genuine one is marked by M$.
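The reply above picks its entries out of the log by three structural signals: an autostart pointing into a Temp folder, a file name that imitates services.exe (HijackThis prints characters it cannot display as "?", which is why the lookalike shows as ??rvices.exe), and O16 objects pulled in through an ms-its:/CHM wrapper instead of a plain URL. The script below is an added illustration of that triage and is not part of the thread or of HijackThis; the sample lines are constructed copies modelled on the log, and the heuristics, thresholds and names (CORE_SYSTEM_NAMES, triage, lookalike_of) are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis log format, modelled on the entries the
# reply singles out plus two benign ones for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CleanUp] C:\DOCUME~1\puupa\USTAWI~1\Temp\200582310156_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [Zmx] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [Tadu] C:\Program Files\ldua\peti.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\adsuntdt.mht!http://adextension.com/ext2/lca.chm::/Bridge-c139.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Core Windows process names that malware commonly imitates (assumed list).
CORE_SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
                     "winlogon.exe", "csrss.exe", "smss.exe"}

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>.+)$')


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def exe_path_from_command(cmd: str) -> str:
    """Extract the executable path from a Run command line.
    Handles quoted paths and trailing switches such as '/background'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'^(.*?\.exe)(?:\s.*)?$', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the core system name that `filename` imitates, or None.
    A name of the same length differing in one or two positions counts as a
    lookalike; '?' placeholders and homoglyphs both show up as mismatches."""
    name = filename.lower()
    if name in CORE_SYSTEM_NAMES:
        return None
    for canon in CORE_SYSTEM_NAMES:
        if len(canon) != len(name):
            continue
        mismatches = sum(1 for a, b in zip(name, canon) if a != b)
        if 0 < mismatches <= 2:
            return canon
    return None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the three structural checks to one log line."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        path = exe_path_from_command(m.group("cmd"))
        filename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if re.search(r'\\temp\\', path, re.IGNORECASE):
            reasons.append("autostart runs an executable from a Temp folder")
        canon = lookalike_of(filename)
        if canon:
            reasons.append(f"file name {filename!r} imitates core system process {canon}")
        if "?" in filename or not filename.isascii():
            reasons.append("file name contains non-ASCII or undisplayable characters")
    m16 = O16_RE.match(line)
    if m16:
        url = m16.group("url").lower()
        if url.startswith("ms-its:") or ".chm::" in url:
            reasons.append("DPF object loaded through an ms-its:/CHM wrapper, not a plain HTTP(S) URL")
    return Finding(line, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only flagged entries."""
    return [f for f in (triage_line(l.rstrip()) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

Run as-is, the script flags the Temp-folder autostart, the ??rvices.exe entry (twice: as a services.exe lookalike and for its undisplayable characters) and the ms-its: DPF object, and leaves NeroCheck.exe and the Flash cab alone. Note what it does not catch: peti.exe and AdTools.exe have no structural tell, so the reply identifies them from knowledge of the software, not from the log format. The script is also only a triage aid; confirming which services.exe is genuine still means checking the file's properties and signature, as the reply says.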
ok, sorry
Don't you see the pinned post? :?