problem z otwieraniem programow i wolna praca

**Posty:** 45 · przez **bieniok** 29 Wrz 2006, 13:27

Prosze o sprawdzenie loga komputer dziala bardzo wolno i nie otwieraja sie programy na dodatek w prawym rogu pojawia sie komunikat komputer zainfekowany na czerwonym tle krzyzyk

Logfile of HijackThis v1.99.1
Scan saved at 12:39:06, on 29-09-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINNT\system32\8haoeobf.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINNT\gytocuv.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINNT\yeail.exe
C:\WINNT\logon.exe
C:\WINNT\system32\cmd32.exe
C:\WINNT\system32\internat.exe
C:\winstall.exe
C:\WINNT\system32\taskdir.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\wojtek\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem303.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [8haoeobf] C:\WINNT\system32\8haoeobf.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [IaGGs] C:\WINNT\gytocuv.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINNT\yeail.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINNT\logon.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SysTime] C:\WINNT\system32\systime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted IP range: 209.8.20.130
O15 - Trusted IP range: 209.8.20.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {00000000-0000-0000-0000-000020050660} - http://207.234.185.217/ABoxInst_int15.exe
O16 - DPF: {00000000-0000-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int20.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c4.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.1.11:4343/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B8C7BB9-9ECD-4A6E-B85E-01980D57CEE9}: NameServer = 192.168.1.11,194.204.159.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.53 85.255.112.95
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = alan.pl
O18 - Filter: text/html - {668A905F-9EC3-4642-B713-5AF6FB5B180B} - C:\WINNT\system32\popemeb.dll
O18 - Filter: text/plain - {668A905F-9EC3-4642-B713-5AF6FB5B180B} - C:\WINNT\system32\popemeb.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINNT\system32\2236_32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe[/code][code][/code]

**Posty:** 8694 · przez **Red** 29 Wrz 2006, 13:36

prosze umiescic log w tagach

**Posty:** 45 · przez **bieniok** 29 Wrz 2006, 13:44

**Posty:** 935 · przez **Aqui** 29 Wrz 2006, 13:47

Jest duzo syfu,zastosuj smitfraudfix z opcjii numer 2 i wroc z 3 logami-
hijackthis,silentrunners,i raport ze smitfraudfix.

**Posty:** 8694 · przez **Red** 29 Wrz 2006, 13:49

wejdz w tryb awaryjny windowsa f8 i usuwasz

C:\WINNT\system32\8haoeobf.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINNT\gytocuv.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINNT\yeail.exe
C:\WINNT\logon.exe
C:\WINNT\system32\cmd32.exe
C:\winstall.exe
C:\WINNT\system32\taskdir.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem303.dll (file missing)
O4 - HKCU\..\Run: [SysTime] C:\WINNT\system32\systime.exe
O15 - Trusted IP range: 209.8.20.130
O15 - Trusted IP range: 209.8.20.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {00000000-0000-0000-0000-000020050660} - http://207.234.185.217/ABoxInst_int15.exe
O16 - DPF: {00000000-0000-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int20.exe
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c4.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.53 85.255.112.95
O18 - Filter: text/html - {668A905F-9EC3-4642-B713-5AF6FB5B180B} - C:\WINNT\system32\popemeb.dll
O18 - Filter: text/plain - {668A905F-9EC3-4642-B713-5AF6FB5B180B} - C:\WINNT\system32\popemeb.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINNT\system32\2236_32.dll

generalnie masakra i komp zasyfiony na maxa.......

usun recznie to co ci pogrubiłem ,zastosuj:
http://www.ewido.net/en/

i po restarcie daj log do kontroli raz jeszcze

**Posty:** 45 · przez **bieniok** 29 Wrz 2006, 14:00

niemoge go wprowadzic w tryb serwisowy miga kursor i tyle

**Posty:** 935 · przez **Aqui** 29 Wrz 2006, 14:09

http://www.ewido.net/en/ tak jak kazal Red i wracasz z logami.

**Posty:** 45 · przez **bieniok** 02 Paź 2006, 10:32

Witam wlasnie udalo mi sie wywalic smieci i zrobile scan do sprawdzenia

Logfile of HijackThis v1.99.1
Scan saved at 10:12:53, on 02-10-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\TEMP\OU4C7C.EXE
C:\WINNT\explorer.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINNT\system32\internat.exe
C:\InfoCom\Manager\manager.exe
C:\InfoCom\Magazyn\magazyn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\wojtek\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00023.exe"
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem303.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [8haoeobf] C:\WINNT\system32\8haoeobf.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [IaGGs] C:\WINNT\gytocuv.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINNT\yeail.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINNT\logon.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00023.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted IP range: 209.8.20.130
O15 - Trusted IP range: 209.8.20.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {00000000-0000-0000-0000-000020050660} - http://207.234.185.217/ABoxInst_int15.exe
O16 - DPF: {00000000-0000-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int20.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c4.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.1.11:4343/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B8C7BB9-9ECD-4A6E-B85E-01980D57CEE9}: NameServer = 192.168.1.11,194.204.159.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.53 85.255.112.95
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = alan.pl
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\system32\aspi29679.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

[code][/code]

**Posty:** 8694 · przez **Red** 02 Paź 2006, 10:35

prosze zastosowac:

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
z opcji 2 uruchamiasz

rowniez prosze zastosowac;

http://downloads.subratam.org/Fixwareout.exe

Odpal je w trybie awaryjnym i postepuj tak jak bedzie cie kierował
wklej wynik na forum

oraz zastosuj:
http://www.ewido.net/en/

usun wszystko co znajdzie

po restarcie dajesz log z hijacka oraz jeszcze jeden log z :

otwierasz link>>> http://www.silentrunners.org/Silent%20Runners.vbs >>zapisujesz jako na pulpicie>>klikasz dwa razy >>masz wybor i wybierasz no>>i czekasz troszke az wygeneruje sie cały log do konca
wrzucasz na forum

**Posty:** 45 · przez **bieniok** 02 Paź 2006, 11:37

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"shell" = ""C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00023.exe"" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"OfficeScanNT Monitor" = ""C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]
"8haoeobf" = "C:\WINNT\system32\8haoeobf.exe" [file not found]
"Internet Optimizer" = ""C:\Program Files\Internet Optimizer\optimize.exe"" [file not found]
"IaGGs" = "C:\WINNT\gytocuv.exe" [file not found]
"SurfAccuracy" = "C:\Program Files\SurfAccuracy\SAcc.exe" [file not found]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]
"ReJf5vH" = "C:\WINNT\yeail.exe" [file not found]
"WinLogon" = "C:\WINNT\logon.exe" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"WatchDog" = "C:\Program Files\mobile PhoneTools\WatchDog.exe" [null data]
"dmlpw.exe" = "C:\WINNT\system32\dmlpw.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00000010-6F7D-442C-93E3-4A4827C2E4C8}\(Default) = (no title provided)
-> {HKLM...CLSID} = "BHObj Class"
\InProcServer32\(Default) = "C:\WINNT\nem220.dll" [file not found]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}\(Default) = (no title provided)
-> {HKLM...CLSID} = "BHObj Class"
\InProcServer32\(Default) = "C:\WINNT\wsem303.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
Kod: Zaznacz wszystko

[ Dodano: Dzisiaj o 11:38 ]
hijack

Logfile of HijackThis v1.99.1
Scan saved at 11:21:05, on 02-10-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\TEMP\GG430B.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\WScript.exe
C:\Documents and Settings\wojtek\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00023.exe"
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem303.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [8haoeobf] C:\WINNT\system32\8haoeobf.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [IaGGs] C:\WINNT\gytocuv.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINNT\yeail.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINNT\logon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00023.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted IP range: 209.8.20.130
O15 - Trusted IP range: 209.8.20.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {00000000-0000-0000-0000-000020050660} - http://207.234.185.217/ABoxInst_int15.exe
O16 - DPF: {00000000-0000-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int20.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c4.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.1.11:4343/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B8C7BB9-9ECD-4A6E-B85E-01980D57CEE9}: NameServer = 192.168.1.11,194.204.159.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.53 85.255.112.95
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = alan.pl
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\system32\aspi29679.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

Kod: Zaznacz wszystko

**Posty:** 8694 · przez **Red** 02 Paź 2006, 11:45

popraw log silent runners, bo jest urwany ,poczekaj do konca skanowania

**Posty:** 45 · przez **bieniok** 02 Paź 2006, 12:00

poprawiony log

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"shell" = ""C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00023.exe"" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"OfficeScanNT Monitor" = ""C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]
"8haoeobf" = "C:\WINNT\system32\8haoeobf.exe" [file not found]
"Internet Optimizer" = ""C:\Program Files\Internet Optimizer\optimize.exe"" [file not found]
"IaGGs" = "C:\WINNT\gytocuv.exe" [file not found]
"SurfAccuracy" = "C:\Program Files\SurfAccuracy\SAcc.exe" [file not found]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]
"ReJf5vH" = "C:\WINNT\yeail.exe" [file not found]
"WinLogon" = "C:\WINNT\logon.exe" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"WatchDog" = "C:\Program Files\mobile PhoneTools\WatchDog.exe" [null data]
"dmlpw.exe" = "C:\WINNT\system32\dmlpw.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00000010-6F7D-442C-93E3-4A4827C2E4C8}\(Default) = (no title provided)
-> {HKLM...CLSID} = "BHObj Class"
\InProcServer32\(Default) = "C:\WINNT\nem220.dll" [file not found]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}\(Default) = (no title provided)
-> {HKLM...CLSID} = "BHObj Class"
\InProcServer32\(Default) = "C:\WINNT\wsem303.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {HKLM...CLSID} = "Microsoft.AntiSpyware.ShellExecuteHook.1"
\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00023.exe"" [MS], [file not found], [file not found], [file not found], [file not found], [file not found]
INFECTION WARNING! "System" = "csyiy.exe" [null data]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\
"Logon" -> launches: "\\alan.pl\sysvol\alan.pl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\Scripts\Logon\checkPC.vbs" [** WMI GetObject error **]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Startup items in "wojtek" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

DameWare Mini Remote Control, DWMRCS, "C:\WINNT\SYSTEM32\DWRCS.EXE -service" ["DameWare Development LLC"]
OfficeScanNT Listener, tmlisten, "C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe" ["Trend Micro Inc."]
OfficeScanNT Personal Firewall, OfcPfwSvc, "C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe" ["Trend Micro Inc."]
OfficeScanNT RealTime Scan, ntrtscan, "C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe" ["Trend Micro Inc."]
System zdarzeń COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 58 seconds, including 4 seconds for message boxes)
[code][/code]

**Posty:** 8694 · przez **Red** 02 Paź 2006, 12:16

otwierasz notatnik windowsa i wklejasz w nim to co ponizej:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"shell"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8haoeobf"=-
"Internet Optimizer"=-
"IaGGs"=-
"SurfAccuracy"=-
"ReJf5vH"=-
"WinLogon"=-
"dmlpw.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe"
"System"=-

Plik >> Zapisz jako, zapisz jako typ: wszystkie pliki, nazwa pliku: Fix.reg
Klikasz dwa razy na powstały plik i potwierdzasz.

w hijacku zafixuj:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem303.dll (file missing)
O4 - HKLM\..\Run: [IaGGs] C:\WINNT\gytocuv.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {00000000-0000-0000-0000-000020050660} - http://207.234.185.217/ABoxInst_int15.exe
O16 - DPF: {00000000-0000-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int20.exe
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c4.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.53 85.255.112.95

**Posty:** 45 · przez **bieniok** 02 Paź 2006, 12:28

Dziekuje zrobilem tak ja mowiles

Podaje jeszcze raz logo:

Logfile of HijackThis v1.99.1
Scan saved at 12:09:57, on 02-10-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\TEMP\GG430B.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\wuauclt.exe
C:\InfoCom\Manager\manager.exe
C:\InfoCom\Magazyn\magazyn.exe
C:\Documents and Settings\wojtek\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted IP range: 209.8.20.130
O15 - Trusted IP range: 209.8.20.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.1.11:4343/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.1.11:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B8C7BB9-9ECD-4A6E-B85E-01980D57CEE9}: NameServer = 192.168.1.11,194.204.159.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alan.pl
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = alan.pl
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\system32\aspi29679.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

[code][/code]

**Posty:** 8694 · przez **Red** 02 Paź 2006, 12:34

zastosuj jeszcze:

FIX

recznie usuniesz:

C:\WINNT\TEMP\GG430B.EXE

pojawiły sie nowe wpisy :

C:\InfoCom\Manager\manager.exe
C:\InfoCom\Magazyn\magazyn.exe

>>>znasz je???

problem z otwieraniem programow i wolna praca

problem z otwieraniem programow i wolna praca

2 scan

Kto jest na forum