kaczor0
(M Kupczynas)
3 March 2006 21:25
#1
Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 22:17:49, on 2006-03-03
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Konnekt\konnekt.exe
C:\WINDOWS\explorer.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Peer2Mail\P2M.exe
C:\Documents and Settings\Maciek\Dane aplikacji\Microsoft\Internet Explorer\Quick Launch\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optimus.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optimus.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FiltrateIE Class - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\System32\safeie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O8 - Extra context menu item: &Ściągnij wszystko za pomocą WellGeta - E:\Program Files\WellGet\nxall.htm
O8 - Extra context menu item: Ściągnij za pomocą &WellGeta - E:\Program Files\WellGet\nxcatch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - E:\Program Files\WellGet\WellGet.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.optimus.pl
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Silent:
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{B5D4581D-ED6A-4905-A267-25BAF7BE79C1}\(Default) = "FiltrateIE Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\safeie.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "E:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{A4D78B20-6E05-1069-8758-4E73FD83DEAD}" = "QCopy"
  -> {CLSID}\InProcServer32\(Default) = "dropcpyr.dll" [null data]
"{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {CLSID}\InProcServer32\(Default) = "E:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "E:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "E:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: "]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "C:\WINDOWS\System32\wmfhotfix.dll" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.exe e" [file not found], [MS], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {CLSID}\InProcServer32\(Default) = "E:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "E:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
XPTools\(Default) = "{23F2DE6C-2C3F-4F95-B16A-56714C6FAAF4}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\context.dll" ["SuperLogix"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {CLSID}\InProcServer32\(Default) = "E:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "E:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {CLSID}\InProcServer32\(Default) = "E:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
XPTools\(Default) = "{23F2DE6C-2C3F-4F95-B16A-56714C6FAAF4}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\context.dll" ["SuperLogix"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Maciek\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{35980F6E-A258-4E50-953D-813BB8556899}\
"ButtonText" = "WellGet"
"Exec" = "E:\Program Files\WellGet\WellGet.exe" [empty string]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[strings]: START_PAGE_URL=http://www.optimus.pl

Missing lines (compared with English-language version):
[strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 242 seconds, including 3 seconds for message boxes)
The computer is sluggish, which gets annoying now and then. It takes a long time to start up and shut down. Adding 512 MB of RAM did not help much. I scanned the computer with Ewido and it removed something from the registry and a few cookies.
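Added example, not part of the original post and not code from HijackThis or Silent Runners: a small Python triage that reads the O-lines of a log in the format posted above and pulls out the entries a reviewer looks at first. The rules are this editor's heuristics, not the tool's verdicts, and the sample is a constructed subset of lines copied from the log above: the AppInit_DLLs value (a DLL loaded into every process that maps user32.dll), a Winlogon Notify package whose DLL is gone (an orphan, usually from an uninstalled product), a service whose binary carries no company string, and a BHO whose DLL sits in the Windows system directory instead of its program folder. A hit is a review item, not a conviction; the thread itself treats the BootExecute leftover as cosmetic.

```python
import re
from dataclasses import dataclass

# Constructed sample: O-lines in HijackThis 1.99 format, copied from the log
# above (only the lines the rules below care about). The "(file missing)" and
# "Unknown owner" annotations are HijackThis' own.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O2 - BHO: FiltrateIE Class - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\\WINDOWS\\System32\\safeie.dll
O20 - AppInit_DLLs: C:\\WINDOWS\\System32\\wmfhotfix.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\System32\\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
"""

# "O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)"
#  code   kind             payload
LINE_RE = re.compile(r"^(?P<code>O\d{1,2}) - (?P<kind>[^:]+): ?(?P<payload>.*)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    code: str
    reason: str
    payload: str


def parse(log_text):
    """Yield (line_no, code, kind, payload) for every O-line; skip the rest."""
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if m:
            yield n, m["code"], m["kind"].strip(), m["payload"].strip()


def triage(log_text):
    """Return the entries worth a second look, in log order, each with a reason."""
    findings = []
    for n, code, kind, payload in parse(log_text):
        # The file path, when present, is the last " - " separated field.
        path = payload.rsplit(" - ", 1)[-1]
        if kind == "AppInit_DLLs" and payload:
            findings.append(Finding(n, code, "AppInit_DLLs is set: this DLL is loaded into every process that "
                                    "maps user32.dll; verify its publisher and hash", payload))
        elif kind == "Winlogon Notify" and "(file missing)" in payload:
            findings.append(Finding(n, code, "Winlogon Notify package points at a DLL that no longer exists "
                                    "(orphan, usually an uninstalled product); remove the entry", payload))
        elif kind == "Service" and "Unknown owner" in payload:
            findings.append(Finding(n, code, "service binary has no company string; confirm what installed it",
                                    payload))
        elif kind == "BHO" and re.search(r"\\windows\\system32\\", path, re.I):
            findings.append(Finding(n, code, "BHO DLL lives in the Windows system directory rather than its "
                                    "program folder; check who signed it", payload))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} {f.code}: {f.reason}\n    {f.payload}")
```

The heuristics deliberately key on what HijackThis already prints (the `(file missing)` and `Unknown owner` annotations, the path) so the script needs nothing but the pasted log; confirming a flagged file still means checking its signature and hash on the machine.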
Delete this in HijackThis:
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.exe e" [file not found], [MS], [file not found], [file not found], [file not found]
[Go to the key] autocheck autochk *
XP optimization
Install SP2 and some antivirus (e.g. the free Avast)
Gutek
(Gutek)
3 March 2006 22:42
#3
If you uninstalled SpySweeper, remove this entry too.
Open the registry editor (Start >>> Run >>> regedit) and go to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager. There, double-click the BootExecute value and remove everything from the box except autocheck autochk *.
kaczor0
(M Kupczynas)
3 March 2006 22:45
#4
Thanks for checking!
And by the way:
does this have anything to do with a virus?
Gutek
(Gutek)
3 March 2006 22:54
#5
let's call it cosmetics - something may have got left behind in BootExecute - it shouldn't