wezyr
(Wezyr Hiphop)
#1
Logfile of HijackThis v1.99.1
Scan saved at 16:17:22, on 06-03-08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IDMAN.EXE
D:\PROGRAMY\ARCAVIR\BIN\ABMENU.EXE
D:\PROGRAMY\GADU-GADU\GG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
D:\PROGRAMY\ARCAVIR\BIN\AVMON.EXE
D:\PROGRAMY\ARCAVIR\BIN\ARCASCAN.EXE
D:\PROGRAMY\ARCAVIR\BIN\NETMONSV.EXE
E:\GRY\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idg.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = HaIPe - HaOPe.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMY\ACROBAT\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM\HDBHO.DLL
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IDMIECC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVMON] D:\Programy\ArcaVir\Bin\AVMon.exe
O4 - HKLM\..\Run: [ABREGMON] D:\PROGRAMY\ARCAVIR\BIN\ABregmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [IDMan] D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IDMAN.EXE /onboot
O4 - HKCU\..\Run: [ABmenu] "D:\Programy\ArcaVir\Bin\ABmenu.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\GADU-GADU\GG.EXE" /tray
O8 - Extra context menu item: Download All Links with IDM - D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IEExt.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - E:\GRY\BITSPIRIT\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\idmmbc.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.idg.pl
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O20 - Winlogon Notify: ldr64 - ldr64.dll (file missing)
Dzięki
W trybie awaryjnym z wyłączonym przywracaniem systemu usuń wpis i pogrubiony plik:
Przeskanuj Ewido http://www.ewido.net/en/
wezyr
(Wezyr Hiphop)
#3
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IDMan" = "D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IDMAN.EXE /onboot" ["Internet Download Manager Corp., Tonec Inc. "]
"ABmenu" = ""D:\Programy\ArcaVir\Bin\ABmenu.exe"" ["ArcaBit"]
"Gadu-Gadu" = ""D:\PROGRAMY\GADU-GADU\GG.EXE" /tray" ["sms-express.com"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"internat.exe" = "internat.exe" [MS]
"SoundMan" = "soundman.exe" ["Avance Logic, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb04.exe" ["HP"]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"AVMON" = "D:\Programy\ArcaVir\Bin\AVMon.exe" ["ArcaBit"]
"ABREGMON" = "D:\PROGRAMY\ARCAVIR\BIN\ABregmon.exe" ["ArcaBit"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAMY\ACROBAT\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{02DCA195-602B-4B1F-83FF-381B7E804BDB}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\HDBHO.DLL" [null data]
{0055C089-8582-441B-A0BF-17B458C2A3A8}\(Default) = "IDM Helper"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IDMIECC.DLL" ["Internet Download Manager Corp., Tonec Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\nero\neroshx.dll" ["Ahead Software AG"]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {CLSID}\InProcServer32\(Default) = ""D:\Programy\TuneUp\sdshelex.dll"" ["TuneUp Software GmbH"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXSHLEX.DLL" ["Alcohol Soft Development Team"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVCPL.DLL" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {CLSID}\InProcServer32\(Default) = ""D:\Programy\TuneUp\sdshelex.dll"" ["TuneUp Software GmbH"]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAMY\WINACE\arcext.dll" ["e-merge GmbH"]
ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programy\ArcaVir\Bin\ArcaShl.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {CLSID}\InProcServer32\(Default) = ""D:\Programy\TuneUp\sdshelex.dll"" ["TuneUp Software GmbH"]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAMY\WINACE\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programy\ArcaVir\Bin\ArcaShl.dll" [null data]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRAMY\SPYSWE~1\SSCTXMNU.DLL" ["Webroot Software, Inc."]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\XP1.BMP"
WINSTART.BAT contents:
----------------------
@ECHO OFF
Enabled Scheduled Tasks:
------------------------
"Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [MS]
"ArcaUpdate" -> launches: "D:\Programy\ArcaVir\bin\arcaupdm.exe Task" ["ArcaBit Sp. z o. o."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\SYSTEM\idmmbc.dll [null data], 01 - 04, 11
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 05
C:\WINDOWS\SYSTEM\msafd.dll [MS], 06 - 08
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 09 - 10
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
Dormant Explorer Bars in "View, Explorer Bar" menu
HKLM\Software\Classes\CLSID\{E3ADBD6D-F5CF-C4AE-3B3A-CF2B795733B6}\ = "Pasek wyszukiwania"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\BROWSEUI.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL" ["Sun Microsystems, Inc."]
Miscellaneous IE Hijack Points
------------------------------
HKLM\Software\Microsoft\Internet Explorer\Version = (invalid data)
The Internet Explorer version cannot be found!
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
The contents of IERESET.INF cannot be reliably checked!
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.idg.pl
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
Missing lines (compared with English-language version):
[Strings]: 2 lines
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/WINDOWS/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
TH179175F1SX\Driver = "hpzpom04.dll" ["Hewlett Packard"]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 22 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 18 seconds.
---------- (total run time: 58 seconds)
kuz5
(Kuz5)
#6
Z tego co mi wiadomo HiDownload zawiera spyware, więc usuń:
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG i odpal go w trybie awaryjnym