LOG - please check it


(Wezyr Hiphop) #1
Logfile of HijackThis v1.99.1
Scan saved at 16:17:22, on 06-03-08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IDMAN.EXE
D:\PROGRAMY\ARCAVIR\BIN\ABMENU.EXE
D:\PROGRAMY\GADU-GADU\GG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
D:\PROGRAMY\ARCAVIR\BIN\AVMON.EXE
D:\PROGRAMY\ARCAVIR\BIN\ARCASCAN.EXE
D:\PROGRAMY\ARCAVIR\BIN\NETMONSV.EXE
E:\GRY\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idg.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = HaIPe - HaOPe.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMY\ACROBAT\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM\HDBHO.DLL
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IDMIECC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVMON] D:\Programy\ArcaVir\Bin\AVMon.exe
O4 - HKLM\..\Run: [ABREGMON] D:\PROGRAMY\ARCAVIR\BIN\ABregmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [IDMan] D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IDMAN.EXE /onboot
O4 - HKCU\..\Run: [ABmenu] "D:\Programy\ArcaVir\Bin\ABmenu.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\PROGRAMY\GADU-GADU\GG.EXE" /tray
O8 - Extra context menu item: Download All Links with IDM - D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IEExt.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - E:\GRY\BITSPIRIT\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\idmmbc.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.idg.pl
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O20 - Winlogon Notify: ldr64 - ldr64.dll (file missing)

Thanks


(Gblade) #2

In Safe Mode, with System Restore turned off, delete the entry and the file shown in bold:

Scan with Ewido http://www.ewido.net/en/


(Wezyr Hiphop) #3
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IDMan" = "D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IDMAN.EXE /onboot" ["Internet Download Manager Corp., Tonec Inc. "]
"ABmenu" = ""D:\Programy\ArcaVir\Bin\ABmenu.exe"" ["ArcaBit"]
"Gadu-Gadu" = ""D:\PROGRAMY\GADU-GADU\GG.EXE" /tray" ["sms-express.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"internat.exe" = "internat.exe" [MS]
"SoundMan" = "soundman.exe" ["Avance Logic, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb04.exe" ["HP"]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"AVMON" = "D:\Programy\ArcaVir\Bin\AVMon.exe" ["ArcaBit"]
"ABREGMON" = "D:\PROGRAMY\ARCAVIR\BIN\ABregmon.exe" ["ArcaBit"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRAMY\ACROBAT\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{02DCA195-602B-4B1F-83FF-381B7E804BDB}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\HDBHO.DLL" [null data]
{0055C089-8582-441B-A0BF-17B458C2A3A8}\(Default) = "IDM Helper"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRAMY\INTERNET DOWNLOAD MANAGER\IDMIECC.DLL" ["Internet Download Manager Corp., Tonec Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\nero\neroshx.dll" ["Ahead Software AG"]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
  -> {CLSID}\InProcServer32\(Default) = ""D:\Programy\TuneUp\sdshelex.dll"" ["TuneUp Software GmbH"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXSHLEX.DLL" ["Alcohol Soft Development Team"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVCPL.DLL" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
  -> {CLSID}\InProcServer32\(Default) = ""D:\Programy\TuneUp\sdshelex.dll"" ["TuneUp Software GmbH"]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRAMY\WINACE\arcext.dll" ["e-merge GmbH"]
ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Programy\ArcaVir\Bin\ArcaShl.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
  -> {CLSID}\InProcServer32\(Default) = ""D:\Programy\TuneUp\sdshelex.dll"" ["TuneUp Software GmbH"]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRAMY\WINACE\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Programy\ArcaVir\Bin\ArcaShl.dll" [null data]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRAMY\SPYSWE~1\SSCTXMNU.DLL" ["Webroot Software, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\XP1.BMP"


WINSTART.BAT contents:
----------------------

@ECHO OFF


Enabled Scheduled Tasks:
------------------------

"Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [MS]
"ArcaUpdate" -> launches: "D:\Programy\ArcaVir\bin\arcaupdm.exe Task" ["ArcaBit Sp. z o. o."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\SYSTEM\idmmbc.dll [null data], 01 - 04, 11
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 05
C:\WINDOWS\SYSTEM\msafd.dll [MS], 06 - 08
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{E3ADBD6D-F5CF-C4AE-3B3A-CF2B795733B6}\ = "Pasek wyszukiwania"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\BROWSEUI.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\Version = (invalid data)
The Internet Explorer version cannot be found!

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
The contents of IERESET.INF cannot be reliably checked!

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.idg.pl
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/WINDOWS/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
TH179175F1SX\Driver = "hpzpom04.dll" ["Hewlett Packard"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 22 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 18 seconds.
---------- (total run time: 58 seconds)

(Gblade) #4

It's OK :wink:


(Wezyr Hiphop) #5

Thank you very much :slight_smile:


(Kuz5) #6

As far as I know, HiDownload contains spyware, so remove:

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG and run it in Safe Mode