andrzej.s
(Andrzej S)
27 Grudzień 2005 14:30
#1
Logfile of HijackThis v1.99.1 Scan saved at 15:20:01, on 2005-12-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\paytime.exe C:\Program Files\Gadu-Gadu\gg.exe C:\winstall.exe C:\WINDOWS\system32\paytime.exe C:\Program Files\Common Files\VCClient\VCClient.exe C:\Program Files\Common Files\VCClient\VCMain.exe C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\IncrediMail\bin\IncMail.exe D:\instalacyjne\hijackthis1.99.1\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: Shell=explorer.exe “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe” O4 - HKLM…\Run: [PayTime] C:\WINDOWS\system32\paytime.exe O4 - HKLM…\Run: [timessquare] C:\windows\timessquare.exe O4 - HKLM…\Run: [NI.UWFX5_0001_N57M2112] “C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\3.tmp” -nag O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [shell] “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe” O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [PayTime] C:\WINDOWS\system32\paytime.exe O4 - HKCU…\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe O4 - HKCU…\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe O4 - HKCU…\Run: [qzmm] C:\PROGRA~1\COMMON~1\qzmm\qzmmm.exe O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Shared … vSniff.cab O16 - DPF: {2DF91772-19DC-47AE-B52F-B8E2FE545625} (Spd2 Class) - http://www.lemontv.pl/lmctrls.cab O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 … scan53.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.113.232.40/activex/AxisCamControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing) O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] “Shell” = ““C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”” [null data] “Windows installer” = “C:\winstall.exe” [null data] “PayTime” = “C:\WINDOWS\system32\paytime.exe” [MS] “CU1” = “C:\Program Files\Common Files\VCClient\VCClient.exe” [null data] “CU2” = “C:\Program Files\Common Files\VCClient\VCMain.exe” [null data] “qzmm” = “C:\PROGRA~1\COMMON~1\qzmm\qzmmm.exe” [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “PayTime” = “C:\WINDOWS\system32\paytime.exe” [MS] “timessquare” = “C:\windows\timessquare.exe” ["."] “NI.UWFX5_0001_N57M2112” = "“C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\3.tmp” -nag " [“WinSoftware Ltd.”] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}(Default) = “Outlook Express” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{E6FB5E20-DE35-11CF-9C87-00AA005127ED}” = “WebCheck” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\xp2767612.dll” [null data] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [file not found] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{54D9498B-CF93-414F-8984-8CE7FDE0D391}” = “ewido shell guard” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\ewido\security suite\shellhook.dll” ["TODO: "] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WebCheck” = “{E6FB5E20-DE35-11CF-9C87-00AA005127ED}” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\xp2767612.dll” [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! “Shell” = “explorer.exe “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”” [MS], [file not found], [file not found], [file not found], [file not found], [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! ssldr\DLLName = “ssldr32.dll” [file not found] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\ewido\security suite\context.dll” [“ewido networks”] IMMenuShellExt(Default) = “{F8984111-38B6-11D5-8725-0050DA2761C4}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\IncrediMail\bin\IMShExt.dll” [“IncrediMail, Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\ewido\security suite\context.dll” [“ewido networks”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies [Description] {enabled Group Policy setting}: ------------------------------------------------------------ HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ HIJACK WARNING! “ForceActiveDesktopOn”=dword:00000001 [enables Active Desktop and prevents disabling it] {User Configuration|Administrative Templates|Desktop|Active Desktop| Enable Active Desktop} HIJACK WARNING! “Wallpaper” = “C:\WINDOWS\desktop.html” [disables the Display Properties|Desktop (tab) (except the “Customize Desktop…” button); selects wallpaper and enables Active Desktop] {User Configuration|Administrative Templates|Desktop|Active Desktop| Active Desktop Wallpaper|Wallpaper Name:} Active Desktop and Wallpaper: ----------------------------- Active Desktop enabled via Group Policy. Wallpaper selected via Group Policy. Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ CA License Client, CA_LIC_CLNT, ““C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe”” [“Computer Associates International Inc.”] Event Log Watch, LogWatch, ““C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe”” [“Computer Associates”] ewido security suite control, ewido security suite control, “C:\Program Files\ewido\security suite\ewidoctrl.exe” [“ewido networks”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 123 seconds, including 18 seconds for message boxes)
Złączono Posta : 27.12.2005 (Wto) 16:31
Witam. Jednak poddaje sie bez walki i poloze nowego windowsa bo ten i tak strasznie zamulal. W kazdym badz radzie dziekuje za zainteresowanie. Przepraszam za klopot i “Do siego roku”.
Gutek
(Gutek)
27 Grudzień 2005 16:29
#2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html F2 - REG:system.ini: Shell=explorer.exe “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe” O4 - HKLM…\Run: [PayTime] C:\WINDOWS\system32\paytime.exe O4 - HKLM…\Run: [timessquare] C:\windows\timessquare.exe O4 - HKLM…\Run: [NI.UWFX5_0001_N57M2112] “C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\3.tmp” -nag O4 - HKCU…\Run: [shell] “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe” O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [PayTime] C:\WINDOWS\system32\paytime.exe O4 - HKCU…\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe O4 - HKCU…\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe O4 - HKCU…\Run: [qzmm] C:\PROGRA~1\COMMON~1\qzmm\qzmmm.exe O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
Wyłączyć Przywracanie systemu w XP TU
Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).
Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte.
Skasować z dysku pliki i foldery, które podkreśliłem na czerwono oraz znajdz jeszcze plik doser.exe-i usuń.
Dokończyć skanerami online - Scanery do wyboru
Pokazać nowy log
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Ustaw rozszerzenie z TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG >>> kliknij podwójnie zrobiony plik i potwierdź >>> reset kompa
Po wszystkim nmowe log-i z Silenta hijacka
andrzej.s
(Andrzej S)
4 Styczeń 2006 10:37
#3
Przeczyscilem system ale wyszlo cos nowego
Logfile of HijackThis v1.99.1 Scan saved at 11:36:02, on 2006-01-04 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\windows\adtech2006a.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\INCRED~1\bin\IncMail.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE D:\instalacyjne\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pajacyk.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [adtech2006] C:\windows\adtech2006a.exe O4 - HKLM…\Run: [winsync] C:\WINDOWS\system32\yyyrqw.exe reg_run O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [incrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Zastanawiaja mnie 2 wpisy:
O4 - HKLM…\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKLM…\Run: [winsync] C:\WINDOWS\system32\yyyrqw.exe reg_run - tego wpisu nie moge znalezc
“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “IncrediMail” = “C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c” [“IncrediMail, Ltd.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe” [“Sun Microsystems, Inc.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “adtech2006” = “C:\windows\adtech2006a.exe” [“ÄÂAIA”] “winsync” = “C:\WINDOWS\system32\yyyrqw.exe reg_run” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{3F6E816B-6A82-488A-B9CC-53BBE655C6FC}” = (no title provided) -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\wT2time.dll” [null data] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ gggtsffq(Default) = “{c38375f0-47a1-4b92-bcf3-e7b9a6d5fd5f}” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\gggrq.dll” [null data] IMMenuShellExt(Default) = “{F8984111-38B6-11D5-8725-0050DA2761C4}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\IncrediMail\bin\IMShExt.dll” [“IncrediMail, Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\andrzejs.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\BUTTER~1.SCR” [file not found] Startup items in “andrzejs” & “All Users” startup folders: ---------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Kalendarz XP” -> shortcut to: “C:\Program Files\Kalendarz XP\Kalendarz.exe” [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 47 seconds, including 6 seconds for message boxes)
Dziekuje za okazana pomoc
jacolok
(Jacolok)
4 Styczeń 2006 18:25
#4
Odznacz hijackiem i usuń plik ręcznie w awaryjnym.
Poczekaj jednak na Gutka2222 bo nie wiem co to za plik yyyrqw.
Gutek
(Gutek)
4 Styczeń 2006 21:28
#5
Użyj Pocket Killbox . Zaznaczasz opcję Delete on Reboot oraz All Files i w polu Full Path of File to Delete wklejasz ścieżki
CC:\windows\adtech2006a.exe
C:\WINDOWS\System32\yyyrqw.exe
i naciskasz X czerwony . Program poprosi o reset kompa … czyli resetujesz.
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Ustaw rozszerzenie z TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG >>> kliknij podwójnie zrobiony plik i potwierdź >>> reset kompa
andrzej.s
(Andrzej S)
5 Styczeń 2006 07:11
#6
Zastosowałem si ę do powyższych rad wklejam loga kontrolnego.
Logfile of HijackThis v1.99.1 Scan saved at 08:12:17, on 2006-01-05 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\INCRED~1\bin\IncMail.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe D:\instalacyjne\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pajacyk.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [incrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.c … hcImpl.cab O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
Gutek
(Gutek)
5 Styczeń 2006 16:04
#8
Panel sterowania >>> Java Plug-in >>> Update >>> odznaczyć Check for updates automatically
Start >>> Uruchom >>> msconfig >>> w zakładce Uruchamianie wyłącz ten wpis.
Panel sterowania >>> Ustawienia regionalne >>> Języki >>> Detale >>> Zaawansowane >>> odznaczyć usługi tekstowe, zrób tak jeżeli nie używasz innych języków przy pisaniu.
XP-Antispy odinstaluj messengera, zaznacz opcję w ustawieniach.
oczyść rejestr programem z vortalu jv16 PowerTools
andrzej.s
(Andrzej S)
10 Styczeń 2006 18:55
#9
Dostanę szału z tym netem
Proszę o sprawdzenie loga.
Logfile of HijackThis v1.99.1 Scan saved at 19:42:25, on 2006-01-10 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RunDll32.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Tlen.pl\tlen.exe C:\Program Files\VoipStunt.com \VoipStunt\VoipStunt.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\DC++\DCPlusPlus.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\tysiek\USTAWI~1\Temp\Rar$EX00.851\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pajacyk.pl/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe O4 - HKLM…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe O4 - HKCU…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe O4 - HKCU…\Run: [VoipStunt] “C:\Program Files\VoipStunt.com \VoipStunt\VoipStunt.exe” -nosplash -minimized O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE O4 - Global Startup: ATI CATALYST – pasek zadań.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … xmk513YYPL O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu … 0.0.15.cab O17 - HKLM\System\CCS\Services\Tcpip…{ECE1B0C2-6C10-4642-955F-BB08049B7358}: NameServer = 212.191.170.2,212.51.192.2 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe