Proszę o sprawdzenie loga, mam trojany

mery · 8 Styczeń 2006 19:40

Mks vir wykrył na moim kompie kilka trojanów usunęłam chyba wszystkie poza trojan.downloader.agent którego nie mogę się pozbyć.

A norton dodatkowo pokazuje że mam bloodhound.w32.ep

Nie wiem co jeszcz zainstalował mi sie na kompie, prosze o sprawdzenie loga i pomoc w sprawie wyżej wymienionych trojanów.

Logfile of HijackThis v1.99.1 Scan saved at 20:43:53, on 2006-01-08 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\inet20001\winlogon.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\System32\MMTray.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\sachostx.exe C:\Program Files\RICOlmer\RICOlmer.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Gadu-Gadu\gg.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\WINDOWS\alt.exe C:\WINDOWS\inet20001\mm4.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\ServicePackFiles\i386\IExplore.exe C:\WINDOWS\System32\sachostw.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\sachostc.exe C:\WINDOWS\System32\sachosts.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\Documents and Settings\agata\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20001\3.00.13.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [MMTray] MMTray.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [TrojanScanner] C:\Program Files\ANTYWIRUSOWE\Trojan Remover\Trjscan.exe O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM…\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [systemLoader] C:\WINDOWS\sysldr32.exe O4 - HKLM…\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s O4 - HKLM…\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe O4 - HKLM…\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s O4 - HKLM…\Run: [HostSrv] C:\WINDOWS\sachostx.exe O4 - HKLM…\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe O4 - HKLM…\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe O4 - HKCU…\Run: [RICOlmer] C:\Program Files\RICOlmer\RICOlmer.exe O4 - HKCU…\Run: [Dzieńdobry!] C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\Powergg.exe” O4 - HKCU…\Run: [sIDEBAR] “C:\Program Files\Desktop Sidebar\dsidebar.exe” O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe O4 - HKCU…\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe O4 - HKCU…\Run: [AlexaToolbar] C:\WINDOWS\alt.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Gutek · 8 Styczeń 2006 20:25

F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20001\3.00.13.dll O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll O4 - HKLM…\Run: [systemLoader] C:\WINDOWS\sysldr32.exe O4 - HKLM…\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s O4 - HKLM…\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe O4 - HKLM…\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s O4 - HKLM…\Run: [HostSrv] C:\WINDOWS\sachostx.exe O4 - HKLM…\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe O4 - HKLM…\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe O4 - HKCU…\Run: [Windows installer] C:\winstall.exe O4 - HKCU…\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe O4 - HKCU…\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe O4 - HKCU…\Run: [AlexaToolbar] C:\WINDOWS\alt.exe

Wyłączyć Przywracanie systemu w XP TU
Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).
Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte.
Skasować z dysku pliki i foldery, które podkreśliłem na czerwono
Dokończyć skanerami online - Scanery do wyboru
Pokazać nowy log

Zastosuj Usuwanie tapety SpySheriff

Usuwanie VX2.BetterInternet i daj log nr 1 z narzędzia L2Mfix

mery · 8 Styczeń 2006 20:46

Mam problem z linkami które podałeś, pokazuje mi się błąd i operacja przerwana

Gutek · 8 Styczeń 2006 20:52

Usuń pliki ręcznie w trybie awaryjnym. Przywracanie nie wiesz jak wyłaczyć i udac sie do awaryjnego?

Ściągnij L2Mfix i daj log nr 1 z narzędzia L2Mfix

Jak masz

wybierasz opcję 1. Run Find Log = odpowiednik tworzenia loga w FindIt. Patrz dalej na LOG NUMER 1. ZAWSZE tego loga macie utworzyć by mi pokazać

na razie wykonaj to co mówie

mery · 8 Styczeń 2006 21:20

L2MFIX find log 010406 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\browsela] “DLLName”=“C:\WINDOWS\system32\browsela.dll” “logoff”=“WACLEventLogoff” “lock”=“WACLEventLock” “logon”=“WACLEventLogon” “startup”=“WACLEventStartup” “shutdown”=“WACLEventShutdown” “startshell”=“WACLEventStartShell” “unlock”=“WACLEventUnlock” “startscreensaver”=“WACLEventStartScreenSaver” “stopscreensaver”=“WACLEventStopScreenSaver” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 “Logoff”=“ChainWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Logoff”=“CryptnetWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] “DLLName”=“cscdll.dll” “Logon”=“WinlogonLogonEvent” “Logoff”=“WinlogonLogoffEvent” “ScreenSaver”=“WinlogonScreenSaverEvent” “Startup”=“WinlogonStartupEvent” “Shutdown”=“WinlogonShutdownEvent” “StartShell”=“WinlogonStartShellEvent” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll] “DllName”=“msctl32.dll” “Startup”=“Startup” “Asynchronous”=dword:00000001 “Impersonate”=dword:00000000 “ExtParam”=hex:14,6a,af,92,64,d3,36,fb,54,99,5b,e6,ce,01,f6,bc [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] “DLLName”=“wlnotify.dll” “Logon”=“SCardStartCertProp” “Logoff”=“SCardStopCertProp” “Lock”=“SCardSuspendCertProp” “Unlock”=“SCardResumeCertProp” “Enabled”=dword:00000001 “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] “Asynchronous”=dword:00000000 “DllName”=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Impersonate”=dword:00000000 “StartShell”=“SchedStartShell” “Logoff”=“SchedEventLogOff” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] “Logoff”=“WLEventLogoff” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 “DllName”=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] “DLLName”=“WlNotify.dll” “Lock”=“SensLockEvent” “Logon”=“SensLogonEvent” “Logoff”=“SensLogoffEvent” “Safe”=dword:00000001 “MaxWait”=dword:00000258 “StartScreenSaver”=“SensStartScreenSaverEvent” “StopScreenSaver”=“SensStopScreenSaverEvent” “Startup”=“SensStartupEvent” “Shutdown”=“SensShutdownEvent” “StartShell”=“SensStartShellEvent” “PostShell”=“SensPostShellEvent” “Disconnect”=“SensDisconnectEvent” “Reconnect”=“SensReconnectEvent” “Unlock”=“SensUnlockEvent” “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] “Asynchronous”=dword:00000000 “DllName”=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Impersonate”=dword:00000000 “Logoff”=“TSEventLogoff” “Logon”=“TSEventLogon” “PostShell”=“TSEventPostShell” “Shutdown”=“TSEventShutdown” “StartShell”=“TSEventStartShell” “Startup”=“TSEventStartup” “MaxWait”=dword:00000258 “Reconnect”=“TSEventReconnect” “Disconnect”=“TSEventDisconnect” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] “DLLName”=“wlnotify.dll” “Logon”=“RegisterTicketExpiredNotificationEvent” “Logoff”=“UnregisterTicketExpiredNotificationEvent” “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] “{00022613-0000-0000-C000-000000000046}”=“Karta waciwoci pliku multimedialnego” “{176d6597-26d3-11d1-b350-080036a75b03}”=“ZarzĄdzanie skanerem ICM” “{1F2E5C40-9550-11CE-99D2-00AA006E086C}”=“Strona zabezpieczeä NTFS” “{3EA48300-8CF6-101B-84FB-666CCB9BCD32}”=“Strona waciwoci OLE Docfile” “{40dd6e20-7c17-11ce-a804-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{41E300E0-78B6-11ce-849B-444553540000}”=“PlusPack CPL Extension” “{42071712-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL karty graficznej” “{42071713-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL monitora wywietlania” “{42071714-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL kadrowania wywietlania” “{4E40F770-369C-11d0-8922-00A024AB2DBB}”=“Strona zabezpieczeä usugi DS” “{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}”=“Strona zgodnoci” “{56117100-C0CD-101B-81E2-00AA004AE837}”=“Program obsugi danych wycinkowych powoki” “{59099400-57FF-11CE-BD94-0020AF85B590}”=“Rozszerzenie Disc Copy” “{59be4990-f85c-11ce-aff7-00aa003ca9f6}”=“Rozszerzenia powoki dla obiekt˘w Microsoft Windows Network” “{5DB2625A-54DF-11D0-B6C4-0800091AA605}”=“ZarzĄdzanie monitorem ICM” “{675F097E-4C4D-11D0-B6C1-0800091AA605}”=“ZarzĄdzanie drukarkĄ ICM” “{764BF0E1-F219-11ce-972D-00AA00A14F56}”=“Rozszerzenia powoki dla kompresji plik˘w” “{77597368-7b15-11d0-a0c2-080036af3f03}”=“Rozszerzenie powoki drukarek sieci Web” “{7988B573-EC89-11cf-9C00-00AA00A14F56}”=“Disk Quota UI” “{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}”=“Menu kontekstowe szyfrowania” “{85BBD920-42A0-1069-A2E4-08002B30309D}”=“Akt˘wka” “{88895560-9AA2-1069-930E-00AA0030EBC8}”=“Rozszerzenie ikony HyperTerminalu” “{BD84B380-8CA2-1069-AB1D-08000948F534}”=“Fonts” “{DBCE2480-C732-101B-BE72-BA78E9AD5B27}”=“Profil ICC” “{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}”=“Strona zabezpieczeä drukarek” “{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{f92e8c40-3d33-11d2-b1aa-080036a75b03}”=“Display TroubleShoot CPL Extension” “{7444C717-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto PKO” “{7444C719-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto Sign” “{7007ACC7-3202-11D1-AAD2-00805FC1270E}”=“PoĄczenia sieciowe” “{992CFFA0-F557-101A-88EC-00DD010CCC48}”=“PoĄczenia sieciowe” “{E211B736-43FD-11D1-9EFB-0000F8757FCD}”="&Skanery i aparaty fotograficzne" “{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}”="&Skanery i aparaty fotograficzne" “{905667aa-acd6-11d2-8080-00805f6596d2}”="&Skanery i aparaty fotograficzne" “{3F953603-1008-4f6e-A73A-04AAC7A992F1}”="&Skanery i aparaty fotograficzne" “{83bbcbf3-b28a-4919-a5aa-73027445d672}”="&Skanery i aparaty fotograficzne" “{F0152790-D56E-4445-850E-4F3117DB740C}”=“Remote Sessions CPL Extension” “{5F327514-6C5E-4d60-8F16-D07FA08A78ED}”=“Auto Update Property Sheet Extension” “{60254CA5-953B-11CF-8C96-00AA00B8708C}”=“Rozszerzenia powoki dla hosta skrypt˘w systemu Windows” “{2206CDB2-19C1-11D1-89E0-00C04FD7A829}”=“Microsoft Data Link” “{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Icon Handler” “{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Shell Extension” “{D6277990-4C6A-11CF-8D87-00AA0060F5BF}”=“Zaplanowane zadania” “{0DF44EAA-FF21-4412-828E-260A8728E7F1}”=“Pasek zadaä i menu Start” “{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}”=“Wyszukaj” “{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}”=“Pomoc i obsuga techniczna” “{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}”=“Pomoc i obsuga techniczna” “{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}”=“Uruchom…” “{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}”=“Internet” “{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}”=“E-mail” “{D20EA4E1-3957-11d2-A40B-0C5020524152}”=“Czcionki” “{D20EA4E1-3957-11d2-A40B-0C5020524153}”=“Narz©dzia administracyjne” “{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}”=“Audio Media Properties Handler” “{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}”=“Video Media Properties Handler” “{E4B29F9D-D390-480b-92FD-7DDB47101D71}”=“Wav Properties Handler” “{87D62D94-71B3-4b9a-9489-5FE6850DC73E}”=“Avi Properties Handler” “{A6FD9E45-6E44-43f9-8644-08598F5A74D9}”=“Midi Properties Handler” “{c5a40261-cd64-4ccf-84cb-c394da41d590}”=“Video Thumbnail Extractor” “{5E6AB780-7743-11CF-A12B-00AA004AE837}”=“Pasek narz©dzi programu Microsoft Internet” “{22BF0C20-6DA7-11D0-B373-00A0C9034938}”=“Stan pobierania” “{91EA3F8B-C99B-11d0-9815-00C04FD91972}”=“Folder powoki zwi©kszonej” “{6413BA2C-B461-11d1-A18A-080036B11A03}”=“Folder powoki zwi©kszonej 2” “{F61FFEC1-754F-11d0-80CA-00AA005B4383}”=“BandProxy” “{7BA4C742-9E81-11CF-99D3-00AA004AE837}”=“Pasek przeglĄdarki Microsoft” “{30D02401-6A81-11d0-8274-00C04FD5AE38}”=“Pasek wyszukiwania” “{32683183-48a0-441b-a342-7c2a440a9478}”=“Pasek multimedi˘w” “{169A0691-8DF9-11d1-A1C4-00C04FD75D13}”=“Wyszukiwanie w okienku” “{07798131-AF23-11d1-9111-00A0C98BA67D}”=“Wyszukiwanie w sieci Web” “{AF4F6510-F982-11d0-8595-00AA004CD6D8}”=“Narz©dzie opcji drzewa rejestru” “{01E04581-4EEE-11d0-BFE9-00AA005B4383}”="&Adres" “{A08C11D2-A228-11d0-825B-00AA005B4383}”=“Pole edycji adresu” “{00BB2763-6A77-11D0-A535-00C04FD7D062}”=“Autouzupenianie Microsoft” “{7376D660-C583-11d0-A3A5-00C04FD706EC}”=“Wyodr©bnianie obraz˘w Trident” “{6756A641-DE71-11d0-831B-00AA005B4383}”=“Lista autouzupeniania MRU” “{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}”=“Niestandardowa lista autouzupeniania MRU” “{7e653215-fa25-46bd-a339-34a2790f3cb7}”=“Dost©pny” “{acf35015-526e-4230-9596-becbe19f0ac9}”=“Pasek podr©czny ledzenia” “{E0E11A09-5CB8-4B6C-8332-E00720A168F2}”=“Analizator paska adresu” “{00BB2764-6A77-11D0-A535-00C04FD7D062}”=“Lista autouzupeniania historii Microsoft” “{03C036F1-A186-11D0-824A-00AA005B4383}”=“Lista autouzupeniania folderu powoki Microsoft” “{00BB2765-6A77-11D0-A535-00C04FD7D062}”=“Kontener wielu list autouzupeniania Microsoft” “{ECD4FC4E-521C-11D0-B792-00A0C90312E1}”=“Menu witryny paska powoki” “{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}”=“Shell DeskBarApp” “{ECD4FC4C-521C-11D0-B792-00A0C90312E1}”=“Pasek pulpitu powoki” “{ECD4FC4D-521C-11D0-B792-00A0C90312E1}”=“Shell Rebar BandSite” “{DD313E04-FEFF-11d1-8ECD-0000F87A470C}”=“Pomoc dla uľytkownika” “{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}”=“Globalne ustawienia folder˘w” “{EFA24E61-B078-11d0-89E4-00C04FC9E26E}”=“Favorites Band” “{0A89A860-D7B1-11CE-8350-444553540000}”=“Shell Automation Inproc Service” “{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}”=“Shell DocObject Viewer” “{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}”=“Microsoft Browser Architecture” “{FBF23B40-E3F0-101B-8488-00AA003E56F8}”=“InternetShortcut” “{3C374A40-BAE4-11CF-BF7D-00AA006946EE}”=“Microsoft Url History Service” “{FF393560-C2A7-11CF-BFF4-444553540000}”=“Historia” “{7BD29E00-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{7BD29E01-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{CFBFAE00-17A6-11D0-99CB-00C04FD64497}”=“Microsoft Url Search Hook” “{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}”=“Ekran powitalny pakietu IE4” “{67EA19A0-CCEF-11d0-8024-00C04FD75D13}”=“CDF Extension Copy Hook” “{131A6951-7F78-11D0-A979-00C04FD705A2}”=“ISFBand OC” “{9461b922-3c5a-11d2-bf8b-00c04fb93661}”=“Search Assistant OC” “{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}”=“Internet” “{871C5380-42A0-1069-A2EA-08002B30309D}”=“Internet Name Space” “{EFA24E64-B078-11d0-89E4-00C04FC9E26E}”=“Pasek eksploratora” “{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{88C6C381-2E85-11D0-94DE-444553540000}”=“Folder pami©ci podr©cznej ActiveX” “{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”=“WebCheck” “{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}”=“Subscription Mgr” “{F5175861-2688-11d0-9C5E-00AA00A45957}”=“Folder subskrypcji” “{08165EA0-E946-11CF-9C87-00AA005127ED}”=“WebCheckWebCrawler” “{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}”=“WebCheckChannelAgent” “{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}”=“TrayAgent” “{7D559C10-9FE9-11d0-93F7-00AA0059CE02}”=“Code Download Agent” “{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}”=“ConnectionAgent” “{D8BD2030-6FC9-11D0-864F-00AA006809D9}”=“PostAgent” “{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}”=“WebCheck SyncMgr Handler” “{352EC2B7-8B9A-11D1-B8AE-006008059382}”=“Menedľer aplikacji powoki” “{0B124F8F-91F0-11D1-B8B5-006008059382}”=“Wyliczanie zainstalowanych aplikacji” “{CFCCC7A0-A282-11D1-9082-006008059382}”=“Publikator aplikacji Darwin” “{e84fda7c-1d6a-45f6-b725-cb260c236066}”=“Shell Image Verbs” “{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}”=“Shell Image Data Factory” “{3F30C968-480A-4C6C-862D-EFC0897BB84B}”=“GDI+program wyodr©bniajĄcy miniatury plik˘w” “{9DBD2C50-62AD-11d0-B806-00C04FD706EC}”=“Informacje podsumowujĄce obsugi miniatur (DOCFILES)” “{EAB841A0-9550-11cf-8C16-00805F1408F3}”=“Wyodr©bnianie miniatur HTML” “{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}”=“Shell Image Property Handler” “{CC6EEFFB-43F6-46c5-9619-51D571967F7D}”=“Kreator publikacji w sieci Web” “{add36aa8-751a-4579-a266-d66f5202ccbb}”=“Zamawianie odbitek w sieci Web” “{6b33163c-76a5-4b6c-bf21-45de9cd503a1}”=“Obiekt powoki kreatora publikacji” “{58f1f272-9240-4f51-b6d4-fd63d1618591}”=“Kreator uzyskiwania profilu usugi Passport” “{7A9D77BD-5403-11d2-8785-2E0420524153}”=“Konta uľytkownik˘w” “{BD472F60-27FA-11cf-B8B4-444553540000}”=“Compressed (zipped) Folder Right Drag Handler” “{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}”=“Compressed (zipped) Folder SendTo Target” “{f39a0dc0-9cc8-11d0-a599-00c04fd64433}”=“Plik kanau” “{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}”=“Skr˘t kanau” “{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}”=“Obiekt obsugi kanau” “{f3da0dc0-9cc8-11d0-a599-00c04fd64437}”=“Channel Menu” “{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}”=“Channel Properties” “{63da6ec0-2e98-11cf-8d82-444553540000}”=“FTP Folders Webview” “{883373C3-BF89-11D1-BE35-080036B11A03}”=“Microsoft DocProp Shell Ext” “{A9CF0EAE-901A-4739-A481-E35B73E47F6D}”=“Microsoft DocProp Inplace Edit Box Control” “{8EE97210-FD1F-4B19-91DA-67914005F020}”=“Microsoft DocProp Inplace ML Edit Box Control” “{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}”=“Microsoft DocProp Inplace Droplist Combo Control” “{6A205B57-2567-4A2C-B881-F787FAB579A3}”=“Microsoft DocProp Inplace Calendar Control” “{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}”=“Microsoft DocProp Inplace Time Control” “{8A23E65E-31C2-11d0-891C-00A024AB2DBB}”=“Directory Query UI” “{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}”=“Shell properties for a DS object” “{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}”=“Directory Object Find” “{F020E586-5264-11d1-A532-0000F8757D7E}”=“Directory Start/Search Find” “{0D45D530-764B-11d0-A1CA-00AA00C16E65}”=“Directory Property UI” “{62AE1F9A-126A-11D0-A14B-0800361B1103}”=“Directory Context Menu Verbs” “{ECF03A33-103D-11d2-854D-006008059367}”=“MyDocs Copy Hook” “{ECF03A32-103D-11d2-854D-006008059367}”=“MyDocs Drop Target” “{4a7ded0a-ad25-11d0-98a8-0800361b1103}”=“MyDocs Properties” “{750fdf0e-2a26-11d1-a3ea-080036587f03}”=“Offline Files Menu” “{10CFC467-4392-11d2-8DB4-00C04FA31A66}”=“Offline Files Folder Options” “{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}”=“Folder plik˘w trybu offline” “{143A62C8-C33B-11D1-84FE-00C04FA34A14}”=“Microsoft Agent Character Property Sheet Handler” “{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}”=“DfsShell” “{60fd46de-f830-4894-a628-6fa81bc0190d}”="%DESC_PublishDropTarget%" “{7A80E4A8-8005-11D2-BCF8-00C04F72C717}”=“MMC Icon Handler” “{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}”=".CAB file viewer" “{32714800-2E5F-11d0-8B85-00AA0044F941}”="&Do os˘b…" “{8DD448E6-C188-4aed-AF92-44956194EB1F}”=“Windows Media Player Play as Playlist Context Menu Handler” “{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}”=“Windows Media Player Burn Audio CD Context Menu Handler” “{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}”=“Windows Media Player Add to Playlist Context Menu Handler” “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”=“WinRAR shell extension” “{BDEADF00-C265-11D0-BCED-00A0C90AB50F}”=“Foldery w sieci Web” “{42042206-2D85-11D3-8CFF-005004838597}”=“Microsoft Office HTML Icon Handler” “{1CDB2949-8F65-4355-8456-263E7C208A5D}”=“Desktop Explorer” “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}”=“Desktop Explorer Menu” “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}”=“Shell Extensions for RealOne Player” “{AB77609F-2178-4E6F-9C4B-44AC179D937A}”=“aň Context Menu Shell Extension” “{52B87208-9CCF-42C9-B88E-069281105805}”=“Trojan Remover Shell Extension” ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: Locate .tmp files: ********************************************************************************** Directory Listing of system files: Wolumin w stacji C to SYSTEM Numer seryjny woluminu: 40BE-5083 Katalog: C:\WINDOWS\System32 2005-10-07 14:10 10˙856 KGyGaAvL.sys 2005-01-09 18:04 56 D765C90787.sys 2004-06-02 22:56 2004-06-02 22:22 2 plik(˘w) 10˙912 bajt˘w 2 katalog(˘w) 19˙299˙778˙560 bajt˘w wolnych

Gutek · 8 Styczeń 2006 21:29

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG

Użyj Pocket Killbox. Zaznaczasz opcję Delete on Reboot i w polu Full Path of File to Delete wklejasz ścieżki

C:\WINDOWS\System32\browsela.dll

i naciskasz X czerwony. Program poprosi o reset kompa … czyli resetujesz. Przejście do trybu awaryjnego Windows i uruchomienie pliku FIX.REG.

a hijackiem usuń jeszcze:

mery · 8 Styczeń 2006 21:54

zrobione, ale przy ponownym uruchomieniu systemu pojawia sie informacja że nie można znaleźć

C:\WINDOWS\inet20001\winlogon.exe

który usunęłam zgodnie z powyższym poleceniem , co mam z tym zrobić?

Gutek · 8 Styczeń 2006 21:58

Daj mi log z hijacka i silenta- Silent opis: http://www.searchengines.pl/phpbb203/in … opic=15989

mery · 8 Styczeń 2006 22:01

Logfile of HijackThis v1.99.1 Scan saved at 23:04:47, on 2006-01-08 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\MMTray.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\RICOlmer\RICOlmer.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\WINDOWS\alt.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\agata\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20001\3.00.13.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [MMTray] MMTray.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [TrojanScanner] C:\Program Files\ANTYWIRUSOWE\Trojan Remover\Trjscan.exe O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [systemLoader] C:\WINDOWS\sysldr32.exe O4 - HKLM…\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe O4 - HKLM…\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s O4 - HKLM…\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s O4 - HKCU…\Run: [RICOlmer] C:\Program Files\RICOlmer\RICOlmer.exe O4 - HKCU…\Run: [Dzieńdobry!] C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\Powergg.exe” O4 - HKCU…\Run: [sIDEBAR] “C:\Program Files\Desktop Sidebar\dsidebar.exe” O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe O4 - HKCU…\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe O4 - HKCU…\Run: [AlexaToolbar] C:\WINDOWS\alt.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Złączono Posta : 08.01.2006 (Nie) 23:04

opisu z silenta nie dam bo nie wiem co to i na dodatek nie moge otworzyć tego linku - pokazuje się błąd i operacja przerwana.

a dodatkowo teraz pokazał mi przy uruchomieniu infirmację że jest kolejny błąd : cyuje nieznany watek programowy (0x0eedfade) pod adresem 0x77e738b2

Gutek · 8 Styczeń 2006 22:13

usuwanie jak wyzej w trybie awaryjnym

mery · 8 Styczeń 2006 22:36

ostatnie pytanie: usuwam zaznaczone przez Ciebie pliki w trybie awaryjnym, ale po ponownym uruchomieniu one znowu są - co robię źle???

Gutek · 8 Styczeń 2006 22:43

Ty mi powiedź jak to usuwasz?

Użyj Pocket Killbox. Zaznaczasz opcję Delete on Reboot oraz All Files i w polu Full Path of File to Delete wklejasz ścieżki

C:\WINDOWS\adsldpbf.dll

C:\WINDOWS\sysldr32.exe

C:\WINDOWS\System\svchost.exe

C:\WINDOWS\System\svwhost.exe

C:\WINDOWS\alt.exe

C:\WINDOWS\system32\browsela.dll

i naciskasz X czerwony. Program poprosi o reset kompa … czyli resetujesz.

mery · 8 Styczeń 2006 23:08

usuwam je normalnie zaznaczając w hijacku kwadrat i daję usuń, a co do killboxa to po naciśnięciu czerwonego x pojawia mi się informacja PendingFileRenameOperations Registry Data has bee Removed by External Process! o ak za każdym razem, a pliki jak byly tak są

Gutek · 9 Styczeń 2006 00:21

A Pocket Killbox używasz w trybie awaryjnym?

mery · 11 Styczeń 2006 21:08

Przepraszam za przerwę w pisanie ale wirusy dopadły nie tylko mój komputer, ale tez mnie.

Pocket Killboxa używałam w trybie awaryjnym i normalnym.

Dziś zainstalwałam Kasperskiego i po kilku skanach już nie pokazuje mi że mam cos na kompie ale jak sprawdzam loga to nadal mam same pozycje które wczesniej pokazywałeś mi do usunięcia.

Wklejam loga jeszcze raz i mam pytanie czy nie da się tego usunąc jakoś ręcznie z rejestru bez użycia programów?

Logfile of HijackThis v1.99.1 Scan saved at 22:06:23, on 2006-01-11 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\System32\MMTray.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\RICOlmer\RICOlmer.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\a-squared\a2guard.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Documents and Settings\agata\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20001\3.00.13.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [MMTray] MMTray.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [systemLoader] C:\WINDOWS\sysldr32.exe O4 - HKLM…\Run: [KAVPersonal50] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe” /minimize O4 - HKCU…\Run: [RICOlmer] C:\Program Files\RICOlmer\RICOlmer.exe O4 - HKCU…\Run: [Dzieńdobry!] C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\Powergg.exe” O4 - HKCU…\Run: [sIDEBAR] “C:\Program Files\Desktop Sidebar\dsidebar.exe” O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe O4 - HKCU…\Run: [AlexaToolbar] C:\WINDOWS\alt.exe O4 - HKCU…\Run: [a-squared] “C:\Program Files\a-squared\a2guard.exe” O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll (file missing) O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Gutek · 11 Styczeń 2006 21:41

Wyłączyć Przywracanie systemu w XP TU
Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).
Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte.
Skasować z dysku pliki i folder, które podkreśliłem na czerwono
Dokończyć skanerami online - Scanery do wyboru
Pokazać nowy log

Daj log z Silenta - Silent opis: http://www.searchengines.pl/phpbb203/in … opic=15989

mery · 11 Styczeń 2006 22:07

“Silent Runners.vbs”, revision 43, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “RICOlmer” = “C:\Program Files\RICOlmer\RICOlmer.exe” [“Robert Wieckowicz”] “Dzieńdobry!” = “C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto” [“VSD Software”] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\Powergg.exe”” [null data] “SIDEBAR” = ““C:\Program Files\Desktop Sidebar\dsidebar.exe”” [file not found] “ctfmon.exe” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “xp_system” = “C:\WINDOWS\inet20001\winlogon.exe” [file not found] “a-squared” = ““C:\Program Files\a-squared\a2guard.exe”” [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “MMTray” = “MMTray.exe” [“Morgan Multimedia”] “HPDJ Taskbar Utility” = “C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe” [“HP”] “Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe” [file not found] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “KAVPersonal50” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe” /minimize” [“Kaspersky Lab”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID] -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = “Google Toolbar Helper” [from CLSID] -> {CLSID}\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Real Alternative\rpshell.dll” [file not found] “{AB77609F-2178-4E6F-9C4B-44AC179D937A}” = “a˛ Context Menu Shell Extension” -> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL” [null data] “{52B87208-9CCF-42C9-B88E-069281105805}” = “Trojan Remover Shell Extension” -> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ INFECTION WARNING! “{31EE3286-D785-4E3F-95FC-51D00FDABC01}” = “Master Browseui” -> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\browsela.dll” [file not found] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ EasyZip(Default) = “{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\EasyZip\EZSHLEXT.DLL” [null data] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll” [“Kaspersky Lab”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” -> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [file not found] VersionsMenu(Default) = “{03170921-4754-11cf-AB9A-00C0F00683EB}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Corel\shared\Versions\CVersion.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ a2ContMenu(Default) = “{AB77609F-2178-4E6F-9C4B-44AC179D937A}” -> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL” [null data] EasyZip(Default) = “{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\EasyZip\EZSHLEXT.DLL” [null data] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll” [“Kaspersky Lab”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” -> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [file not found] VersionsMenu(Default) = “{03170921-4754-11cf-AB9A-00C0F00683EB}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\Corel\shared\Versions\CVersion.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {CLSID}\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies [Description] {enabled Group Policy setting}: ------------------------------------------------------------ HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ HIJACK WARNING! “ForceActiveDesktopOn”=dword:00000001 [enables Active Desktop and prevents disabling it] {User Configuration|Administrative Templates|Desktop|Active Desktop| Enable Active Desktop} Active Desktop and Wallpaper: ----------------------------- Active Desktop enabled via Group Policy. HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\agata\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\ssstars.scr” [MS] Startup items in “agata” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] Enabled Scheduled Tasks: ------------------------ “Symantec NetDetect” -> launches: “C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE” [“Symantec Corporation”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = “&Google” [from CLSID] -> {CLSID}\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = “&Google” [from CLSID] -> {CLSID}\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = “&Google” [from CLSID] -> {CLSID}\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ kavsvc, kavsvc, ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe”” [“Kaspersky Lab”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt08\Driver = “hpzsnt08.dll” [“HP”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 80 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 27 seconds. ---------- (total run time: 212 seconds)

Gutek · 11 Styczeń 2006 22:17

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Ustaw rozszerzenie z TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG >>> kliknij podwójnie zrobiony plik i potwierdź >>> reset kompa

Po tym, jeśli jeszcze nie zadziała, proszę się upewnić iż jest:

Prawy klik na Pulpit >>> Właściwości >>> Pulpit >>> Dostosuj Pulpit >>> Sieć Web >>> odznaczona opcja Blokuj elementy pulpitu

mery · 11 Styczeń 2006 22:27

Już wszystko pięknie wygląda Wielkie podziękowania. Mam nadzięję że to już wszystko. Chyba że mam jeszcze cos pousuwać bo w ostatnim logu widzę wiele pozycji [file not found] i nie wiem czy z nimi też mam coś robić?

Jeszcze tylko jedno naiwne pytanie laika - skoro mam zablokowane przywracanie systemu, a bedę go kiedyś chciała przywrócić to czy nie przywrócę sobie tych wszystkich problemów?

Gutek · 12 Styczeń 2006 05:40

zablokowane czy wyłaczone? Daj nowy log z Silenta