kitts
(Kitts)
25 January 2006 21:16
#21
OK, done. When Windows starts, it still tries to look for services.exe.
What should I post now for review?
Gutek
(Gutek)
25 January 2006 21:24
#22
Post a HijackThis log and a Silent Runners log.
Gutek
(Gutek)
26 January 2006 08:09
#24
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\windows\inet20010\3.00.13.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\System32\nppifllp.dll (file missing)
I'm struggling with the keys and you haven't deleted the files!
kitts
(Kitts)
26 January 2006 17:48
#25
I'd swear I removed all the indicated files from the disk, both manually and through HijackThis; I don't think I missed anything, but I may be wrong because I don't know much about this. In any case, sorry for the confusion this has caused! I don't understand what I'm supposed to do about this instruction
what is, or rather where is, the "safe" folder, and what am I supposed to do in it - type in the given file or throw it out?
kuz5
(Kuz5)
26 January 2006 20:55
#26
You have to boot into Safe Mode (right as the computer starts, press F8 and pick Safe Mode from the list of startup modes), and then delete the folder marked in red manually:
C:\windows\inet20010
kitts
(Kitts)
26 January 2006 21:21
#27
Thanks for the tip. Here is a new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 22:23:05, on 2006-01-26
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\ntvdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\svchost.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Krakery\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tlen.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.48.117.19:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F3 - REG:win.ini: load=C:\YDPDict\watch.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.wp.pl/"); (C:\Program Files\Netscape\Users\marsob\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [hf] C:\Program Files\HideFolders\hf.exe /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {70AA7362-0A16-11D4-877B-008048C4AC6F} (MainControl Class) - http://download.mks.com.pl/files/webscan/WebScan.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4E99A87-1213-44D0-A529-AE3B377D44EA}: NameServer = 81.219.160.2,217.17.34.10
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\System32\textwareilluminatorbaseProtocol.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Gutek
(Gutek)
26 January 2006 22:41
#28
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
Safe Mode with the command line:
When you press F8 during startup you get a black screen where you use the arrow keys to choose "Safe Mode with command-line support". You'll land on a black screen with a blinking C:>. That is the command line, and in it you type:
RD /S /Q "C:\WINDOWS\inet20010"
RD /S /Q "C:\secure32.html"
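Added example (the editor's, not part of Gutek's post): the same cleanup written out as a batch script for the Safe Mode command prompt. The two paths are the ones flagged in the HijackThis log; every other name in it is added here. It makes three things explicit that the thread stumbles over: the commands use absolute paths, so it does not matter whether the prompt reads C:\> or C:\Documents and Settings\admin>; `dir /a` lists hidden and system items that Explorer hides by default, so a folder you cannot see in Explorer may still be on the disk; and RD only removes directories, so the file C:\secure32.html has to be removed with DEL. Type plain ASCII double quotes: typographic quotes copied from a web page become part of the path and the command fails. The script touches only C:\WINDOWS\inet20010 and leaves the legitimate C:\WINDOWS\system32\services.exe alone.

```batch
@echo off
rem Added example: remove the two items flagged in the HijackThis log.
rem Run from the Safe Mode command prompt (or save as cleanup.cmd and run it).
rem Paths come from the log above; everything else is the editor's.
rem Absolute paths are used, so the current directory does not matter.

set "BADDIR=C:\WINDOWS\inet20010"
set "BADFILE=C:\secure32.html"

rem 1. Look before deleting. /a also lists hidden and system items, which
rem    Explorer hides by default, so "I don't see the folder" is not proof
rem    that it is gone.
echo === before ===
dir /a "%BADDIR%" 2>nul
dir /a "%BADFILE%" 2>nul

rem 2. Clear read-only/system/hidden attributes first; RD and DEL refuse
rem    to remove items that still carry them. A trailing backslash in the
rem    "if exist" test makes it match only a directory.
if exist "%BADDIR%\" attrib -r -s -h "%BADDIR%\*" /s /d
if exist "%BADDIR%\" attrib -r -s -h "%BADDIR%"
if exist "%BADFILE%" attrib -r -s -h "%BADFILE%"

rem 3. RD removes a directory tree; a single file needs DEL (RD on a file
rem    fails). /f forces deletion of read-only files, /q asks no questions.
if exist "%BADDIR%\" rd /s /q "%BADDIR%"
if exist "%BADFILE%" del /f /q "%BADFILE%"

rem 4. Confirm the result instead of trusting Explorer.
echo === after ===
if exist "%BADDIR%\" (echo STILL PRESENT: %BADDIR%) else (echo removed: %BADDIR%)
if exist "%BADFILE%" (echo STILL PRESENT: %BADFILE%) else (echo removed: %BADFILE%)
```

If either item is reported as still present after this, the file is in use or locked, which is the case Pocket Killbox's "Delete on Reboot" option mentioned later in the thread is meant for.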
kitts
(Kitts)
27 January 2006 13:15
#29
In Safe Mode with Command Prompt I can type after a prompt that starts like this:
C:\Document Settings\admin
should I type there, or should I go directly to C:?
At the start of this clean-up I installed the Recovery Console, maybe that's where this prompt comes from.
Gutek
(Gutek)
27 January 2006 13:51
#30
Paste the commands as I gave them, from C:\
kitts
(Kitts)
27 January 2006 19:30
#31
Unfortunately I can't follow this instruction exactly, because
"use the arrow keys to choose "Safe Mode with command-line support"" - instead of that I have "Safe Mode with Command Prompt"; is that the same as "with command-line support"? After entering it I get the prompt C:\Documents and Settings\admin> and that's the only place I can type, but after typing the first of the commands I get a message saying that what I'm asking the computer to do can't be done.
Gutek
(Gutek)
27 January 2006 20:16
#32
Yes, choose Safe Mode with Command Prompt, and after that new logs - or, in Safe Mode, grant yourself permissions on the folder -
after that you'll delete it in Safe Mode
kitts
(Kitts)
27 January 2006 20:53
#33
I went in through the Recovery Console in Safe Mode and at C:> I typed those commands, but every time I got the reply "The parameter is incorrect".
Where am I supposed to find this option 'grant permissions to the file'?
I understand that once I'm there I should right-click and choose Properties for the files/folders
and
Do I understand this correctly???
Gutek
(Gutek)
27 January 2006 21:08
#34
I don't know how else to explain it; for the file C:\secure32.html try this:
Use Pocket Killbox. Tick the Delete on Reboot option and in the Full Path of File to Delete field paste the path
C:\secure32.html
and press the red X. The program will ask to restart the computer... so you restart.
Grant yourself permissions on the folder so that you can delete it in Safe Mode.
kitts
(Kitts)
27 January 2006 21:43
#35
I did it as best I could; here is a new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 22:45:54, on 2006-01-27
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\ntvdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\svchost.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Krakery\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tlen.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.48.117.19:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F3 - REG:win.ini: load=C:\YDPDict\watch.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.wp.pl/"); (C:\Program Files\Netscape\Users\marsob\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [hf] C:\Program Files\HideFolders\hf.exe /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {70AA7362-0A16-11D4-877B-008048C4AC6F} (MainControl Class) - http://download.mks.com.pl/files/webscan/WebScan.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4E99A87-1213-44D0-A529-AE3B377D44EA}: NameServer = 81.219.160.2,217.17.34.10
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\System32\textwareilluminatorbaseProtocol.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Gutek
(Gutek)
27 January 2006 21:55
#36
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
In Safe Mode delete the folder and the file - I suggest you look at http://www.searchengines.pl/phpbb203/in … opic=10662
kitts
(Kitts)
27 January 2006 22:12
#37
But I don't have an inet20010 folder in the Windows directory on drive C:, neither in Safe Mode nor in normal mode, and a moment ago in Safe Mode I deleted the file secure32.html from drive C:, removing it from the Recycle Bin as well.
Gutek
(Gutek)
27 January 2006 22:29
#38
When you're in Safe Mode, log in as yourself, not as Administrator - new logs, including one from Silent Runners - Silent Runners description: http://www.searchengines.pl/phpbb203/in … opic=15989
kitts
(Kitts)
29 January 2006 19:09
#39
As I wrote before, no matter how I log into Safe Mode, I have neither C:\secure32.html nor C:\WINDOWS\inet20010 on the disk, so I can't delete them. Here are the new Silent Runners logs:
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\windows\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Avance Logic, Inc."]
"zBrowser Launcher" = "C:\Program Files\Logitech\iTouch\iTouch.exe" ["Logitech Inc. "]
"EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
"MMTray" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" ["Musicmatch, Inc."]
"LVCOMS" = "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" ["Logitech Inc."]
"CloneCDElbyCDFL" = ""C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL" ["Elaborate Bytes AG"]
"mmtask" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" ["Musicmatch Inc."]
"NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
                                       \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\windows\INF\msmsgs.inf,BLC.Remove.PerUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\xp236711.dll" [null data]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "load" = "C:\YDPDict\watch.exe" [null data]
INFECTION WARNING! "run" = "C:\WINDOWS\inet20010\services.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
FolderToCorelMediaFolder\(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\
"{44BE0690-5429-47F0-85BB-3FFD8020233E}" = "44BE0690-5429-47f0-85BB-3FFD8020233E"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7}" = "zSearch Bar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\zSearch\zSearch.dll" [file not found]
"{952EC978-4920-4F18-8237-91D69B54C580}" = "BA Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SearchLocate\sidebar.dll" [file not found]
"{44BE0690-5429-47F0-85BB-3FFD8020233E}" = "UCmore XP - The Search Accelerator" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll" [file not found]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{D6CA5D91-5EA2-4654-9B75-499267012611}\ = "BrowserAngel Sidepanel"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\SearchLocate\sidebar.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
PDFCreator\Driver = "pdfcmnnt.dll" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 55 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 17 seconds.
---------- (total run time: 537 seconds)
and from HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 20:07:49, on 2006-01-29
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\ntvdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\svchost.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Krakery\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tlen.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 80.48.117.19:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F3 - REG:win.ini: load=C:\YDPDict\watch.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.wp.pl/"); (C:\Program Files\Netscape\Users\marsob\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [hf] C:\Program Files\HideFolders\hf.exe /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O16 - DPF: {70AA7362-0A16-11D4-877B-008048C4AC6F} (MainControl Class) - http://download.mks.com.pl/files/webscan/WebScan.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4E99A87-1213-44D0-A529-AE3B377D44EA}: NameServer = 81.219.160.2,217.17.34.10
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\System32\textwareilluminatorbaseProtocol.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Gutek
(Gutek)
29 January 2006 19:56
#40
Open Notepad and paste -
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the file you made and confirm >>> restart the computer
When you enter Safe Mode, are you logging in as yourself, not as Administrator?
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
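The contents of the FIX.REG file are not on the page. As an added example (the editor's, not Gutek's fix), here is the same registry repair done with reg.exe from a command prompt, so that each HijackThis line sits next to the registry value it describes. The key and value names come from the HijackThis and Silent Runners output quoted above; the replacement values (about:blank, blank.htm and the srchcust.htm URL) are assumed Windows XP / IE6 defaults and should be checked against a clean machine. Only the entries Gutek listed are touched: the HKCU Start Page (tlen.pl) is the user's own and is left alone. HKCU values are per account, so run this logged in as the user whose log shows them, not as a different administrator account.

```batch
@echo off
rem Added example: registry side of the fix, with reg.exe instead of a .reg
rem file. Key and value names are from the HijackThis / Silent Runners logs
rem above; the replacement data are assumed XP/IE6 defaults (verify them).
rem Run as the user whose log shows the HKCU entries.

set "IEMAIN=Software\Microsoft\Internet Explorer\Main"
set "IESEARCH=HKLM\Software\Microsoft\Internet Explorer\Search"
set "WINNT=HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"

rem R0 - HKLM\...\Main,Start Page = c:\secure32.html
reg add "HKLM\%IEMAIN%" /v "Start Page" /t REG_SZ /d "about:blank" /f

rem R0 - HKCU\...\Main,Local Page = c:\secure32.html
rem R0 - HKLM\...\Main,Local Page = c:\secure32.html
rem blank.htm is the assumed XP default for the "Local Page" value.
reg add "HKCU\%IEMAIN%" /v "Local Page" /t REG_SZ /d "C:\WINDOWS\system32\blank.htm" /f
reg add "HKLM\%IEMAIN%" /v "Local Page" /t REG_SZ /d "C:\WINDOWS\system32\blank.htm" /f

rem R0 - HKLM\...\Search,CustomizeSearch =   (value was emptied)
rem The URL below is the assumed IE6 default for this value.
reg add "%IESEARCH%" /v "CustomizeSearch" /t REG_SZ /d "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm" /f

rem F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
rem On NT-based Windows the win.ini [windows] run= line lives in this
rem registry value (Silent Runners reports it under the same key).
rem Deleting the value removes the autostart; /f skips the confirmation.
reg delete "%WINNT%" /v "run" /f

rem Verify: the first four queries should show the defaults, the last
rem should report that the value was not found.
echo === verification ===
reg query "HKLM\%IEMAIN%" /v "Start Page"
reg query "HKCU\%IEMAIN%" /v "Local Page"
reg query "HKLM\%IEMAIN%" /v "Local Page"
reg query "%IESEARCH%" /v "CustomizeSearch"
reg query "%WINNT%" /v "run"
```

Re-run HijackThis after a restart: if the R0 and F3 lines come back, something still running is re-writing them, and the file-level cleanup has to be finished before the registry fix will hold.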