jakis syf, ja juz sie wykanczam :(
cos sie zakorzenilo Pod paskiem adresu w przegladarce mam jakies REMOWE TOOLBAR Jak biore widok i chce to wylaczyc to sie nie da bo nie sa podswietlone te funkcje :( I to samo jest jak otworze jakis folder NO i na strone startowo sie wrypalo PLIS o pomoc
Odpowiedzi: 4
juz jest ok WIELKIE DZIEKI !!
Wyłacz przywracanie
Usun wyboldowane pliki oraz wpisy wymienione nizej:
Nowa wersja rootkita Ms4Hd:
Sciagnij >> remv3 i uruchom go w trybie awaryjnym, wpisy usun Hijackiem
Usun wyboldowane pliki oraz wpisy wymienione nizej:
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot–searches.com*;*lender–search.com*
O2 – BHO: WHttpHelper Class – {9896231A–C487–43A5–8369–6EC9B0A96CC0} – C:\WINDOWS\System32\WStart.dll
O2 – BHO: IE SP2 AddOn – {BFFC1D43–F557–4486–BBB2–70A1C1A46CA3} – C:\WINDOWS\System32\sphkt.dll
O3 – Toolbar: SearchToolbar – {08BEC6AA–49FC–4379–3587–4B21E286C19E} – C:\WINDOWS\System32\ie2cltr.dll
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O16 – DPF: {14A3221B–1678–1982–A355–7263B1281987} – ms–its:mhtml:file://C:\foo.mht!http://82.179.170.82/e9xr2.chm::/file.exe
Nowa wersja rootkita Ms4Hd:
O17 – HKLM\System\CCS\Services\Tcpip\..\{D8B657C6–CA0A–459C–B4AE–4509D05EE92E}: NameServer = 69.50.176.156,195.225.176.31
O17 – HKLM\System\CCS\Services\Tcpip\..\{E018C20F–C580–4006–9DD2–06609DD50930}: NameServer = 69.50.176.156,195.225.176.31
Sciagnij >> remv3 i uruchom go w trybie awaryjnym, wpisy usun Hijackiem
Logfile of HijackThis v1.99.1
Scan saved at 19:35:02, on 2005–05–10
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Gadu–Gadu\gg.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\FLASHGET\flashget.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Piotrek\USTAWI~1\Temp\Rar$EX00.502\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot–searches.com*;*lender–search.com*
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 – BHO: WHttpHelper Class – {9896231A–C487–43A5–8369–6EC9B0A96CC0} – C:\WINDOWS\System32\WStart.dll
O2 – BHO: IeCatch2 Class – {A5366673–E8CA–11D3–9CD9–0090271D075B} – C:\PROGRA~1\FLASHGET\jccatch.dll
O2 – BHO: IE SP2 AddOn – {BFFC1D43–F557–4486–BBB2–70A1C1A46CA3} – C:\WINDOWS\System32\sphkt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O3 – Toolbar: FlashGet Bar – {E0E899AB–F487–11D5–8D29–0050BA6940E3} – C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 – Toolbar: SearchToolbar – {08BEC6AA–49FC–4379–3587–4B21E286C19E} – C:\WINDOWS\System32\ie2cltr.dll
O4 – HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 – Extra context menu item: Download All by FlashGet – C:\PROGRA~1\FLASHGET\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – C:\PROGRA~1\FLASHGET\jc_link.htm
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra button: FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – C:\PROGRA~1\FLASHGET\flashget.exe
O9 – Extra 'Tools' menuitem: &FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – C:\PROGRA~1\FLASHGET\flashget.exe
O16 – DPF: {14A3221B–1678–1982–A355–7263B1281987} – ms–its:mhtml:file://C:\foo.mht!http://82.179.170.82/e9xr2.chm::/file.exe
O17 – HKLM\System\CCS\Services\Tcpip\..\{D8B657C6–CA0A–459C–B4AE–4509D05EE92E}: NameServer = 69.50.176.156,195.225.176.31
O17 – HKLM\System\CCS\Services\Tcpip\..\{E018C20F–C580–4006–9DD2–06609DD50930}: NameServer = 69.50.176.156,195.225.176.31
O23 – Service: MGABGEXE – Matrox Graphics Inc. – C:\WINDOWS\System32\mgabg.exe
Scan saved at 19:35:02, on 2005–05–10
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Gadu–Gadu\gg.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\FLASHGET\flashget.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Piotrek\USTAWI~1\Temp\Rar$EX00.502\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot–searches.com*;*lender–search.com*
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 – BHO: WHttpHelper Class – {9896231A–C487–43A5–8369–6EC9B0A96CC0} – C:\WINDOWS\System32\WStart.dll
O2 – BHO: IeCatch2 Class – {A5366673–E8CA–11D3–9CD9–0090271D075B} – C:\PROGRA~1\FLASHGET\jccatch.dll
O2 – BHO: IE SP2 AddOn – {BFFC1D43–F557–4486–BBB2–70A1C1A46CA3} – C:\WINDOWS\System32\sphkt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O3 – Toolbar: FlashGet Bar – {E0E899AB–F487–11D5–8D29–0050BA6940E3} – C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 – Toolbar: SearchToolbar – {08BEC6AA–49FC–4379–3587–4B21E286C19E} – C:\WINDOWS\System32\ie2cltr.dll
O4 – HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 – Extra context menu item: Download All by FlashGet – C:\PROGRA~1\FLASHGET\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – C:\PROGRA~1\FLASHGET\jc_link.htm
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra button: FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – C:\PROGRA~1\FLASHGET\flashget.exe
O9 – Extra 'Tools' menuitem: &FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – C:\PROGRA~1\FLASHGET\flashget.exe
O16 – DPF: {14A3221B–1678–1982–A355–7263B1281987} – ms–its:mhtml:file://C:\foo.mht!http://82.179.170.82/e9xr2.chm::/file.exe
O17 – HKLM\System\CCS\Services\Tcpip\..\{D8B657C6–CA0A–459C–B4AE–4509D05EE92E}: NameServer = 69.50.176.156,195.225.176.31
O17 – HKLM\System\CCS\Services\Tcpip\..\{E018C20F–C580–4006–9DD2–06609DD50930}: NameServer = 69.50.176.156,195.225.176.31
O23 – Service: MGABGEXE – Matrox Graphics Inc. – C:\WINDOWS\System32\mgabg.exe
W szukajke forumową: "REMOWE TOOLBAR" i http://forum.centrumxp.pl/viewtopic.php?t=33646
Wklej log z programu Hijack This, o ktorym wiecej przeczytasz w FAQ w tym dziale.
Wklej log z programu Hijack This, o ktorym wiecej przeczytasz w FAQ w tym dziale.
Strona 1 / 1