Who will check my log for me? PLEASE!
Logfile of HijackThis v1.99.1
Scan saved at 22:19:43, on 2005-07-10
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\System32\gglib.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Media Gateway\MediaGateway.exe
D:\WINDOWS\System32\paytime.exe
D:\WINDOWS\sys4232.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\WINDOWS\System32\paytime.exe
C:\Program Files\SpySheriff\SpySheriff.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
D:\Program Files\Nikon\PictureProject\NkbMonitor.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Webshots\webshots.scr
D:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Winamp\Winamp.exe
D:\WINDOWS\System32\newdial1.exe
D:\WINDOWS\System32\newdial1.exe
D:\WINDOWS\msmsgrxp.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\DOROTA~1\USTAWI~1\Temp\Rar$EX00.797\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\DOROTA~1\USTAWI~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\ANIAR~1.RES\USTAWI~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F3 - REG:win.ini: run=hpfsched
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2fucked.biz
O1 - Hosts: 127.0.0.3 sp2fucked.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.3 topcash.biz
O1 - Hosts: 127.0.0.3 www.topcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 txiframe.biz
O1 - Hosts: 127.0.0.3 www.txiframe.biz
O1 - Hosts: 127.0.0.3 procounter.biz
O1 - Hosts: 127.0.0.3 www.procounter.biz
O1 - Hosts: 127.0.0.3 advadmin.biz
O1 - Hosts: 127.0.0.3 www.advadmin.biz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AC2DB7B9-BBCB-47F5-B2D2-4C8D0CE9496D} - D:\WINDOWS\System32\aioc.dll (file missing)
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - D:\Program Files\Starware\bin\Starware.dll (file missing)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - D:\Program Files\YourSiteBar\ysb.dll (file missing)
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - D:\Program Files\Starware\bin\Starware.dll (file missing)
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - D:\Program Files\RXToolBar\RXToolBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\ANIAR~1.RES\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [CMESys] "D:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\System32\popcorn64.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BearShare] "D:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Media Gateway] D:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [sys4232] D:\WINDOWS\sys4232.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [_Cat2] D:\WINDOWS\nmstt.exe
O4 - HKLM\..\Run: [_Cat3] D:\WINDOWS\msmsgrxp.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Registry Cleaner] "D:\Program Files\Registry Cleaner Trial\regclean.exe"
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Dzieńdobry!] D:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto
O4 - HKCU\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [sys4232] D:\WINDOWS\sys4232.exe
O4 - Startup: PopTray.lnk = D:\Program Files\PopTray\PopTray.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Action Manager 32.lnk = D:\Program Files\ScannerU\AM32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkbMonitor.exe.lnk = D:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414YYPL
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - D:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O18 - Filter: text/html - {4B489322-664B-48EA-8674-A50081292E78} - D:\WINDOWS\System32\aioc.dll
O18 - Filter: text/plain - {4B489322-664B-48EA-8674-A50081292E78} - D:\WINDOWS\System32\aioc.dll
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - D:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - D:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
:(
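An added example, not code from the original post and not part of HijackThis itself: a small Python triage script that parses the entry lines of a log like the one above and flags the indicator classes the helpers in this thread act on (start pages pointing at a bare IP, settings that load from a Temp directory, 127.0.0.x hosts entries, orphaned add-ons, bare-filename or drive-root Run entries, Trusted-zone additions, MIME filters, Winlogon Notify DLLs). The embedded sample is constructed from a few lines of the posted log; the rules and thresholds are my own assumptions about what a reviewer ticks, not anything HijackThis computes.

```python
"""Triage a HijackThis v1.99-style log: parse each entry line and apply
reviewer rules for the indicator classes visible in the thread's log."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines lifted from the posted log, not the full log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\DOROTA~1\USTAWI~1\Temp\se.dll/spage.html
O1 - Hosts: 127.0.0.3 www.iframe.biz
O2 - BHO: (no name) - {AC2DB7B9-BBCB-47F5-B2D2-4C8D0CE9496D} - D:\WINDOWS\System32\aioc.dll (file missing)
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\ANIAR~1.RES\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O18 - Filter: text/html - {4B489322-664B-48EA-8674-A50081292E78} - D:\WINDOWS\System32\aioc.dll
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)
DRIVE_ROOT_EXE_RE = re.compile(r'^[a-z]:\\[^\\"]+\.exe$', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    line: str


def parse_entries(text):
    """Return (code, body, line) for every HijackThis entry line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def _reason(code, body):
    """Why a reviewer would tick this entry for removal, or None if it looks benign.
    These rules are this example's assumptions, not HijackThis logic."""
    if code in ("R0", "R1"):
        value = body.partition(" = ")[2]
        if IP_URL_RE.search(value):
            return "IE start/search page hijacked to a bare IP address"
        if TEMP_PATH_RE.search(value):
            return "IE setting loads content from a Temp directory"
    elif code == "O1":
        # Any hosts line beyond the implicit localhost one deserves a look; the
        # 127.0.0.3 mappings in the posted log silently blackhole a list of domains.
        host = body.split()[-1]
        if host.lower() != "localhost":
            return "hosts file overrides resolution of " + host
    elif code in ("O2", "O3", "O9"):
        if "(file missing)" in body or "(no name)" in body:
            return "orphaned or unnamed browser add-on"
    elif code == "O4":
        cmd = body.split("] ", 1)[-1]
        if "\\" not in cmd:
            return "Run entry with a bare file name (resolved via PATH search)"
        if TEMP_PATH_RE.search(cmd):
            return "Run entry executes something from a Temp directory"
        if DRIVE_ROOT_EXE_RE.match(cmd.strip('"')):
            return "Run entry points at an executable in a drive root"
    elif code == "O15":
        return "site or IP added to IE's Trusted sites zone (relaxed security)"
    elif code == "O18":
        return "MIME filter intercepts every page of that content type"
    elif code == "O20":
        return "DLL loaded into winlogon.exe at logon"
    return None


def triage(text):
    """Return a Finding for every entry that matches a removal rule."""
    findings = []
    for code, body, line in parse_entries(text):
        reason = _reason(code, body)
        if reason:
            findings.append(Finding(code, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

Run it as a script to print the findings for the embedded sample. The rules deliberately say nothing about O23 services: avast! legitimately shows "Unknown owner" here, so services have to be checked by hand against the vendor path rather than by pattern.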
Replies: 15
Bobi:
Update: I think this time you are mistaken, Żółty. That little program is a desktop beautifier, but that blue screen comes from the fake Spyware Sheriff wallpaper.
:oops: Sorry for causing confusion.
my desktop is back to normal now, thank you very much for the help :D
Delete from the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System, the value Wallpaper
Look for the file C:\WINDOWS\svchost.exe
Why do I have to be the one asking whether everything is OK on your end?
it's just blue, earlier there was some message but I removed it somehow
alma18: the desktop isn't OK because it's entirely navy blue, but the remaining files I managed to delete
I'm not certain about the desktop, but it seems to me that what's responsible for the problems with it is:
D:\PROGRA~1\Webshots\webshots.scr
Bobi, correct me if I'm wrong :)
In that case fine; do you have any other symptoms of infection?
Is the desktop OK?
Did you delete all the files listed, did you find them all?
I installed that Registrar Lite and I have everything there, only there's no EXPLORER folder, there's only Hardware, Sam, Security, Software, System.
Look carefully for the first one, or download Registrar Lite and paste the path to the key into it; it will take you to it automatically.
In the key from the screenshot delete: ClassicShell, ForceActiveDesktopOn, NoActiveDesktop
I can't find the first one, and for the second one I have something like this:
Use the EDIT option if you want to add something to your post.
End the process:
MediaGateway.exe
Delete:
R3 - Default URLSearchHook is missing
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - D:\Program Files\Starware\bin\Starware.dll (file missing)
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\System32\popcorn64.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Media Gateway] D:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [_Cat2] D:\WINDOWS\nmstt.exe
O4 - HKLM\..\Run: [_Cat3] D:\WINDOWS\msmsgrxp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
I have four more remarks:
1. If while deleting you get a message that the file is in use etc., repeat the same thing, but in Safe Mode
2. If you can't find one of the files/folders on the disk, first turn on showing hidden and system files; if it still doesn't work, use Killbox.
3. I hope you took the removal of Haxdoor seriously; it leaves a pile of other files and creates hidden services. The removal procedure has been gone through several times on the forum, the files it creates were listed, and a fix was given.
4. Export two more keys from your registry for me:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
MY LOG AFTER I DELETED WHAT I COULD
Logfile of HijackThis v1.99.1
Scan saved at 08:56:32, on 2005-07-11
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Media Gateway\MediaGateway.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Webshots\webshots.scr
D:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Tlen.pl\tlen.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Winamp\Winamp.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\DOROTA~1\USTAWI~1\Temp\Rar$EX00.594\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - D:\Program Files\Starware\bin\Starware.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\System32\popcorn64.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Media Gateway] D:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [_Cat2] D:\WINDOWS\nmstt.exe
O4 - HKLM\..\Run: [_Cat3] D:\WINDOWS\msmsgrxp.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Registry Cleaner] "D:\Program Files\Registry Cleaner Trial\regclean.exe"
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Dzieńdobry!] D:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto
O4 - Startup: PopTray.lnk = D:\Program Files\PopTray\PopTray.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Action Manager 32.lnk = D:\Program Files\ScannerU\AM32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - D:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - D:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
Logfile of HijackThis v1.99.1
Scan saved at 08:56:32, on 2005-07-11
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Media Gateway\MediaGateway.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Webshots\webshots.scr
D:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Tlen.pl\tlen.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Winamp\Winamp.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\DOROTA~1\USTAWI~1\Temp\Rar$EX00.594\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - D:\Program Files\Starware\bin\Starware.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\System32\popcorn64.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Media Gateway] D:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [_Cat2] D:\WINDOWS\nmstt.exe
O4 - HKLM\..\Run: [_Cat3] D:\WINDOWS\msmsgrxp.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Registry Cleaner] "D:\Program Files\Registry Cleaner Trial\regclean.exe"
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Dzieńdobry!] D:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto
O4 - Startup: PopTray.lnk = D:\Program Files\PopTray\PopTray.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Action Manager 32.lnk = D:\Program Files\ScannerU\AM32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - D:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - D:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
WHERE SHOULD I LOOK FOR THESE FILES:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\DOROTA~1\USTAWI~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\ANIAR~1.RES\USTAWI~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
Whoa... good grief, junk everywhere, I don't know how you're going to dig yourself out of this.
1. Disable System Restore
2. Download SpSeHjfix112 and KillTrusted
3. Boot the system in Safe Mode
4. Unpack and run the downloaded programs
5. Empty Temp
6. Delete the highlighted files/folders from the disk, tick the entries and do the standard FIX CHECKED:
D:\WINDOWS\System32\newdial1.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\DOROTA~1\USTAWI~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\ANIAR~1.RES\USTAWI~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {AC2DB7B9-BBCB-47F5-B2D2-4C8D0CE9496D} - D:\WINDOWS\System32\aioc.dll (file missing)
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - D:\Program Files\Starware\bin\Starware.dll (file missing)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - D:\Program Files\YourSiteBar\ysb.dll (file missing)
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - D:\Program Files\Starware\bin\Starware.dll (file missing)
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - D:\Program Files\RXToolBar\RXToolBar.dll (file missing)
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [sp] rundll32 D:\DOCUME~1\ANIAR~1.RES\USTAWI~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [CMESys] "D:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\System32\popcorn64.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [sys4232] D:\WINDOWS\sys4232.exe
O4 - HKLM\..\Run: [_Cat2] D:\WINDOWS\nmstt.exe
O4 - HKLM\..\Run: [_Cat3] D:\WINDOWS\msmsgrxp.exe
O4 - HKCU\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [sys4232] D:\WINDOWS\sys4232.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414YYPL
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - D:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O18 - Filter: text/html - {4B489322-664B-48EA-8674-A50081292E78} - D:\WINDOWS\System32\aioc.dll
O18 - Filter: text/plain - {4B489322-664B-48EA-8674-A50081292E78} - D:\WINDOWS\System32\aioc.dll
These entries should disappear after using KillTrusted, but just in case, remove them:
Backdoor.Haxdoor.D
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
The removal instructions have been posted on the forum many times; enter the name of the bolded library as the keyword in the search box and select searching for all words.
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
Start >> Run >> regedit
Go to the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks and delete the string given above from there.
After all these steps, be sure to post a new log.
I may have missed something, but there is so much of it that it's easy to slip up; if not now, it will come out next time.