LOG TO CHECK
Logfile of HijackThis v1.99.1
Scan saved at 14:10:19, on 2005-07-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\NormanNEW\bin\ZANDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\NormanNEW\bin\NJEEVES.EXE
C:\NORMANNEW\Nvc\BIN\nvcoas.exe
C:\NORMANNEW\Nvc\BIN\NVCSCHED.EXE
C:\NORMANNEW\Nvc\BIN\nipsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\NormanNEW\bin\ZLH.EXE
C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\mszx23.exe
C:\Program Files\reor\hcos.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\NormanNEW\Nvc\BIN\NIP.EXE
C:\NormanNEW\Nvc\bin\cclaw.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tomek\Ustawienia lokalne\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = x-net.gliwice.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F3 - REG:win.ini: load=C:\YDPDict\watch.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA6FDAB3-1057-47F6-5DC7-49A1EF963EC9} - C:\WINDOWS\System32\wasgdotq.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norman ZANDA] C:\NormanNEW\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [Tsrs] C:\Program Files\reor\hcos.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Okhtht] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Anty_16BitNT Automatyczna Ochrona] C:\WINDOWS\Anty_16BitNT.exe AO
O4 - Global Startup: ProChat Startup.lnk = C:\Program Files\ProChat\prochat.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4011D48B-20A4-446C-936C-19E3BAC80857} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4011D48B-20A4-446C-936C-19E3BAC80857} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120666503698
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMANNEW\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\NormanNEW\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\NormanNEW\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMANNEW\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMANNEW\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Replies: 1
Disable System Restore and remove:
C:\WINDOWS\system32\mszx23.exe
C:\Program Files\reor\hcos.exe
C:\WINDOWS\System32\w?nlogon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
O2 - BHO: (no name) - {AA6FDAB3-1057-47F6-5DC7-49A1EF963EC9} - C:\WINDOWS\System32\wasgdotq.dll
O4 - HKCU\..\Run: [Tsrs] C:\Program Files\reor\hcos.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Okhtht] C:\WINDOWS\System32\w?nlogon.exe
Now, go to the system32 folder. You will find two winlogons side by side; check the properties of both and delete the one that does NOT have Microsoft as the company.
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4011D48B-20A4-446C-936C-19E3BAC80857} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4011D48B-20A4-446C-936C-19E3BAC80857} - (no file) (HKCU)
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
The first process and the last entry come from Haxdoor.
The removal is fairly complicated, because there is a bit of hidden junk.
I won't repeat myself, so type the word drct16 into the forum search.
You'll find the solution there: the files to delete and the fix.
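The reply above picks the bad entries out of the log by eye. As an added example (not part of the thread, and not a feature of HijackThis), the script below applies the same indicator classes automatically to log lines in the v1.99 format: R0/R1 browser pages pointing at a raw IP, an O2 BHO with no name, O4 Run entries whose target either borrows a core system binary's name outside its real directory (the C:\WINDOWS\svchost.exe entry) or differs from one by a single character (the w?nlogon.exe entry), every O15 Trusted Zone / Trusted IP range entry, and every O20 Winlogon Notify DLL. The SAMPLE_LOG excerpt is constructed from the log above, and the EXPECTED_DIR table and the one-character lookalike rule are this example's own heuristics, not an authoritative allow-list; entries like the hcos.exe Run key need human judgement and are deliberately not flagged.

```python
"""Triage a HijackThis v1.99-format log for the indicator classes discussed in the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION (this example's own table, not from HijackThis): where Windows XP
# keeps the core system binaries whose names malware likes to borrow.
# Directories are compared case-insensitively.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed excerpt modelled on the log in the thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA6FDAB3-1057-47F6-5DC7-49A1EF963EC9} - C:\WINDOWS\System32\wasgdotq.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [Tsrs] C:\Program Files\reor\hcos.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Okhtht] C:\WINDOWS\System32\w?nlogon.exe
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code such as "O4"
    reason: str
    line: str


# A drive-letter path up to the first executable/library extension; tolerates
# surrounding quotes and trailing arguments such as -atboottime.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|scr|com|bat))\b', re.IGNORECASE)
_URL_HOST_RE = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)


def extract_path(text: str) -> Optional[str]:
    m = _PATH_RE.search(text)
    return m.group(1) if m else None


def lookalike_of(name: str) -> Optional[str]:
    """Return the system binary that `name` differs from by exactly one character."""
    for real in EXPECTED_DIR:
        if len(real) == len(name) and sum(a != b for a, b in zip(real, name)) == 1:
            return real
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        section, _, body = line.partition(" - ")
        if section in ("R0", "R1"):
            m = _URL_HOST_RE.search(body)
            if m:
                try:
                    ipaddress.ip_address(m.group(1))
                except ValueError:
                    pass  # a hostname, not an IP literal
                else:
                    findings.append(Finding(section, f"browser page setting points at a raw IP ({m.group(1)})", line))
        elif section == "O2" and "(no name)" in body:
            findings.append(Finding(section, "BHO with no name", line))
        elif section == "O4":
            path = extract_path(body)
            if path is None:
                continue
            directory, _, name = path.lower().rpartition("\\")
            if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
                findings.append(Finding(section, f"{name} outside its expected directory {EXPECTED_DIR[name]}", line))
            else:
                real = lookalike_of(name)
                if real is not None:
                    findings.append(Finding(section, f"lookalike of {real}", line))
        elif section == "O15":
            findings.append(Finding(section, "IE Trusted Zone entry", line))
        elif section == "O20":
            findings.append(Finding(section, "Winlogon Notify DLL loads into winlogon.exe at logon; verify its publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the excerpt it reports seven findings, one per entry the reply tells the poster to remove in those classes. The lookalike rule is intentionally narrow (same length, one differing character) so that it catches the substituted-character trick without flagging every short file name; a real triage would add the file-properties check the reply describes (company name, and a signature check where available), which a log line alone cannot give.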