Please check my log !!
Logfile of HijackThis v1.99.1
Scan saved at 13:11:22, on 2005-05-20
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\kernels32.exe
D:\WINDOWS\System32\fdecx10n.exe
D:\WINDOWS\System32\eudrdsvr.exe
D:\Documents and Settings\Remik\Dane aplikacji\arni.exe
D:\WINDOWS\System32\win32.exe
D:\WINDOWS\System32\??rss.exe
D:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\vxh8jkdq6.exe
D:\WINDOWS\System32\vxh8jkdq6.exe
D:\DOCUME~1\Remik\USTAWI~1\Temp\xwxload.exe
D:\WINDOWS\System32\Services\{95A9AF33-CBB3-4CAB-B9EF-CF84DB5F6C2D}\SVCHOST.EXE
D:\DOCUME~1\Remik\USTAWI~1\Temp\msldf.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\vxgame3.exe
D:\Documents and Settings\Remik\Pulpit\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {A66AF09C-1655-41D8-5DB3-40A19D923CE2} - D:\WINDOWS\System32\umsumrn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [System] D:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] D:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [qn3i36O] fdecx10n.exe
O4 - HKLM\..\Run: [Service Host] D:\WINDOWS\System32\Services\{95A9AF33-CBB3-4CAB-B9EF-CF84DB5F6C2D}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [SystemTools] D:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [System] D:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [bCssRWimi] eudrdsvr.exe
O4 - HKCU\..\Run: [Taos] D:\Documents and Settings\Remik\Dane aplikacji\arni.exe
O4 - HKCU\..\Run: [wupd] D:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Mdrjz] D:\WINDOWS\System32\??rss.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = D:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Watch.lnk = D:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114335506121
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4600
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: System - {A536C236-4EA3-42DA-86B2-81E510EE9AC4} - vr_sys.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
Please check my log, because it seems to me that something is sitting in the computer: everything freezes, I lost my desktop background and when I try to change it the option is greyed out and cannot be used, and when I press Ctrl-Alt-Delete it says the Task Manager has been disabled by the administrator, although I did not disable anything. Thanks in advance !!
Replies: 3
You still have Haxdoor in the log, deal with it thoroughly.
As for the blocked wallpaper change: in the registry editor (Start >> Run >> regedit), in the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System, delete the Wallpaper value.
Logfile of HijackThis v1.99.1
Scan saved at 14:37:17, on 2005-05-20
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Remik\Pulpit\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = D:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Watch.lnk = D:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114335506121
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
Everything seems to be OK now, but I still cannot change the desktop background, it is still greyed out :( :(
Disable System Restore.
Read http://forum.centrumxp.pl/viewtopic.php?t=34271 to unblock the Task Manager.
End the processes:
kernels32.exe
fdecx10n.exe
eudrdsvr.exe
arni.exe
win32.exe
??rss.exe (same situation here)
vxh8jkdq6.exe
vxh8jkdq6.exe
xwxload.exe
SVCHOST.EXE (started by the user, not by the system)
msldf.exe
rundll32.exe
vxgame3.exe
Get rid of the bolded files/folders and the entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\System32\kernels32.exe
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {A66AF09C-1655-41D8-5DB3-40A19D923CE2} - D:\WINDOWS\System32\umsumrn.dll
O4 - HKLM\..\Run: [System] D:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] D:\WINDOWS\System\svchost.exe /s
Remember the location.
O4 - HKLM\..\Run: [qn3i36O] fdecx10n.exe
O4 - HKLM\..\Run: [Service Host] D:\WINDOWS\System32\Services\{95A9AF33-CBB3-4CAB-B9EF-CF84DB5F6C2D}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [SystemTools] D:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [System] D:\WINDOWS\svchost.exe
Also remember the path.
O4 - HKCU\..\Run: [bCssRWimi] eudrdsvr.exe
O4 - HKCU\..\Run: [Taos] D:\Documents and Settings\Remik\Dane aplikacji\arni.exe
O4 - HKCU\..\Run: [wupd] D:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Mdrjz] D:\WINDOWS\System32\??rss.exe
When removing these, refer to the thread I linked at the top.
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
If they come back, use the KillTrusted program.
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4600
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
Backdoor.Haxdoor.D, more in this thread >> http://forum.centrumxp.pl/viewtopic.php?t=34123
O21 - SSODL: System - {A536C236-4EA3-42DA-86B2-81E510EE9AC4} - vr_sys.dll (file missing)
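As an added defender-side example (not code from this thread, nor from HijackThis), the script below parses lines in the HijackThis log format shown above and flags the kinds of entries the reply singles out: an F2 Shell= entry chaining a second executable onto Explorer, O4 autostarts by bare filename, from Temp/profile/GUID directories or via a svchost.exe outside System32, O15 Trusted Zone additions, O20 Winlogon Notify DLLs, and R0/R1 pages pointing at a raw IP. The sample lines and the heuristics are constructed for illustration; a hit means "review this entry", not a verdict.

```python
import re
from ipaddress import ip_address

# Constructed sample lines in the HijackThis 1.99.1 format used in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [qn3i36O] fdecx10n.exe
O4 - HKLM\..\Run: [WindowsUpdate] D:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [Taos] D:\Documents and Settings\Remik\Dane aplikacji\arni.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Directory fragments (lower-case) from which a legitimate autostart rarely launches;
# "Dane aplikacji" is the Polish-locale name of Application Data, as in the logs above.
SUSPECT_DIRS = ("\\temp\\", "\\dane aplikacji\\", "\\application data\\", "\\services\\{")

def first_token(command):
    """Executable of a command: the quoted string, else the text up to the first .exe/.dll.
    HijackThis prints unquoted paths containing spaces, so splitting on whitespace is not enough."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr))\b", command, re.IGNORECASE)
    return m.group(1) if m else (command.split()[0] if command else "")

def o4_command(body):
    """Strip the 'HKLM\\..\\Run: [Name] ' prefix of an O4 entry, leaving the command."""
    m = re.match(r".*?\[[^\]]*\]\s*(.*)$", body)
    return m.group(1) if m else body

def url_host_is_ip(url):
    host = re.sub(r"^[a-z]+://", "", url).split("/")[0]
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def triage_line(line):
    """Return a reason string if the entry matches a heuristic, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "F2" and "shell=" in body.lower():
        if body.lower().split("shell=", 1)[1].split() != ["explorer.exe"]:
            return "F2: extra executable chained onto the Explorer shell"
    elif kind == "O4":
        cmd = o4_command(body)
        exe = first_token(cmd)
        if exe.lower() == "rundll32.exe":          # system launcher: inspect the DLL it loads
            exe = first_token(cmd[len(exe):])
        low = exe.lower()
        if "\\" not in low:
            return "O4: autostart by bare filename, no path"
        if any(d in low for d in SUSPECT_DIRS):
            return "O4: autostart from temp/profile/GUID directory"
        if low.endswith("\\svchost.exe") and "\\system32\\" not in low:
            return "O4: svchost.exe outside System32"
    elif kind == "O15":
        return "O15: site or IP added to the IE Trusted Zone"
    elif kind == "O20":
        return "O20: Winlogon Notify DLL (verify vendor)"
    elif kind in ("R0", "R1"):
        url = body.split("=", 1)[1].strip() if "=" in body else ""
        if url and url_host_is_ip(url):
            return "R0/R1: IE start/default page points at a raw IP"
    return None

def triage(log_text):
    """Run every line through triage_line; return (reason, line) hits in log order."""
    return [(r, ln.strip()) for ln in log_text.splitlines() if (r := triage_line(ln))]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```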