Please check my log

Logfile of HijackThis v1.99.1
Scan saved at 21:17:37, on 2005-04-29
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\dev32.exe
D:\WINDOWS\System32\ahtun.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Win9x.exe
D:\WINDOWS\System32\combo.exe
D:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Remik\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Remik\USTAWI~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CIEExtension Object - {B51DC573-E998-4834-9B45-BAB7C2AE0A75} - D:\Program Files\Ad-Protect\ADPIEmonitor.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [atipatxx] D:\WINDOWS\System32\atipatxx.exe
O4 - HKLM\..\Run: [Windows Network Controller] Win9x.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\RunServices: [atipatxx] D:\WINDOWS\System32\atipatxx.exe
O4 - HKLM\..\RunServices: [Windows Network Controller] Win9x.exe
O4 - HKLM\..\RunOnce: [Windows Network Controller] Win9x.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [atipatxx] D:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [Windows Network Controller] Win9x.exe
O4 - HKCU\..\RunOnce: [Windows Network Controller] Win9x.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = D:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Watch.lnk = D:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114335506121
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: ntfs32 - D:\WINDOWS\SYSTEM32\ntfs32.dll
O21 - SSODL: Web Event Logger - {7CFBACFF-EE01-1231-ABDD-416592E5D639} - D:\WINDOWS\System32\Pllinknj.dll (file missing)
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - D:\WINDOWS\System32\dev32.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - D:\WINDOWS\System32\ahtun.exe

Replies: 3

Of the bigger items we still have:
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
O4 - HKLM\..\RunServices: [atipatxx] D:\WINDOWS\System32\atipatxx.exe

With Haxdoor we also have hidden services and files.
Among the files you need to look for:
w32tm.exe
drct16.dll
cz.dll
vdmt16.sys
hz.dll
winlow.sys
wz.dll
p2.ini
And of course delete them; enable showing system and hidden files under Folder Options.
Download THIS fix and merge it into the registry, but only after you have deleted the files.

Small-ED, on the other hand, leaves some junk in the registry besides the file. Launch regedit, go to the HKEY_USERS hive and search (CTRL+F) for "atipatxx.exe". Delete everything it finds.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php

I don't know whether you just forgot to tick and remove them, or whether paytime is really still sitting there.
Delete paytime.exe and additionally look for systime.exe.

There is also this junk:
R3 - Default URLSearchHook is missing
O2 - BHO: CIEExtension Object - {B51DC573-E998-4834-9B45-BAB7C2AE0A75} - D:\Program Files\Ad-Protect\ADPIEmonitor.dll (file missing)

You left Yahoo, so I take it you use it??
Bobi
Posted
30.04.2005 10:18:42
Logfile of HijackThis v1.99.1
Scan saved at 23:36:13, on 2005-04-29
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Remik\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CIEExtension Object - {B51DC573-E998-4834-9B45-BAB7C2AE0A75} - D:\Program Files\Ad-Protect\ADPIEmonitor.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\RunServices: [atipatxx] D:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = D:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Watch.lnk = D:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114335506121
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll



The computer runs faster and boots quickly; the only thing I can't deal with is this
D:\WINDOWS\SYSTEM32\drct16.dll
I can't delete it :(
Thank you very, very much for the express, professional help
:D
Izabela
Posted
30.04.2005 01:45:11
It's a massacre :?
1. Turn off System Restore
2. Boot the system into Safe Mode
3. Empty Temp
4. Delete the bolded files from disk and FIX the entries in HijackThis.

Troj/Small-ED:
O4 - HKLM\..\Run: [atipatxx] D:\WINDOWS\System32\atipatxx.exe
O4 - HKLM\..\RunServices: [atipatxx] D:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [atipatxx] D:\WINDOWS\System32\atipatxx.exe


Trojan CWS paytime:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
O4 - HKLM\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe


se.dll:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Remik\USTAWI~1\Temp\se.dll/spage.html

And here's a surprise, because we have a new version that hides itself rather well.
Download SpSeHjfix112 and Startdreck
From the latter I'm interested in the Run keys and Running processes options

Check in the registry what you have in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, in the AppInit_DLLs value

Worm.Ogid:
O4 - HKLM\..\Run: [combo.exe] combo.exe


Yahoo, if you didn't install it yourself, uninstall it and get rid of:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll


Backdoor.Haxdoor.D:
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll

More about it HERE

Win32.Agent.JB:
O20 - Winlogon Notify: ntfs32 - D:\WINDOWS\SYSTEM32\ntfs32.dll


Fake services:
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - D:\WINDOWS\System32\dev32.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - D:\WINDOWS\System32\ahtun.exe

Stop both in services.msc
Then in HijackThis, Config >> Misc Tools >> Delete an NT service
Enter: FreeBSD, confirm
Then: LAGOS, and confirm as well
Delete the files after rebooting the system.

Various other junk:
R3 - Default URLSearchHook is missing
O2 - BHO: CIEExtension Object - {B51DC573-E998-4834-9B45-BAB7C2AE0A75} - D:\Program Files\Ad-Protect\ADPIEmonitor.dll (file missing)
O21 - SSODL: Web Event Logger - {7CFBACFF-EE01-1231-ABDD-416592E5D639} - D:\WINDOWS\System32\Pllinknj.dll (file missing)


WORM_WOOTBOT.I:
O4 - HKLM\..\Run: [Windows Network Controller] Win9x.exe
O4 - HKLM\..\RunServices: [Windows Network Controller] Win9x.exe
O4 - HKLM\..\RunOnce: [Windows Network Controller] Win9x.exe
O4 - HKCU\..\Run: [Windows Network Controller] Win9x.exe
O4 - HKCU\..\RunOnce: [Windows Network Controller] Win9x.exe


I want to see a new log to check.
Install an antivirus and patch the system through Windows Update.
Bobi
Posted
30.04.2005 00:18:47
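As an added example, not code from this thread or from HijackThis itself, a small Python triage script that parses HijackThis 1.99 log lines and flags the patterns Bobi's reply points at: IE start pages set to a raw IP address, a search bar served from a DLL under Temp, autostarts by bare filename or through the legacy RunServices key, Winlogon Notify DLLs, and services with an unknown owner. The sample log is constructed from the entries in this thread; the flag rules are my own and only narrow down what a human should review.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99 line format, modelled on the entries in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Remik\USTAWI~1\Temp\se.dll/spage.html
O4 - HKLM\..\Run: [Windows Network Controller] Win9x.exe
O4 - HKLM\..\RunServices: [atipatxx] D:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: drct16 - D:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - D:\WINDOWS\System32\dev32.exe
"""
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

def _is_raw_ip(url):  # host of the URL is a literal IP address, not a DNS name
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def _o4_image(target):  # executable path from an O4 value: the quoted path, or the first token
    return target[1:].split('"', 1)[0] if target.startswith('"') else target.split(" ", 1)[0]

def triage(log):  # returns (kind, reason, line) for every entry that trips a red flag
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = " in body:  # IE start/search page settings
            value = body.split(" = ", 1)[1]
            if value.startswith("http") and _is_raw_ip(value):
                findings.append((kind, "IE page set to a raw IP address", line))
            elif value.lower().startswith("res://") and "\\temp\\" in value.lower():
                findings.append((kind, "search bar served from a DLL in a Temp folder", line))
        elif kind == "O4" and "] " in body:  # registry Run-style autostart entries
            key, _, target = body.partition(": [")
            image = _o4_image(target.split("] ", 1)[1])
            if "RunServices" in key:
                findings.append((kind, "autostart via the legacy RunServices key", line))
            elif "\\" not in image:
                findings.append((kind, "autostart by bare filename, no full path", line))
        elif kind == "O20":  # DLLs loaded into winlogon.exe at logon
            findings.append((kind, "Winlogon Notify DLL", line))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append((kind, "service with no registered owner", line))
    return findings
```

Run `triage(open("hijackthis.log").read())` on a real log to get the same tuples; legitimate software can trip the O20 and bare-filename rules, so each hit is a review item, not a verdict.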
Izabela
Posted:
29.04.2005 23:22:08