Some kind of trojan
I have a problem: this window popped up instead of my wallpaper:
A fatal error in IE has occured at 0028:c0011e36 in VXD VMM + 00010E36>Error was caused by trojan-Spy. HTML.Smitfraud.c
*System can not function in normal mode.Please chceck yuo security settings.
*Scan your PC with abalible antiwirus/spyware remover program to fix the problem
Here is the log, in case it helps:
Logfile of HijackThis v1.99.1
Scan saved at 16:36:35, on 2005-04-15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
D:\WINDOWS.000\System32\smss.exe
D:\WINDOWS.000\SYSTEM32\winlogon.exe
D:\WINDOWS.000\system32\services.exe
D:\WINDOWS.000\system32\lsass.exe
D:\WINDOWS.000\system32\svchost.exe
D:\WINDOWS.000\System32\svchost.exe
D:\WINDOWS.000\Explorer.EXE
D:\WINDOWS.000\system32\spoolsv.exe
D:\Program Files\MKS\Bin\NetMonSV.exe
D:\Program Files\MKS\Bin\mksmonsv.exe
D:\WINDOWS.000\System32\nvsvc32.exe
D:\WINDOWS.000\System32\helper.exe
C:\program files\powerstrip\pstrip.exe
D:\WINDOWS.000\System32\intmonp.exe
D:\Program Files\MKS\Bin\mks_menu.exe
D:\Program Files\MKS\Bin\ABregmon.exe
D:\WINDOWS.000\System32\ctfmon.exe
C:\wp.exe
D:\Program Files\Kazaa Lite Rewolucja\kazaalite.kpp
D:\Program Files\D-Link AirPlus\AirPlus.exe
D:\Program Files\NetPanel\NetPanel.exe
D:\Program Files\MKS\Bin\mks_scan.exe
D:\WINDOWS.000\System32\msiexec.exe
D:\WINDOWS.000\popuper.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Klonowscy\Moje dokumenty\ściągnięte\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmaid.com/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: IE 4.x-5.x BHO in ObjectPascal - {49E0E0F0-5C30-11D4-945D-000000000000} - D:\PROGRA~1\MarBit\TOOLS\IEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - D:\Program Files\NetPanel\IEHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS.000\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS.000\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS.000\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Security iGuard] D:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS.000\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MKS_MENU] D:\Program Files\MKS\Bin\mks_menu.exe
O4 - HKLM\..\Run: [ABREGMON] D:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKLM\..\Run: [NetPanel] "D:\Program Files\NetPanel\Starter.exe" /path="D:\Program Files\NetPanel"
O4 - HKLM\..\Run: [KAZAA] "D:\Program Files\Kazaa Lite Rewolucja\kpp.exe" "D:\Program Files\Kazaa Lite Rewolucja\kazaalite.kpp" /SYSTRAY
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS.000\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Startup: Spolszczenie - Auto Update.lnk = D:\Program Files\ICQLite\icq_5.03_build_2315_pl.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with Internet TOOLS - D:\Program Files\MarBit\TOOLS\MBdownload.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c293.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8626DFA9-2BAC-4BDA-8663-8DAA0F942C0D} - http://megapanel.gem.pl/temp/netp/0892/1719/8286/3400/5_0892171982863400.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GINSOCCER Class) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_8.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_21.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7134E7CE-00E2-4488-9531-1AA8F98676EA}: NameServer = 213.199.225.10,213.199.225.14
O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - D:\Program Files\MKS\Bin\NetMonSV.exe
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - D:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - D:\Program Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown owner - D:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS.000\System32\nvsvc32.exe
Please help. I scanned it with Ad-Aware SE.
Replies: 20
Peter_l - you think it over too
It's right there in black and white (granted, the post was edited after a remark by PM): CURRENT_USER is already shown.
The values are deleted, so what's the problem??
I think you made your quote before the asker edited the post and only sent it now.
I remind you that this was around 8:00-9:00 in the morning :P
klonpiotr: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Dude, think. It's supposed to be "HKEY_CURRENT_USER", not "HKEY_LOCAL_MACHINE" :!: :!: :!: :!: :!: :!: :!: :!:
Finally did it. Sorry for the hassle. Oh, and I also had to remove the Virtual Maid toolbar, because it kept turning that page back on. Cheers and thanks.
klonpiotr: OK, it runs now. But there's still something sitting in there.
It's sitting there and will keep sitting there until you get rid of the junk and start reading what is written to you.
End the process:
msole32.exe
Delete from disk:
msole32.exe
msmsgs.exe (this one will be somewhere in Windows or Windows\system32)
FIX:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchmaid.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchmaid.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmaid.com/bar/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmaid.com/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaid.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchmaid.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchmaid.com/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmaid.com/bar/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmaid.com/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaid.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmaid.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaid.com/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmaid.com/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaid.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmaid.com/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchmaid.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchmaid.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
Do you know this page:
O16 - DPF: {8626DFA9-2BAC-4BDA-8663-8DAA0F942C0D} - http://megapanel.gem.pl/temp/netp/0892/1719/8286/3400/5_0892171982863400.ocx
If not, the control goes.
I repeat my suggestion to uninstall that junk Kazaa, because it's what brought in Worm.P2P.Sambud.
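To make the FIX list above repeatable on the next log the poster pastes, here is an added example (this reviewer's code, not part of the thread and not HijackThis' own) that reads a HijackThis 1.99 log offline and flags the four entry classes Peter_l singles out: R0/R1 settings that point at searchmaid.com, an F2 Shell= line with anything chained after explorer.exe, an O4 autorun whose target sits in a drive root like c:\wp.exe, and O16 ActiveX controls that have no friendly name or are served from a bare IP. The hijack-host list and the bare-IP rule are assumptions taken from this thread, not a published signature set; the sample lines are copied from the first log above.

```python
"""Offline triage of a HijackThis 1.99 log: flag the entry classes the reply
above says to FIX.  Added example; the heuristics are inferred from this
thread (an assumption), not a published ruleset."""
import re
from urllib.parse import urlparse

# Host the R0/R1 entries in the log were hijacked to.
HIJACK_HOSTS = {"searchmaid.com"}
# The only program that belongs on system.ini's Shell= line on Windows XP.
LEGIT_SHELL = {"explorer.exe"}
# An autorun target sitting directly in a drive root, e.g. c:\wp.exe.
ROOT_EXE = re.compile(r'^"?[a-z]:\\[^\\]+\.exe"?', re.IGNORECASE)
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _host(url):
    """Hostname of a URL, lower-cased and without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def triage_line(line):
    """Return why a HijackThis line should be fixed, or None if it looks fine."""
    kind, _, rest = line.strip().partition(" - ")
    if kind in ("R0", "R1", "R3"):
        value = rest.partition(" = ")[2].strip()
        if _host(value) in HIJACK_HOSTS:
            return "IE start/search setting points at a known hijacker"
    elif kind == "F2" and "Shell=" in rest:
        shells = [s.strip().lower() for s in rest.split("Shell=", 1)[1].split(",")]
        extra = [s for s in shells if s and s not in LEGIT_SHELL]
        if extra:
            return "extra executable chained onto the Windows shell: " + ", ".join(extra)
    elif kind == "O4":
        # "O4 - HKCU\..\Run: [Name] command" -> keep only the command part
        command = rest.partition(": ")[2].split("] ", 1)[-1]
        if ROOT_EXE.match(command):
            return "autorun of an executable dropped in a drive root"
    elif kind == "O16":
        # "O16 - DPF: {CLSID} (Friendly Name) - URL"; the name is optional
        m = re.match(r"DPF: \{[^}]+\}\s*(\([^)]*\))?\s*-\s*(\S+)", rest)
        if m and (not m.group(1) or IP_HOST.match(urlparse(m.group(2)).hostname or "")):
            return "ActiveX control with no friendly name or served from a bare IP"
    return None


def triage(log_text):
    """Return [(line, reason)] for every line of the log that needs fixing."""
    hits = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample: a handful of lines copied from the first log in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmaid.com/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS.000\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c293.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GINSOCCER Class) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_8.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS.000\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("FIX  %s\n     %s" % (line, reason))
```

Running it on the sample prints five FIX entries and leaves the NVIDIA autorun, the Microsoft-hosted WGA control and the service line alone. The O16 rule is deliberately loose: Peter_l's own criterion is "if you don't know the page, the control goes", so an unnamed control or one pulled from a raw IP is only a prompt to look, not proof of infection.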
OK, it runs now. But there's still something sitting in there.
Logfile of HijackThis v1.99.1
Scan saved at 09:26:28, on 2005-04-16
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
D:\WINDOWS.000\System32\smss.exe
D:\WINDOWS.000\SYSTEM32\winlogon.exe
D:\WINDOWS.000\system32\services.exe
D:\WINDOWS.000\system32\lsass.exe
D:\WINDOWS.000\system32\svchost.exe
D:\WINDOWS.000\System32\svchost.exe
D:\WINDOWS.000\Explorer.EXE
D:\WINDOWS.000\system32\spoolsv.exe
D:\Program Files\MKS\Bin\NetMonSV.exe
D:\Program Files\MKS\Bin\mksmonsv.exe
D:\WINDOWS.000\System32\nvsvc32.exe
D:\WINDOWS.000\System32\msole32.exe
C:\program files\powerstrip\pstrip.exe
D:\Program Files\MKS\Bin\mks_menu.exe
D:\Program Files\MKS\Bin\ABregmon.exe
D:\WINDOWS.000\System32\ctfmon.exe
D:\Program Files\D-Link AirPlus\AirPlus.exe
D:\Program Files\ICQLite\X_icq_5.03_build_2315_pl.exe
D:\Program Files\NetPanel\NetPanel.exe
D:\Program Files\MKS\Bin\mks_scan.exe
D:\WINDOWS.000\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Klonowscy\Moje dokumenty\ściągnięte\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchmaid.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchmaid.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmaid.com/bar/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmaid.com/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaid.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchmaid.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchmaid.com/search.php?qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmaid.com/bar/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmaid.com/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaid.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmaid.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaid.com/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmaid.com/search.php?qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaid.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmaid.com/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchmaid.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchmaid.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - D:\Program Files\NetPanel\IEHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS.000\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - D:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS.000\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS.000\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS.000\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MKS_MENU] D:\Program Files\MKS\Bin\mks_menu.exe
O4 - HKLM\..\Run: [ABREGMON] D:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKLM\..\Run: [NetPanel] "D:\Program Files\NetPanel\Starter.exe" /path="D:\Program Files\NetPanel"
O4 - HKLM\..\Run: [KAZAA] "D:\Program Files\Kazaa Lite Rewolucja\kpp.exe" "D:\Program Files\Kazaa Lite Rewolucja\kazaalite.kpp" /SYSTRAY
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS.000\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: Spolszczenie - Auto Update.lnk = D:\Program Files\ICQLite\icq_5.03_build_2315_pl.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8626DFA9-2BAC-4BDA-8663-8DAA0F942C0D} - http://megapanel.gem.pl/temp/netp/0892/1719/8286/3400/5_0892171982863400.ocx
O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GINSOCCER Class) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_8.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_21.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7134E7CE-00E2-4488-9531-1AA8F98676EA}: NameServer = 213.199.225.10,213.199.225.14
O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - D:\Program Files\MKS\Bin\NetMonSV.exe
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - D:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - D:\Program Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown owner - D:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS.000\System32\nvsvc32.exe
After the remarks by PM it finally worked.
From this key delete the values: NoDispBackgroundPage, NoDispAppearancePage, Wallpaper
Key Name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Class Name:
Last Write Time: 2005-04-15 - 12:29
Value 0
Name: WallpaperStyle
Type: REG_DWORD
Data: 0x0
Value 1
Name: NoDispBackgroundPage
Type: REG_DWORD
Data: 0x1
Value 2
Name: NoDispAppearancePage
Type: REG_DWORD
Data: 0x1
Value 3
Name: Wallpaper
Type: REG_SZ
Data: c:\wp.bmp
sorry
OK, slowly, because I can see that even if I wrote 20 posts in this thread you still wouldn't get it
You go step by step, opening the successive keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Now right-click on System and Export, type in some name
You now have a file; right-click it and Edit
Copy everything Notepad spits out and paste it into a post
It doesn't get easier than that
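An added example, not code from the thread or from any of its participants, that automates what the helper asks for: take the regedit text dump of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System that the user was told to export and paste, parse it, report the three values the helper named (NoDispBackgroundPage, NoDispAppearancePage, Wallpaper), and write out a .reg file that deletes them. The function names, the regex-based parser and the embedded sample dump (constructed from the values posted in this thread) are my own assumptions about the pasted format.

```python
# Added example: parse a regedit "print to text" dump of the Policies\System
# key as pasted in the thread, flag the wallpaper-hijack policy values the
# helper asked to remove, and build a .reg file that deletes them.
import re

# Key the helper asked to inspect (from the thread).
POLICIES_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Values the helper told the user to remove. The two NoDisp* policies hide the
# Background/Appearance tabs of Display Properties; a policy-set Wallpaper pins
# the fake "fatal error" bitmap as the desktop background.
HIJACK_VALUES = ("NoDispBackgroundPage", "NoDispAppearancePage", "Wallpaper")

# Constructed sample input: the dump of that key as posted in the thread
# (regedit's Polish text-export format, kept verbatim).
SAMPLE_DUMP = r"""
Nazwa klucza: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Nazwa klasy:
Czas ost. zapisu: 2005-04-15 - 12:29
Wartość 0
Nazwa: WallpaperStyle
Typ: REG_DWORD
Dane: 0x0
Wartość 1
Nazwa: NoDispBackgroundPage
Typ: REG_DWORD
Dane: 0x1
Wartość 2
Nazwa: NoDispAppearancePage
Typ: REG_DWORD
Dane: 0x1
Wartość 3
Nazwa: Wallpaper
Typ: REG_SZ
Dane: c:\wp.bmp
"""

KEY_RE = re.compile(r"^Nazwa klucza:\s*(.+)$")   # "Key name:"
NAME_RE = re.compile(r"^Nazwa:\s*(.*)$")         # "Name:"  (does not match "Nazwa klasy:")
TYPE_RE = re.compile(r"^Typ:\s*(\S+)$")          # "Type:"
DATA_RE = re.compile(r"^Dane:\s*(.*)$")          # "Data:"  (may be empty)


def parse_dump(text):
    """Return {key_path: {value_name: (reg_type, data_string)}} for a text dump."""
    keys = {}
    current = None
    name = typ = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group(1).strip()
            keys.setdefault(current, {})
            name = typ = None
        elif m := NAME_RE.match(line):
            name = m.group(1).strip()
        elif m := TYPE_RE.match(line):
            typ = m.group(1)
        elif (m := DATA_RE.match(line)) and current is not None and name is not None:
            keys[current][name] = (typ, m.group(1).strip())
            name = typ = None
    return keys


def _lookup_key(keys, path):
    # Registry key names are case-insensitive, so compare them that way.
    for k, v in keys.items():
        if k.lower() == path.lower():
            return v
    return {}


def find_hijack_values(keys, key_path=POLICIES_SYSTEM):
    """List (name, type, data) for each hijack value present under key_path.
    A REG_DWORD policy set to 0 imposes no restriction and is not reported."""
    by_lower = {n.lower(): (n, t, d) for n, (t, d) in _lookup_key(keys, key_path).items()}
    found = []
    for wanted in HIJACK_VALUES:
        hit = by_lower.get(wanted.lower())
        if hit is None:
            continue
        name, typ, data = hit
        if typ == "REG_DWORD" and int(data, 16) == 0:
            continue
        found.append((name, typ, data))
    return found


def build_fix_reg(findings, key_path=POLICIES_SYSTEM):
    """Build a .reg file that deletes the flagged values ("Name"=- is regedit's
    delete-value syntax). Returns '' when there is nothing to fix."""
    if not findings:
        return ""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key_path}]"]
    lines += [f'"{name}"=-' for name, _, _ in findings]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    findings = find_hijack_values(parse_dump(SAMPLE_DUMP))
    for name, typ, data in findings:
        print(f"{name:<22} {typ:<9} {data}")
    print(build_fix_reg(findings), end="")
```

Running it against the posted dump lists the two NoDisp* policies and the Wallpaper value pointing at c:\wp.bmp, and prints the .reg fix; importing that file in regedit (or double-clicking it) removes the three values so the Desktop tab comes back and the wallpaper can be changed again. WallpaperStyle is left alone, as the helper did.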
I don't get what this is about. If anything, write something I might understand. I have to shut down because my grandma is nagging me so much I can't stand it any more. "blah blah blah, only the computer............" She's killing me. I'll look at it again tomorrow.
klonpiotr: Nazwa klucza: HKEY_LOCAL_MACHINE...
Do you know where you went wrong again??
Nazwa klucza: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Nazwa klasy:
Czas ost. zapisu: 2005–02–08 – 16:10
Wartość 0
Nazwa: dontdisplaylastusername
Typ: REG_DWORD
Dane: 0x0
Wartość 1
Nazwa: legalnoticecaption
Typ: REG_SZ
Dane:
Wartość 2
Nazwa: legalnoticetext
Typ: REG_SZ
Dane:
Wartość 3
Nazwa: shutdownwithoutlogon
Typ: REG_DWORD
Dane: 0x1
Wartość 4
Nazwa: undockwithoutlogon
Typ: REG_DWORD
Dane: 0x1
Not any MRU, but this key here: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
I think this is what you mean
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="regsvr32 /HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\1"
"MRUList"="ba"
"b"="regedit\\1"
or this
Nazwa klucza: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Nazwa klasy:
Czas ost. zapisu: 2005–04–15 – 22:13
Wartość 0
Nazwa: a
Typ: REG_SZ
Dane: regsvr32 /HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\1
Wartość 1
Nazwa: MRUList
Typ: REG_SZ
Dane: ba
Wartość 2
Nazwa: b
Typ: REG_SZ
Dane: regedit\1
In the log you still have:
Besides, Kazaa is still sitting there, and with it you'll get this kind of junk day after day
Open regedit, go through the keys I gave you one by one, at the end right-click and Export
Save it, open the resulting file with Notepad and post its contents.
O4 – HKLM\..\Run: [Security iGuard] D:\Program Files\Security iGuard\Security iGuard.exe
O16 – DPF: {8626DFA9–2BAC–4BDA–8663–8DAA0F942C0D} – http://megapanel.gem.pl/temp/netp/0892/1719/8286/3400/5_0892171982863400.ocx
sorry but I don't get it. I'm not at that level. You mean I should give a log?? If so....
I'll post it
Logfile of HijackThis v1.99.1
Scan saved at 21:58:08, on 2005–04–15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
D:\WINDOWS.000\System32\smss.exe
D:\WINDOWS.000\SYSTEM32\winlogon.exe
D:\WINDOWS.000\system32\services.exe
D:\WINDOWS.000\system32\lsass.exe
D:\WINDOWS.000\system32\svchost.exe
D:\WINDOWS.000\System32\svchost.exe
D:\WINDOWS.000\Explorer.EXE
D:\WINDOWS.000\system32\spoolsv.exe
D:\Program Files\MKS\Bin\NetMonSV.exe
D:\Program Files\MKS\Bin\mksmonsv.exe
D:\WINDOWS.000\System32\nvsvc32.exe
D:\WINDOWS.000\System32\helper.exe
C:\program files\powerstrip\pstrip.exe
D:\Program Files\MKS\Bin\mks_menu.exe
D:\Program Files\MKS\Bin\ABregmon.exe
D:\WINDOWS.000\System32\ctfmon.exe
D:\Program Files\Kazaa Lite Rewolucja\kazaalite.kpp
D:\Program Files\D–Link AirPlus\AirPlus.exe
D:\Program Files\ICQLite\X_icq_5.03_build_2315_pl.exe
D:\Program Files\NetPanel\NetPanel.exe
D:\Program Files\MKS\Bin\mks_scan.exe
C:\Program Files\Gadu–Gadu\gg.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Klonowscy\Moje dokumenty\ściągnięte\hijackthis_199\HijackThis.exe
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 – URLSearchHook: ICQ Toolbar – {855F3B16–6D32–4fe6–8A56–BBB695989046} – D:\Program Files\ICQToolbar\toolbaru.dll
F2 – REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 – BHO: IE 4.x–5.x BHO in ObjectPascal – {49E0E0F0–5C30–11D4–945D–000000000000} – D:\PROGRA~1\MarBit\TOOLS\IEHelper.dll
O2 – BHO: IeCatch2 Class – {A5366673–E8CA–11D3–9CD9–0090271D075B} – D:\PROGRA~1\FLASHGET\jccatch.dll
O2 – BHO: IEHlprObj Class – {CE7C3CF0–4B15–11D1–ABED–709549C10000} – D:\Program Files\NetPanel\IEHelper.dll
O3 – Toolbar: FlashGet Bar – {E0E899AB–F487–11D5–8D29–0050BA6940E3} – D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – D:\WINDOWS.000\System32\msdxm.ocx
O3 – Toolbar: ICQ Toolbar – {855F3B16–6D32–4fe6–8A56–BBB695989046} – D:\Program Files\ICQToolbar\toolbaru.dll
O3 – Toolbar: (no name) – {259F616C–A300–44F5–B04A–ED001A26C85C} – (no file)
O4 – HKLM\..\Run: [internat.exe] internat.exe
O4 – HKLM\..\Run: [SystemTray] SysTray.Exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS.000\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NeroCheck] D:\WINDOWS.000\System32\\NeroCheck.exe
O4 – HKLM\..\Run: [Security iGuard] D:\Program Files\Security iGuard\Security iGuard.exe
O4 – HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS.000\System32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [MKS_MENU] D:\Program Files\MKS\Bin\mks_menu.exe
O4 – HKLM\..\Run: [ABREGMON] D:\Program Files\MKS\Bin\ABregmon.exe
O4 – HKLM\..\Run: [NetPanel] "D:\Program Files\NetPanel\Starter.exe" /path="D:\Program Files\NetPanel"
O4 – HKLM\..\Run: [KAZAA] "D:\Program Files\Kazaa Lite Rewolucja\kpp.exe" "D:\Program Files\Kazaa Lite Rewolucja\kazaalite.kpp" /SYSTRAY
O4 – HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS.000\System32\ctfmon.exe
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – Startup: Spolszczenie – Auto Update.lnk = D:\Program Files\ICQLite\icq_5.03_build_2315_pl.exe
O4 – Global Startup: D–Link AirPlus.lnk = ?
O4 – Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 – Extra context menu item: &ICQ Toolbar Search – res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 – Extra context menu item: Download All by FlashGet – D:\Program Files\FlashGet\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – D:\Program Files\FlashGet\jc_link.htm
O8 – Extra context menu item: Download with Internet TOOLS – D:\Program Files\MarBit\TOOLS\MBdownload.htm
O9 – Extra button: ICQ Lite – {B863453A–26C3–4e1f–A54D–A2CD196348E9} – D:\Program Files\ICQLite\ICQLite.exe
O9 – Extra 'Tools' menuitem: ICQ Lite – {B863453A–26C3–4e1f–A54D–A2CD196348E9} – D:\Program Files\ICQLite\ICQLite.exe
O9 – Extra button: FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – D:\PROGRA~1\FLASHGET\flashget.exe
O9 – Extra 'Tools' menuitem: &FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – D:\PROGRA~1\FLASHGET\flashget.exe
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – D:\Program Files\Messenger\MSMSGS.EXE
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – D:\Program Files\Messenger\MSMSGS.EXE
O9 – Extra button: (no name) – SolidConverterPDF – (no file) (HKCU)
O16 – DPF: {17492023–C23A–453E–A040–C7C580BBF700} (Windows Genuine Advantage Validation Tool) – http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 – DPF: {8626DFA9–2BAC–4BDA–8663–8DAA0F942C0D} – http://megapanel.gem.pl/temp/netp/0892/1719/8286/3400/5_0892171982863400.ocx
O16 – DPF: {E95CF138–A587–4C54–8175–3AD80997CB14} (GINSOCCER Class) – http://67.15.101.3/g_bin/pl/soccer_2_0_0_8.cab
O16 – DPF: {FDDBE2B8–6602–4AD8–946D–94C5A32FA6C1} (GameDesire Pool 8) – http://67.15.101.3/g_bin/pl/billard8_2_0_0_21.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{7134E7CE–00E2–4488–9531–1AA8F98676EA}: NameServer = 213.199.225.10,213.199.225.14
O23 – Service: ArcaBit NetMonitor (ABNetMon) – ArcaBit sp. z o.o. – D:\Program Files\MKS\Bin\NetMonSV.exe
O23 – Service: MkSUpdateInt – MkS Sp. z o. o. – D:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 – Service: MkS_Vir Monitor (MksVirMonSvc) – Unknown owner – D:\Program Files\MKS\Bin\mksmonsv.exe
O23 – Service: MkS_Scan – Unknown owner – D:\Program Files\MKS\Bin\mks_scan.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – D:\WINDOWS.000\System32\nvsvc32.exe
klonpiotr: in Display Properties there are only the Screen Saver and Settings tabs, not all of them.
So –
Bobi_robert: Show what you have in the key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Export the whole branch and I'll make you a fix
I don't know much about this. I threw out that program and the picture, and instead of the picture there is a black screen, and in Display Properties there are only the Screen Saver and Settings tabs, not all of them.
All of this is because of that wp.exe and IMO that fake "anti" program
Did you get rid of the files??
Maybe it's enough to remove the entry in Desktop Properties / Desktop / Customize Desktop / Web
Delete the file wp.bmp
Search the registry for references to wp.exe and remove them
Show what you have in the key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
OK, I did that, only the desktop still has a blue background and the text:
A fatal error in IE has occured at 0028:c0011e36 in VXD VMM + 00010E36>Error was caused by trojan–Spy. HTML.Smitfraud.c
*System can not function in normal mode.Please chceck yuo security settings.
*Scan your PC with abalible antiwirus/spyware remover program to fix the problem
If needed, here's the log:
Meh. If you can't kill the process and delete the file, try either in Safe Mode, or give the paths to those files in HijackThis by pressing the Config button, then Misc Tools and then Delete a file on reboot. klonpiotr: intmonp.exe (–||–)
popuper.exe (–||–)
these processes can't be terminated