YOUR SYSTEM IS INFECTED windows Me

Hi, I have a problem with my desktop: I can't change this screen. Does anyone know how to remove it effectively? Oh, and Internet Explorer also starts up by itself every now and then with some porn sites. I'm attaching a picture of the desktop and a HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 12:01:49, on 2005–09–10
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SVCHOST.EXE
C:\PROGRAM FILES\GADU–GADU\GG.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\SPY\HIJACKTHIS.EXE

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://best–search.cc/search.php?v=6&aff=8808745
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://best–search.cc/index.php?v=6&aff=8808745
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://best–search.cc/index.php?v=6&aff=8808745
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: (no name) – {9896231A–C487–43A5–8369–6EC9B0A96CC0} – C:\WINDOWS\SYSTEM\WSTART.DLL
O2 – BHO: (no name) – {AA58ED58–01DD–4d91–8333–CF10577473F7} – c:\program files\google\googletoolbar1.dll
O2 – BHO: (no name) – {B75F75B8–93F3–429D–FF34–660B206D897A} – C:\WINDOWS\SYSTEM\ZOLKER006.DLL
O2 – BHO: (no name) – {200F16BA–AE5D–DA84–2DF4–D0F88D959399} – C:\WINDOWS\SYSTEM\IXIGJ.DLL
O2 – BHO: (no name) – {7F6828CA–9E42–462C–BC60–418C8144012C} – C:\WINDOWS\SYSTEM\BHOMOD.DLL
O3 – Toolbar: &Google – {2318C2B1–4965–11d4–9B18–009027A5CD4F} – c:\program files\google\googletoolbar1.dll
O3 – Toolbar: @msdxmLC.dll,–1@1045,&Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 – HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\PROGRAM FILES\GADU–GADU\GG.EXE" /tray
O4 – HKCU\..\Run: [Rlaa] C:\Program Files\iret\oter.exe
O4 – HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\symcsvc.exe
O8 – Extra context menu item: &Google Search – res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 – Extra context menu item: Cac&hed Snapshot of Page – res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 – Extra context menu item: Si&milar Pages – res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 – Extra context menu item: Backward &Links – res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 – Extra context menu item: Translate into English – res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 – Extra button: Related (HKLM)
O9 – Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 – Extra button: Messenger (HKLM)
O9 – Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 – Extra button: eBay – Homepage (HKLM)
O15 – Trusted Zone: *.clickspring.net
O16 – DPF: {D27CDB6E–AE6D–11CF–96B8–444553540000} (Shockwave Flash Object) – http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 – DPF: {9EB320CE–BE1D–4304–A081–4B4665414BEF} (MediaTicketsInstaller Control) – http://www.mt–download.com/MediaTicketsInstaller.cab?refid=4600

Replies: 12

1. Paste this into Notepad:

REGEDIT4

; Remove the "Rlaa" autostart value
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rlaa"=-

; Delete the BHO registration and its CLSID
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{200F16BA-AE5D-DA84-2DF4-D0F88D959399}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{200F16BA-AE5D-DA84-2DF4-D0F88D959399}]

; Remove the policy values that force Active Desktop and the wallpaper
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=-
"Wallpaper"=-


From the drop-down list choose "All files" and save it with the .reg extension.
Delete all the listed files/folders from the disk and apply this fix.
In the previous post I mistakenly told you to remove the Gadu-Gadu entry; if you did that, restore the entry from the backup. I'll correct the mistake right away.
Bobi
Added
11.08.2005 12:24:07
Well, probably not, because I turned off System Restore yesterday.
naski7
Added
11.08.2005 11:53:15
The entries are probably coming back because of System Restore – ME.
Rebe
Added
11.08.2005 09:27:59
Yes, they do keep coming back. C:\ROAWTU.EXE, I don't know what that is, probably some junk too. Here is a log from Silent Runners:
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non–default values, except where indicated by "{++}"


Startup items buried in registry:
–––––––––––––––––––––––––––––––––

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu–Gadu" = ""C:\PROGRAM FILES\GADU–GADU\GG.EXE" /tray" ["sms–express.com"]
"Rlaa" = "C:\Program Files\iret\oter.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Instalator systemu Windows Konwerter FAT32"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{200F16BA–AE5D–DA84–2DF4–D0F88D959399}\(Default) = (no title provided)
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\IXIGJ.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{B41DB860–8EE4–11D2–9906–E49FADC173CA}" = "WinRAR shell extension"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
"{2E9D3540–211C–11d0–A5F2–00A0248C37BE}" = "Nero Shell Extension Property Sheet"
–> {CLSID}\InProcServer32\(Default) = "D:\Program files\uninst\nero\neroshx.dll" ["Ahead Software AG"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]


System Policies [Description]:
––––––––––––––––––––––––––––––

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]

HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html"
[disables Display Properties|Background (tab); selects wallpaper if
Active Desktop is enabled]


Active Desktop and Wallpaper:
–––––––––––––––––––––––––––––

Active Desktop enabled via System Policy.

Wallpaper selected via System Policy.


Enabled Scheduled Tasks:
––––––––––––––––––––––––

"Rozpoczęcie aplikacji dostrajania" –> launches: "walign" [MS]
"Harmonogram programu PCHealth dla zbierania danych" –> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE –c" [MS]


Winsock2 Service Provider DLLs:
–––––––––––––––––––––––––––––––

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 – 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 – 6


Toolbars, Explorer Bars, Extensions:
––––––––––––––––––––––––––––––––––––

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1–4965–11D4–9B18–009027A5CD4F}" = "&Google" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


Miscellaneous IE Hijack Points
––––––––––––––––––––––––––––––

HKLM\Software\Microsoft\Internet Explorer\Version = (invalid data)
The Internet Explorer version cannot be found!

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
The contents of IERESET.INF cannot be reliably checked!

Added lines (compared with English–language version):
[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"

Missing lines (compared with English–language version):
[Strings]: 2 lines


––––––––––
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the –all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 23 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 15 seconds.
–––––––––– (total run time: 68 seconds)
naski7
Added
11.08.2005 01:28:23
You're not removing something thoroughly, because the junk keeps coming back.

C:\ROAWTU.EXE – do you recognise this?
C:\PROGRAM FILES\IRET\OTER.EXE
O2 – BHO: (no name) – {200F16BA–AE5D–DA84–2DF4–D0F88D959399} – C:\WINDOWS\SYSTEM\IXIGJ.DLL
O4 – HKCU\..\Run: [Rlaa] C:\Program Files\iret\oter.exe


You are, of course, deleting all the bolded files from the disk manually?
If so, and they still come back, please post a log from Silent Runners.
Bobi
Added
11.08.2005 00:10:34
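The comparison made by eye in the post above, as an added example that is not part of any post in this thread: a Python script that reports which entries from a removal list appear again in a later HijackThis log, and whether the file each one points to is in that log's running-process list. `parse_log` and `returned_entries` are hypothetical names, and the sample lines are abridged from the logs on this page.

```python
import re

ENTRY_RE = re.compile(r"^([RO]\d{1,2}) - (.+)$")        # e.g. "O4 - HKCU\..\Run: ..."
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll)')    # first file path in an entry

# Abridged from the removal list and the 19:14:19 log in this thread,
# pasted with the en-dashes the page shows in place of hyphens.
FIX_LIST = r"""
O2 – BHO: (no name) – {200F16BA–AE5D–DA84–2DF4–D0F88D959399} – C:\WINDOWS\SYSTEM\IXIGJ.DLL
O4 – HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 – HKCU\..\Run: [Rlaa] C:\Program Files\iret\oter.exe
"""
LATER_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\ROAWTU.EXE
C:\PROGRAM FILES\IRET\OTER.EXE

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
O2 – BHO: (no name) – {200F16BA–AE5D–DA84–2DF4–D0F88D959399} – C:\WINDOWS\SYSTEM\IXIGJ.DLL
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\PROGRAM FILES\GADU–GADU\GG.EXE" /tray
O4 – HKCU\..\Run: [Rlaa] C:\Program Files\iret\oter.exe
"""

def parse_log(text):
    """Return (running process paths, {entry detail: section}), all lower-cased."""
    processes, entries, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.replace("\u2013", "-").strip()   # undo the typographic dashes
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False                        # a blank line ends the process list
        elif in_procs:
            processes.add(line.lower())
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries[m.group(2).lower()] = m.group(1)
    return processes, entries

def returned_entries(fix_list, later_log):
    """Entries slated for removal that are present again in a later log.

    Returns sorted (section, detail, file_is_running) tuples."""
    _, wanted = parse_log(fix_list)
    processes, present = parse_log(later_log)
    found = []
    for detail, section in present.items():
        if detail in wanted:
            m = PATH_RE.search(detail)
            found.append((section, detail, bool(m) and m.group(0) in processes))
    return sorted(found)

if __name__ == "__main__":
    for section, detail, running in returned_entries(FIX_LIST, LATER_LOG):
        print(section, detail, "(file is running)" if running else "")
```

Matching is on the lower-cased entry text, so logs from different HijackThis versions that print the same entry in a different format will not match each other.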
Logfile of HijackThis v1.99.1
Scan saved at 19:14:19, on 2005–09–10
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GADU–GADU\GG.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ROAWTU.EXE
C:\PROGRAM FILES\IRET\OTER.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
D:\SPY\HIJACKTHIS\HIJACKTHIS.EXE

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
O2 – BHO: (no name) – {200F16BA–AE5D–DA84–2DF4–D0F88D959399} – C:\WINDOWS\SYSTEM\IXIGJ.DLL
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\PROGRAM FILES\GADU–GADU\GG.EXE" /tray
O4 – HKCU\..\Run: [Rlaa] C:\Program Files\iret\oter.exe
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
naski7
Added
10.08.2005 21:19:58
O21 – SSODL: System – {8C4D62FE–AEC1–470A–9D45–72EE2998798C} – vr_sys.dll (file missing)
O21 – SSODL: OLE Module – {0656A137–B161–CADD–9777–E37A75727E78} – C:\WINDOWS\SYSTEM\abirvalg32.dll
O21 – SSODL: mawgIFe – {24521D11–8EF8–B7BB–508B–F9F25BBF115A} – C:\WINDOWS\SYSTEM\LWP.DLL
Bobi
Added
10.08.2005 20:05:53
This is what's left:
Logfile of HijackThis v1.99.1
Scan saved at 13:42:05, on 2005–09–10
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GADU–GADU\GG.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\ROAWTU.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\SPY\HIJACKTHIS\HIJACKTHIS.EXE

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\PROGRAM FILES\GADU–GADU\GG.EXE" /tray
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O21 – SSODL: System – {8C4D62FE–AEC1–470A–9D45–72EE2998798C} – vr_sys.dll (file missing)
O21 – SSODL: OLE Module – {0656A137–B161–CADD–9777–E37A75727E78} – C:\WINDOWS\SYSTEM\abirvalg32.dll
O21 – SSODL: mawgIFe – {24521D11–8EF8–B7BB–508B–F9F25BBF115A} – C:\WINDOWS\SYSTEM\LWP.DLL
naski7
Added
10.08.2005 15:47:50
Your HijackThis is a very old version; download 1.99.1 and create a log with it.

For now:
Turn off System Restore
End the process:
SVCHOST.EXE

Remove:

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://best–search.cc/search.php?v=6&aff=8808745
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://best–search.cc/index.php?v=6&aff=8808745
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://best–search.cc/index.php?v=6&aff=8808745
O2 – BHO: (no name) – {9896231A–C487–43A5–8369–6EC9B0A96CC0} – C:\WINDOWS\SYSTEM\WSTART.DLL
O2 – BHO: (no name) – {B75F75B8–93F3–429D–FF34–660B206D897A} – C:\WINDOWS\SYSTEM\ZOLKER006.DLL
O2 – BHO: (no name) – {200F16BA–AE5D–DA84–2DF4–D0F88D959399} – C:\WINDOWS\SYSTEM\IXIGJ.DLL
O2 – BHO: (no name) – {7F6828CA–9E42–462C–BC60–418C8144012C} – C:\WINDOWS\SYSTEM\BHOMOD.DLL
O4 – HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 – HKCU\..\Run: [Rlaa] C:\Program Files\iret\oter.exe
O4 – HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\symcsvc.exe
O9 – Extra button: eBay – Homepage (HKLM)
O15 – Trusted Zone: *.clickspring.net
refid=4600
Bobi
Added
10.08.2005 14:52:36
Type this message, or the phrase "czerwony pulpit" (red desktop), into the forum search – select searching for all words and limit the search to this section.

P.S.
It's enough to post a topic in one section – there's no need to multiply it – the duplicate from Other Systems has been removed.
Rebe
Added
10.08.2005 14:26:41
naski7
Added:
10.08.2005 14:23:48
Comments:
12