Zmiana strony startowej i ulubionych... nic nie pomaga...
Witam,
Mam wielki problem... ostatnio na kompa wlazl mi jakis shit i przy kazdym uruchomieniu zmienia mi strone startowa na find–everything.com, a do ulubionych dodaje 'Free Porn' i inne gowna... Probowalem juz Ad–aware'a, HiJack This (Ktory znalazl te rzeczy, ktore to zmieniaja... ale o tym za chwile), wywalalem rozne rzeczy z autostartu... i nic, oto moj log z HiJackThis'a:
Logfile of HijackThis v1.98.0
Scan saved at 09:04:52, on 2004–07–09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesTGTSoftStyleXPStyleXPService.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
E:ProgramyLiteSteplitestep.exe
C:WINDOWSSystem32driversCDAC11BA.EXE
C:Program FilesNorton AntiVirus avapsvc.exe
C:WINDOWSSystem32 vsvc32.exe
C:WINDOWSSystem32svchost.exe
E:programyQuickTimeqttask.exe
C:WINDOWSSystem32P2P NetworkingP2P Networking.exe
C:Program FilesCommon FilesSymantec SharedccApp.exe
C:WINDOWSsystem32 undll32.exe
E:programyOvernetOvernet.exe
C:Program FilesTGTSoftStyleXPStyleXP.exe
C:WINDOWSziphelp.exe
C:Program FilesWinZipWZQKPICK.EXE
E:ProgramyMyIE2MyIE.exe
C:WINDOWSexplorer.exe
E:Programyspywareguardsetup.exe
C:DOCUME~1PAWE~1USTAWI~1TempINS5.tmp
E:ProgramyHijackThis.exe
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://www.find–everything.com/sp.htm
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://www.find–everything.com/index.htm
R0 – HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.find–everything.com/sp.htm
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://www.find–everything.com/index.htm
R3 – URLSearchHook: PerfectNavBHO Class – {00D6A7E7–4A97–456f–848A–3B75BF7554D7} – C:PROGRA~1PERFEC~1BHOPERFEC~1.DLL
F2 – REG:system.ini: UserInit=C:WINDOWSsystem32userinit.exe,kernel32.exe,
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:Program FilesAdobeAcrobat 6.0 CEReaderActiveXAcroIEHelper.dll
O2 – BHO: SpywareGuard Download Protection – {4A368E80–174F–4872–96B5–0B27DDD11DB2} – C:Program FilesSpywareGuarddlprotect.dll
O2 – BHO: NAV Helper – {BDF3E430–B101–42AD–A544–FADC6B084872} – C:Program FilesNorton AntiVirusNavShExt.dll
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – C:Program FilesNorton AntiVirusNavShExt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O4 – HKLM..Run: [desktop] C:WINDOWSSystem32desktop.exe
O4 – HKLM..Run: [QuickTime Task] "E:programyQuickTimeqttask.exe" –atboottime
O4 – HKLM..Run: [P2P Networking] C:WINDOWSSystem32P2P NetworkingP2P Networking.exe /AUTOSTART
O4 – HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 – HKLM..Run: [ccRegVfy] "C:Program FilesCommon FilesSymantec SharedccRegVfy.exe"
O4 – HKLM..Run: [New.net Startup] rundll32 C:PROGRA~1NEWDOT~1NEWDOT~1.DLL,NewDotNetStartup –s
O4 – HKLM..Run: [COM Services] kernel32.exe
O4 – HKLM..Run: [Overnet] E:programyOvernetOvernet.exe –t
O4 – HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [updmgr] C:Program FilesCommon filesupdmgrupdmgr.exe
O4 – HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSSystem32NvMcTray.dll,NvTaskbarInit
O4 – HKLM..Run: [AltnetPointsManager] c:program filesaltnetpoints managerpoints manager.exe –s
O4 – HKCU..Run: [STYLEXP] C:Program FilesTGTSoftStyleXPStyleXP.exe –Hide
O4 – HKCU..Run: [ziphelp] C:WINDOWSziphelp.exe
O4 – Startup: SpywareGuard.lnk = C:Program FilesSpywareGuardsgmain.exe
O4 – Global Startup: Adobe Gamma Loader.exe.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O4 – Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE
O4 – Global Startup: WinZip Quick Pick.lnk = C:Program FilesWinZipWZQKPICK.EXE
O8 – Extra context menu item: Download All by FlashGet – E:Programyflashgetjc_all.htm
O8 – Extra context menu item: Download using FlashGet – E:Programyflashgetjc_link.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O16 – DPF: {1D6711C8–7154–40BB–8380–3DEA45B69CBF} (Web P2P Installer) –
Wiem, ze chodzi tu o to:
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://www.find–everything.com/sp.htm
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://www.find–everything.com/index.htm
R0 – HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.find–everything.com/sp.htm
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://www.find–everything.com/index.htm
Wywalalem to i jeszcze kilka innych rzeczy, ale po restarcie samo sie znow dodaje...
Aha – to sie dzieje tylko na koncie moim (bo jest jeszcze drugie, na ktorym wszystko jest ok)... help plz!
Mam wielki problem... ostatnio na kompa wlazl mi jakis shit i przy kazdym uruchomieniu zmienia mi strone startowa na find–everything.com, a do ulubionych dodaje 'Free Porn' i inne gowna... Probowalem juz Ad–aware'a, HiJack This (Ktory znalazl te rzeczy, ktore to zmieniaja... ale o tym za chwile), wywalalem rozne rzeczy z autostartu... i nic, oto moj log z HiJackThis'a:
Logfile of HijackThis v1.98.0
Scan saved at 09:04:52, on 2004–07–09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesTGTSoftStyleXPStyleXPService.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
E:ProgramyLiteSteplitestep.exe
C:WINDOWSSystem32driversCDAC11BA.EXE
C:Program FilesNorton AntiVirus avapsvc.exe
C:WINDOWSSystem32 vsvc32.exe
C:WINDOWSSystem32svchost.exe
E:programyQuickTimeqttask.exe
C:WINDOWSSystem32P2P NetworkingP2P Networking.exe
C:Program FilesCommon FilesSymantec SharedccApp.exe
C:WINDOWSsystem32 undll32.exe
E:programyOvernetOvernet.exe
C:Program FilesTGTSoftStyleXPStyleXP.exe
C:WINDOWSziphelp.exe
C:Program FilesWinZipWZQKPICK.EXE
E:ProgramyMyIE2MyIE.exe
C:WINDOWSexplorer.exe
E:Programyspywareguardsetup.exe
C:DOCUME~1PAWE~1USTAWI~1TempINS5.tmp
E:ProgramyHijackThis.exe
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://www.find–everything.com/sp.htm
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://www.find–everything.com/index.htm
R0 – HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.find–everything.com/sp.htm
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://www.find–everything.com/index.htm
R3 – URLSearchHook: PerfectNavBHO Class – {00D6A7E7–4A97–456f–848A–3B75BF7554D7} – C:PROGRA~1PERFEC~1BHOPERFEC~1.DLL
F2 – REG:system.ini: UserInit=C:WINDOWSsystem32userinit.exe,kernel32.exe,
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:Program FilesAdobeAcrobat 6.0 CEReaderActiveXAcroIEHelper.dll
O2 – BHO: SpywareGuard Download Protection – {4A368E80–174F–4872–96B5–0B27DDD11DB2} – C:Program FilesSpywareGuarddlprotect.dll
O2 – BHO: NAV Helper – {BDF3E430–B101–42AD–A544–FADC6B084872} – C:Program FilesNorton AntiVirusNavShExt.dll
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – C:Program FilesNorton AntiVirusNavShExt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O4 – HKLM..Run: [desktop] C:WINDOWSSystem32desktop.exe
O4 – HKLM..Run: [QuickTime Task] "E:programyQuickTimeqttask.exe" –atboottime
O4 – HKLM..Run: [P2P Networking] C:WINDOWSSystem32P2P NetworkingP2P Networking.exe /AUTOSTART
O4 – HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 – HKLM..Run: [ccRegVfy] "C:Program FilesCommon FilesSymantec SharedccRegVfy.exe"
O4 – HKLM..Run: [New.net Startup] rundll32 C:PROGRA~1NEWDOT~1NEWDOT~1.DLL,NewDotNetStartup –s
O4 – HKLM..Run: [COM Services] kernel32.exe
O4 – HKLM..Run: [Overnet] E:programyOvernetOvernet.exe –t
O4 – HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [updmgr] C:Program FilesCommon filesupdmgrupdmgr.exe
O4 – HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSSystem32NvMcTray.dll,NvTaskbarInit
O4 – HKLM..Run: [AltnetPointsManager] c:program filesaltnetpoints managerpoints manager.exe –s
O4 – HKCU..Run: [STYLEXP] C:Program FilesTGTSoftStyleXPStyleXP.exe –Hide
O4 – HKCU..Run: [ziphelp] C:WINDOWSziphelp.exe
O4 – Startup: SpywareGuard.lnk = C:Program FilesSpywareGuardsgmain.exe
O4 – Global Startup: Adobe Gamma Loader.exe.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O4 – Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE
O4 – Global Startup: WinZip Quick Pick.lnk = C:Program FilesWinZipWZQKPICK.EXE
O8 – Extra context menu item: Download All by FlashGet – E:Programyflashgetjc_all.htm
O8 – Extra context menu item: Download using FlashGet – E:Programyflashgetjc_link.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O16 – DPF: {1D6711C8–7154–40BB–8380–3DEA45B69CBF} (Web P2P Installer) –
Wiem, ze chodzi tu o to:
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://www.find–everything.com/sp.htm
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://www.find–everything.com/index.htm
R0 – HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.find–everything.com/sp.htm
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://www.find–everything.com/index.htm
Wywalalem to i jeszcze kilka innych rzeczy, ale po restarcie samo sie znow dodaje...
Aha – to sie dzieje tylko na koncie moim (bo jest jeszcze drugie, na ktorym wszystko jest ok)... help plz!
Odpowiedzi: 4
Albo wylacz w zakladce Procesy Menedzera procesow, albo usun z konsoli jak napisal McScr@by.submarine:
Nie moge ich usunac z dysku, pisze ze odmowa dostepu...
CwShredder nic nie pomoze, bo updmgr.exe to jak google gadaja – trojan TR/Dldr.Keenval.3. a kernel32.exe to wedlug Symanteca Backdoor.Osirdoor, Backdoor.Osirdoor.B [AVP], BKDR_OSIRDOOR.B [Trend], BackDoor–ABT [McAfee]
Usuń przez konsole odzyskiwania danych (R) wydając polecenie del scieszka/plik.
Moźesz takźe spróbować przeskanować system CW Shredder`em.
Moźesz takźe spróbować przeskanować system CW Shredder`em.
Nie moge ich usunac z dysku, pisze ze odmowa dostepu...
Usun FIXem i pozniej z dysku pliki ktore sa w tym logu:
ziphelp.exe
updmgr.exe
kernel32.exe
PERFEC~1.DLL
sp.html (narzedzie do usuwania sp.html znajdziesz w ktoryms moim poscie w tym dziale – uzyj wyszukiwarki)
To rowniez jest podejrzane:
O4 – HKLM..Run: [desktop] C:WINDOWSSystem32desktop.exe
Te pliki to:C:WINDOWSziphelp.exe
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://www.find–everything.com/sp.htm
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://www.find–everything.com/index.htm
R0 – HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.find–everything.com/sp.htm
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://www.find–everything.com/index.htm
R3 – URLSearchHook: PerfectNavBHO Class – {00D6A7E7–4A97–456f–848A–3B75BF7554D7} – C:PROGRA~1PERFEC~1BHOPERFEC~1.DLL
F2 – REG:system.ini: UserInit=C:WINDOWSsystem32userinit.exe,kernel32.exe,
O4 – HKLM..Run: [New.net Startup] rundll32 C:PROGRA~1NEWDOT~1NEWDOT~1.DLL,NewDotNetStartup –s
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [updmgr] C:Program FilesCommon filesupdmgrupdmgr.exe
O4 – HKCU..Run: [ziphelp] C:WINDOWSziphelp.exe
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O16 – DPF: {1D6711C8–7154–40BB–8380–3DEA45B69CBF} (Web P2P Installer) –
ziphelp.exe
updmgr.exe
kernel32.exe
PERFEC~1.DLL
sp.html (narzedzie do usuwania sp.html znajdziesz w ktoryms moim poscie w tym dziale – uzyj wyszukiwarki)
To rowniez jest podejrzane:
O4 – HKLM..Run: [desktop] C:WINDOWSSystem32desktop.exe
Strona 1 / 1