HiJack This. What should I check?

16.05.04, 20:28
I have a problem with viruses on my computer. I read a bit on various
forums, where I learned about HiJack. I have the scan result, but now I need
an expert to help me. The thing is, I don't know what I should check.
Thanks in advance.
Logfile of HijackThis v1.97.7
Scan saved at 18:53:49, on 04-05-16
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\PROGRAM FILES\180SOLUTIONS\MSBB.EXE
C:\WINDOWS\REG33.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
C:\WINDOWS\SYSTEM32\WINPROC32.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\REGISTER\REMIND32.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\ACTALERT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\PULPIT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-
counter.com/?a=2&b=alexxp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-
counter.com/?a=2&b=alexxp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-
counter.com/?a=2&b=alexxp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://4-counter.com/?a=2&b=alexxp
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-
counter.com/?a=2&b=alexxp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-
counter.com/?a=2&b=alexxp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-
counter.com/?a=2&b=alexxp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://4-counter.com/?a=2&b=alexxp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Program
Microsoft Internet Explorer dostarczony przez IDG.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page =
http://www.idg.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
C:\WINDOWS\secure.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} -
C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} -
C:\WINDOWS\NEM216.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM
FILES\ISTBAR\ISTBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Program Files\MediaRing
Talk\register.exe
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON
ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
O4 - HKLM\..\Run: [zutkh] C:\WINDOWS\zutkh.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1
\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program
Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32
\WINPROC32.EXE
O4 - HKCU\..\Run: [a˛] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program
Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect
Office 2000\Register\Remind32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System,
DisableRegedit=1
O8 - Extra context menu item: Otwórz obraz w programie &Microsoft PhotoDraw -
res://C:\PROGRA~1\MICROS~1\OFFICE\1045\PHDINTL.DLL/phdContext.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.idg.pl
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38097.4241319444
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3}
(VacPro.internazionale_ver3) -
http://www.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) -
http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {0873478E-E67A-4876-B0A9-9A36D3AB3602} (vviewer control) -
http://www.thepaymentcentre.com/build/vviewer.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) -
http://63.219.181.7/cax.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} -
http://www.netvenda.com/sites/games-intl/pl/games4.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) -
http://www.sponsoradulto.com/en/SysWebTelecom.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
http://81.190.193.145/activex/AxisCamControl.ocx
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = peceval.uznam.net.pl
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer =
62.233.128.18,62.233.128.17,213.77.115.28

    • netsec Re: HiJack This. What should I check? 16.05.04, 20:43
      dobroslawczajkowski wrote:

      > I have a problem with viruses on my computer. I read a bit on various
      > forums, where I learned about HiJack. I have the scan result, but now I need
      > an expert to help me. The thing is, I don't know what I should check.
      > Thanks in advance.
      > Logfile of HijackThis v1.97.7
      > Scan saved at 18:53:49, on 04-05-16
      > Platform: Windows 98 SE (Win9x 4.10.2222A)
      > MSIE: Unable to get Internet Explorer version!

      Run HijackThis again, perform a SCAN and check exactly these items:

      R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = 4-
      counter.com/?a=2&b=alexxp
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 4-
      counter.com/?a=2&b=alexxp
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = 4-
      counter.com/?a=2&b=alexxp
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      C:\WINDOWS\secure.html
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      C:\WINDOWS\secure.html
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      4-counter.com/?a=2&b=alexxp
      R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = 4-
      counter.com/?a=2&b=alexxp
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
      C:\WINDOWS\secure.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 4-
      counter.com/?a=2&b=alexxp
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 4-
      counter.com/?a=2&b=alexxp
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      C:\WINDOWS\secure.html
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      4-counter.com/?a=2&b=alexxp
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      C:\WINDOWS\secure.html
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      C:\WINDOWS\secure.html
      R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
      file)
      O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} -
      C:\WINDOWS\TWAINTEC.DLL
      O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} -
      C:\WINDOWS\NEM216.DLL
      O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM
      FILES\ISTBAR\ISTBAR.DLL
      O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
      O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
      Optimizer\optimize.exe"
      O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
      O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
      O4 - HKLM\..\Run: [zutkh] C:\WINDOWS\zutkh.exe
      O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
      O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
      O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\SYSTEM32
      \WINPROC32.EXE
      O4 - HKCU\..\Run: [a˛] "C:\Program Files\a2\a2guard.exe"
      O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program
      Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
      O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System,
      DisableRegedit=1
      O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
      i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
      O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
      v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38097.4241319444
      O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3}
      (VacPro.internazionale_ver3) -
      www.advnt01.com/dialer/internazionale_ver3.CAB
      O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) -
      www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
      O16 - DPF: {0873478E-E67A-4876-B0A9-9A36D3AB3602} (vviewer control) -
      www.thepaymentcentre.com/build/vviewer.cab
      O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) -
      63.219.181.7/cax.cab
      O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} -
      www.netvenda.com/sites/games-intl/pl/games4.cab
      O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) -
      www.sponsoradulto.com/en/SysWebTelecom.cab
      O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
      Control) - download.macromedia.com/pub/shockwave/cabs/director/sw.cab
      O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
      81.190.193.145/activex/AxisCamControl.ocx
      O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
      skaner.mks.com.pl/SkanerOnline.cab
      After checking them, click FIX CHECKED and OK, then restart the computer.

      In Control Panel, Add/Remove Programs, uninstall all programs
      that you are not sure you need.

      Disable direct connections in GG. It is very dangerous, although
      GG itself as such is not safe.

      Update Norton: securityresponse.symantec.com/avcenter/download/us-files/20040515-009-i32.exe

      After that, restart the computer.

      Scan the disks with Norton.

      Connect to WindowsUpdate www.windowsupdate.com and update the
      system with all critical patches.

      --
      Net
    • Guest: kostek C:\WINDOWS\secure.html how to remove IP: *.pnet.com.pl 12.07.04, 14:43
      Logfile of HijackThis v1.97.7
      Scan saved at 10:57:20, on 2004-07-12
      Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Executive Software\Diskeeper\DkService.exe
      C:\Program Files\Norton AntiVirus\navapsvc.exe
      C:\WINDOWS\System32\nvsvc32.exe
      C:\WINDOWS\System32\systemout.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\explorer.exe
      C:\WINDOWS\system32\explorer.exe
      C:\Program Files\Gadu-Gadu\gg.exe
      C:\WINDOWS\System32\dsucw.exe
      C:\Program Files\totalcmd\TOTALCMD.EXE
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      C:\Program Files\English Translator 3\ET.exe
      D:\HijackThis 1.97.7.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      C:\WINDOWS\secure.html
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      C:\WINDOWS\secure.html
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
      C:\WINDOWS\secure.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      C:\WINDOWS\secure.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT
      USED (OK)
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT
      USED (OK)
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
      Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      C:\WINDOWS\secure.html
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      C:\WINDOWS\secure.html
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
      O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
      O1 - Hosts: 81.211.105.69 lender-search.com
      O1 - Hosts: 81.211.105.68 hot-searches.com
      O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
      Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
      O2 - BHO: (no name) - {17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC} - C:\PROGRA~1
      \XSOFTW~1\XPCSPY~1\IESpy.dll
      O2 - BHO: (no name) - {47F03873-954C-7B92-8756-655578AF281C} -
      C:\WINDOWS\System32\eutolvs.dll
      O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -
      C:\WINDOWS\Downloaded Program Files\bridge.dll (file missing)
      O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
      O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
      Files\Norton AntiVirus\NavShExt.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
      C:\WINDOWS\System32\msdxm.ocx
      O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
      C:\Program Files\Norton AntiVirus\NavShExt.dll
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
      \NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [System Check] Rundll32.exe SysDll32.dll,SystemCheck
      O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
      O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
      O4 - HKLM\..\RunOnce: [wu] C:\DOCUME~1\Wirus\USTAWI~1\Temp\wu.exe
      O4 - Startup: Power Project.lnk = C:\Program Files\Gadu-Gadu\PowerGG.exe
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program
      Files\FlashGet\jc_link.htm
      O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a -
      C:\Program Files\FlashGet\jc_all.htm
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O15 - Trusted Zone: *.blazefind.com
      O15 - Trusted Zone: *.clickspring.net
      O15 - Trusted Zone: *.flingstone.com
      O15 - Trusted Zone: *.mt-download.com
      O15 - Trusted Zone: *.my-internet.info
      O15 - Trusted Zone: *.skoobidoo.com
      O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) -
      static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
      O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller
      Control) - www.mt-download.com/MediaTicketsInstaller.cab
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
      download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
      • netsec Re: C:\WINDOWS\secure.html how to remove 12.07.04, 14:59
        Portal guest kostek wrote:

        > Logfile of HijackThis v1.97.7
        > Scan saved at 10:57:20, on 2004-07-12
        > Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
        > MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Check whether the Internet firewall is enabled in the properties of your
        Internet connection. Here is a description of how to do it:
        www.microsoft.com/poland/security/protect/windowsxp/firewall.aspx
        Turn off System Restore (XP and Me only)
        support.microsoft.com/default.aspx?scid=kb;pl;310405
        In Control Panel => Internet Options => Temporary Internet files,
        Delete files (check all offline content) and Delete cookies.

        From the START menu choose Run, type %TEMP% and click OK.
        In the window that appears, delete all files that can be deleted.
        Before that, make sure that in Control Panel => Folder Options,
        View tab, Show hidden files and folders is checked.

        Restart the computer.

        Update Norton with the offline update
        securityresponse.symantec.com/avcenter/download/us-files/20040711-018-i32.exe
        Close all IE browser windows.

        Start the computer in safe mode.

        Scan all disks with Norton.

        After that, start the computer in normal mode.

        Do not open the browser.

        Run HijackThis again, perform a SCAN and check exactly these items:


        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        C:\WINDOWS\secure.html
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        C:\WINDOWS\secure.html
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
        C:\WINDOWS\secure.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        C:\WINDOWS\secure.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT
        USED (OK)
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT
        USED (OK)
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
        Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        C:\WINDOWS\secure.html
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        C:\WINDOWS\secure.html
        O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
        O1 - Hosts: 81.211.105.69 lender-search.com
        O1 - Hosts: 81.211.105.68 hot-searches.com
        O2 - BHO: (no name) - {17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC} - C:\PROGRA~1
        \XSOFTW~1\XPCSPY~1\IESpy.dll
        O2 - BHO: (no name) - {47F03873-954C-7B92-8756-655578AF281C} -
        C:\WINDOWS\System32\eutolvs.dll
        O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -
        C:\WINDOWS\Downloaded Program Files\bridge.dll (file missing)
        O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
        O4 - HKLM\..\Run: [System Check] Rundll32.exe SysDll32.dll,SystemCheck
        O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
        O4 - HKLM\..\RunOnce: [wu] C:\DOCUME~1\Wirus\USTAWI~1\Temp\wu.exe
        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
        O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O15 - Trusted Zone: *.blazefind.com
        O15 - Trusted Zone: *.clickspring.net
        O15 - Trusted Zone: *.flingstone.com
        O15 - Trusted Zone: *.mt-download.com
        O15 - Trusted Zone: *.my-internet.info
        O15 - Trusted Zone: *.skoobidoo.com
        O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) -
        static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
        O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller
        Control) - www.mt-download.com/MediaTicketsInstaller.cab

        After checking them, click FIX CHECKED and OK.

        Restart the computer.

        Find the files secure.html, IESpy.dll, eutolvs.dll, SysDll32.dll, wu.exe

        Download this registry entry
        209.133.47.12/downloads/tools/IEFIX.reg
        Run it by clicking and accept the entry.

        Download the latest CWShredder 209.133.47.12/~merijn/files/CWShredder.exe
        Close all Internet Explorer windows.
        Run CWShredder and perform FIX.

        Scan the system with Ad-aware using the options described here
        ralphcaddell.com/pchelp/Ad-aware%20instructions.htm
        After that, connect to www.windowsupdate.com and update the system with all critical patches.
        Here you have more on this topic
        www.microsoft.com/poland/security/protect/windowsxp/updates.aspx
        When everything is done, paste a new HiJackThis log; make it with the newest version, HiJack 1.98
      • netsec Re: C:\WINDOWS\secure.html how to remove 12.07.04, 15:02
        Of course, additionally find the files secure.html, IESpy.dll, eutolvs.dll, SysDll32.dll, wu.exe and DELETE them
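
Added example (not part of the thread and not HijackThis code): a small Python parser that re-joins the log entries the forum wrapped across lines, keeps them by section code, and raises review prompts for the kinds of items the replies above selected. The sample is an excerpt of the second log on this page; the join rule and the four triage rules are assumptions of this example, not verdicts.

```python
import re

ENTRY_START = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Excerpt of the second log on this page, hard-wrapped as the forum posted it.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\system32\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
C:\WINDOWS\secure.html
O1 - Hosts: 81.211.105.69 lender-search.com
O2 - BHO: (no name) - {17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC} - C:\PROGRA~1
\XSOFTW~1\XPCSPY~1\IESpy.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -
C:\WINDOWS\Downloaded Program Files\bridge.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O15 - Trusted Zone: *.flingstone.com
"""


def join_wrapped(prev, cont):
    """Re-attach a continuation; no space when the break fell inside a path or URL."""
    if cont.startswith("\\") or re.search(r"\S-$", prev):
        return prev + cont
    return prev + " " + cont


def parse_hijackthis(text):
    """Return (processes, entries); entries are (section_code, body) tuples."""
    processes, entries, in_procs, last = [], [], False, None
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()  # tolerate "> " quoting
        m = ENTRY_START.match(line)
        if not line:                            # blank line closes any open entry
            in_procs, last = False, None
        elif m:
            in_procs, last = False, [m.group(1), m.group(2)]
            entries.append(last)
        elif last is not None:                  # wrapped tail of the previous entry
            last[1] = join_wrapped(last[1], line)
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs:
            processes.append(line)
    return processes, [tuple(e) for e in entries]


def triage(entries):
    """Review prompts modelled on the items the replies selected (assumed rules)."""
    hints = []
    for code, body in entries:
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if code in ("R0", "R1") and re.match(r"[A-Za-z]:\\", value):
            hints.append((code, "IE page setting points at a local file", body))
        elif code == "O1" and body.startswith("Hosts:"):
            hints.append((code, "hosts file maps a name to a fixed address", body))
        elif code in ("O2", "O3") and re.search(r"\((no file|file missing)\)$", body):
            hints.append((code, "registered browser add-on with no file on disk", body))
        elif code == "O15":
            hints.append((code, "site added to the IE Trusted Zone", body))
    return hints


if __name__ == "__main__":
    for hint in triage(parse_hijackthis(SAMPLE_LOG)[1]):
        print(*hint, sep=" | ")
```

Entries that raise no prompt, such as the NAV Helper BHO, are still returned by `parse_hijackthis` so they can be reviewed by hand.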