prelnsTT.exe

[Gość: zarazona]

czy ktos ma jakis pomysl na usuniecie tego trojana? Mam program "avast" ktory
regularnie przy kazdym wlaczaniu komputera wykrywa go, ale nie umie usunac
gdyz jak twierdzi - jest aktualnie uzywany. Gdy ustawilam na skanowanie
podczas rozruchu kompa znalazl go i usunal, ale chyba jakos niezbyt dokladnie
bo gdy tylko system sie zaladowal a z nim i avast, wykryl ze znowu (mimo
wczesniejszego usuniecia) sie zaladowal.... obstawiam, ze z trza by go bylo z
rejestru wywalic ale nie bardzo wiem, ktory to klucz :( help!

[kalinowski11]

www.pestpatrol.com/pestinfo/t/twain-tech.asp
research.pestpatrol.com/Search/FileInfoResults.asp?MD5=e2122b80108e0bf53537e64681fc3a72

[Gość: piecyk gazowy]

Uruchom edytor rejestru i wyszukaj wpis zawierający prelnsTT.exe.

[Gość: zarazona]

dobra, wywalenie z rejestru niepomoglo. Po restarcie uparty osiol nadal siedzi
tam skad go usunelam.... wrrrrrrrrrrrrr!!!

[Gość: piecyk gazowy]

A jaki system? Wyłącz przywracanie systemu.

Być może coś jeszcze siedzi w autostarcie...

Wklej loga z HijackThis, ktoś zerknie...

[Gość: zarazona]

oto co znalazl hijackThis:
Logfile of HijackThis v1.97.7
Scan saved at 12:21:52, on 2004-08-24
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Reflection\rtsserv.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\yovaza.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
D:\Winamp\winampa.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Symantec\pcAnywhere\awrem32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\explorer.exe
d:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karolina\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} -
C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03
\bin\jusched.exe
O4 - HKLM\..\Run: [HEPZHRC] C:\WINDOWS\HEPZHRC.exe
O4 - HKLM\..\Run: [bohktid] C:\WINDOWS\bohktid.exe
O4 - HKLM\..\Run: [ylgjuobcan] C:\WINDOWS\System32\yovaza.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] D:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -
quiet
O4 - HKCU\..\Run: [CTI Telefon] "C:\Program Files\Slican\CTI Telefon\CTI.exe"
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date
Manager\DateManager.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Tlumacz z LING... - www.ling.pl/ling/def-
src.php4
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program
Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program
Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program
files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation
Engine) - office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
www.pandasoftware.es/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37708.0408217593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
skaner.mks.com.pl/SkanerOnline.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) -
download.rfwnad.com/cab/dlaccell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E3FEFF6-1EEC-44DF-A7C6-799563EEE550}:
NameServer = 194.204.159.1,194.204.152.34



co dalej?

[Gość: piecyk gazowy]

Gość portalu: zarazona napisał(a):

> O4 - HKLM\..\Run: [HEPZHRC] C:\WINDOWS\HEPZHRC.exe
> O4 - HKLM\..\Run: [bohktid] C:\WINDOWS\bohktid.exe
> O4 - HKLM\..\Run: [ylgjuobcan] C:\WINDOWS\System32\yovaza.exe

> O4 - HKCU\..\Run: [CTI Telefon] "C:\Program Files\Slican\CTI Telefon\CTI.exe"

Wiesz co to ten CTI? Jest wirust o takiej nazwie. Masz taki program CTI
Telefon? Używasz go? Jeśli tak, wszystko OK.

> O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date
> Manager\DateManager.exe

> O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) -

> download.rfwnad.com/cab/dlaccell.CAB

> co dalej?

Zaznacz to co zostawiłem, wciśnij Fix Checked, zrestertuj system i przeskanuj
antywirusem.