*.exe that won't delete.

15.02.05, 20:14
It's on the desktop, it looks like just a shortcut, but there's no way to find
its location and see where it really is.
Some erotic cr.. called Sexplorer. It's also at the bottom right
after the computer is turned on, and it blinks.
How do I remove it?
Thanks in advance for the help.
    • Guest: net.pl Re: *.exe that won't delete. IP: *.internetdsl.tpnet.pl 16.02.05, 10:39
      I have it too and I want to remove this crap
    • kalinowski11 Re: *.exe that won't delete. 16.02.05, 10:45
      Paste the logs from ...

      HijackThis will show what is "sitting" in your computer.

      www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

      1. Download it, run it.
      2. "Do a system scan and save a logfile"
      3. Save the log.
      4. Copy the saved log "with the mouse", paste it into a post and send it
      to the forum.
      5. If we want to delete something, we open HijackThis once
      more, click Scan, check what we want to delete and click
      Fix checked. USE THE DELETE OPTION ONLY AFTER CONSULTING THE FORUM.
      • Guest: zbłądziłem Please help me too IP: *.internetdsl.tpnet.pl 20.04.05, 19:27
        I strayed once and now I'm paying for it ;(( I did what it says here and this
        is what came out:
        Logfile of HijackThis v1.99.1
        Scan saved at 19:17:23, on 2005-04-20
        Platform: Windows XP (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\LEXBCES.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\system32\LEXPPS.EXE
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\WINDOWS\System32\nvsvc32.exe
        C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
        C:\Program Files\Winamp\Winampa.exe
        C:\WINDOWS\System32\LXSUPMON.EXE
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
        C:\WINDOWS\System32\RUNDLL32.EXE
        C:\Program Files\Common Files\Real\Update_OB\realsched.exe
        C:\WINDOWS\System32\paytime.exe
        C:\WINDOWS\System32\atipatxx.exe
        C:\WINDOWS\System32\rundll32.exe
        C:\WINDOWS\System32\rundll32.exe
        C:\Program Files\Nix-Ware\Antydialer\NixAntydialer.exe
        C:\WINDOWS\System32\ctfmon.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\WINDOWS\System32\paytime.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Documents and Settings\x\Pulpit\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        81.222.131.49/index.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
        about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
        res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        81.222.131.49/index.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        81.222.131.49/index.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
        about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
        res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
        81.222.131.49/index.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        about:blank
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        about:blank
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        81.222.131.49/index.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        81.222.131.49/index.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
        O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} -
        C:\WINDOWS\nem220.dll (file missing)
        O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} -
        C:\WINDOWS\systb.dll (file missing)
        O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program
        Files\MyWay\myBar\1.bin\MYBAR.DLL
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
        C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
        O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} -
        C:\WINDOWS\System32\sfg_77c5.dll
        O2 - BHO: (no name) - {6A045CCF-460B-4419-9E52-D7AD3B7E9C21} -
        C:\WINDOWS\System32\ohnn.dll
        O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1
        \COMMON~1\WinTools\WToolsB.dll (file missing)
        O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} -
        C:\WINDOWS\drexinit.dll
        O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} -
        C:\WINDOWS\System32\msbe.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
        C:\WINDOWS\System32\msdxm.ocx
        O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program
        Files\MyWay\myBar\1.bin\MYBAR.DLL
        O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
        O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
        \NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
        O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
        O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
        O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
        O4 - HKLM\..\Run: [redirect] C:\windows\redirect5.exe
        O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
        O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s
        C:\WINDOWS\System32\kdpupd.dll
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
        atboottime
        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32
        \NvMcTray.dll,NvTaskbarInit
        O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program
        Files\webHancer\Programs\whSurvey.exe"
        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
        Files\Real\Update_OB\realsched.exe" -osboot
        O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_77c5.dll"
        O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
        O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
        O4 - HKLM\..\Run:
        [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir
        /PC=CP.AMS /ShowLegalNote=nonbranded
        O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
        Optimizer\optimize.exe"
        O4 - HKLM\..\Run: [saap] c:\program files\180search assistant\saap.exe
        O4 - HKLM\..\Run: [Fhg] C:\WINDOWS\Emu.exe
        O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye
        Network\bin\bargains.exe
        O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
        O4 - HKLM\..\Run: [tateheh] C:\WINDOWS\tateheh.exe
        O4 - HKLM\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
        O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{C19DB75B-724C-
        4E86-97E8-C0106CFEBFB9}\SVCHOST.EXE
        O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
        O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\x\USTAWI~1\Temp\se.dll,DllInstall
        O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
        \NEWDOT~1.DLL,NewDotNetStartup -s
        O4 - HKLM\..\Run: [NixWareAntydialer] C:\Program Files\Nix-
        Ware\Antydialer\NixAntydialer.exe /auto
        O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
        O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_77c5.dll"
        O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
        O4 - HKCU\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
        O4 - Startup: Power Project.lnk = C:\Program Files\Gadu-Gadu\PowerGG.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
        Office\Office10\OSA.EXE
        O8 - Extra context menu item: E&ksport do pr
        • Guest: Kolobos Re: Please help me too IP: *.warszawa.sdi.tpnet.pl 20.04.05, 20:40
          The whole log didn't fit, paste the missing part, or maybe scan right away
          with these too:
          housecall.trendmicro.com/housecall/start_corp.asp
          www.windowsecurity.com/trojanscan/
          www.pandasoftware.com/activescan/pol/activescan_principal.htm
          cwshredder.net/bin/CWShredder.exe <- CWS Shredder
          www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D

          And only then paste a new log ;-)
          • Guest: zbłądziłem Re: Please help me too IP: *.internetdsl.tpnet.pl 20.04.05, 21:01
            done

            Logfile of HijackThis v1.99.1
            Scan saved at 20:58:46, on 2005-04-20
            Platform: Windows XP (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 (6.00.2600.0000)

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\csrss.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\LEXBCES.EXE
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\system32\LEXPPS.EXE
            C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
            C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
            C:\WINDOWS\System32\nvsvc32.exe
            C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
            C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
            C:\WINDOWS\System32\wuauclt.exe
            C:\Program Files\Winamp\Winampa.exe
            C:\WINDOWS\System32\LXSUPMON.EXE
            C:\Program Files\QuickTime\qttask.exe
            C:\WINDOWS\System32\RUNDLL32.EXE
            C:\Program Files\Common Files\Real\Update_OB\realsched.exe
            C:\WINDOWS\System32\paytime.exe
            C:\WINDOWS\System32\atipatxx.exe
            C:\Program Files\Nix-Ware\Antydialer\NixAntydialer.exe
            C:\WINDOWS\System32\rundll32.exe
            C:\WINDOWS\System32\rundll32.exe
            C:\WINDOWS\System32\ctfmon.exe
            C:\Program Files\Messenger\msmsgs.exe
            C:\WINDOWS\System32\paytime.exe
            C:\Documents and Settings\x\Pulpit\HijackThis.exe

            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
            81.222.131.49/index.php
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
            about:blank
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
            res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
            81.222.131.49/index.php
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
            81.222.131.49/index.php
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
            about:blank
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
            res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
            81.222.131.49/index.php
            R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
            about:blank
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
            about:blank
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
            about:blank
            R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
            81.222.131.49/index.php
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
            81.222.131.49/index.php
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
            R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
            F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
            O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} -
            C:\WINDOWS\nem220.dll (file missing)
            O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} -
            C:\WINDOWS\systb.dll (file missing)
            O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program
            Files\MyWay\myBar\1.bin\MYBAR.DLL
            O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
            C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
            O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} -
            C:\WINDOWS\System32\sfg_77c5.dll
            O2 - BHO: (no name) - {6A045CCF-460B-4419-9E52-D7AD3B7E9C21} -
            C:\WINDOWS\System32\ohnn.dll
            O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1
            \COMMON~1\WinTools\WToolsB.dll (file missing)
            O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} -
            C:\WINDOWS\drexinit.dll
            O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} -
            C:\WINDOWS\System32\msbe.dll
            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
            C:\WINDOWS\System32\msdxm.ocx
            O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program
            Files\MyWay\myBar\1.bin\MYBAR.DLL
            O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
            O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
            O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
            \NvCpl.dll,NvStartup
            O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
            O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
            O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
            O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
            O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
            O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
            O4 - HKLM\..\Run: [redirect] C:\windows\redirect5.exe
            O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
            O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s
            C:\WINDOWS\System32\kdpupd.dll
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
            atboottime
            O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32
            \NvMcTray.dll,NvTaskbarInit
            O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program
            Files\webHancer\Programs\whSurvey.exe"
            O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
            Files\Real\Update_OB\realsched.exe" -osboot
            O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_77c5.dll"
            O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
            O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
            O4 - HKLM\..\Run:
            [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir
            /PC=CP.AMS /ShowLegalNote=nonbranded
            O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
            Optimizer\optimize.exe"
            O4 - HKLM\..\Run: [saap] c:\program files\180search assistant\saap.exe
            O4 - HKLM\..\Run: [Fhg] C:\WINDOWS\Emu.exe
            O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye
            Network\bin\bargains.exe
            O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
            O4 - HKLM\..\Run: [tateheh] C:\WINDOWS\tateheh.exe
            O4 - HKLM\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
            O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{C19DB75B-724C-
            4E86-97E8-C0106CFEBFB9}\SVCHOST.EXE
            O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
            O4 - HKLM\..\Run: [NixWareAntydialer] C:\Program Files\Nix-
            Ware\Antydialer\NixAntydialer.exe /auto
            O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
            \NEWDOT~1.DLL,NewDotNetStartup -s
            O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\x\USTAWI~1\Temp\se.dll,DllInstall
            O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
            O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
            O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
            O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
            O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_77c5.dll"
            O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
            O4 - HKCU\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
            O4 - Startup: Power Project.lnk = C:\Program Files\Gadu-Gadu\PowerGG.exe
            O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
            Office\Office10\OSA.EXE
            O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
            • Guest: cd. Re: Please help me too IP: *.internetdsl.tpnet.pl 20.04.05, 21:02
              O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
              res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
              C:\WINDOWS\System32\msjava.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
              00401C608501} - C:\WINDOWS\System32\msjava.dll
              O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
              C:\WINDOWS\web\related.htm
              O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
              00aa003c157a} - C:\WINDOWS\web\related.htm
              O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no
              file)
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
              C:\Program Files\Messenger\MSMSGS.EXE
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
              00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
              O10 - Hijacked Internet access by New.Net
              O10 - Hijacked Internet access by New.Net
              O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
              O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
              security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
              O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
              software-dl.real.com/06f89839c68b5326f406/netzip/RdxIE601.cab
              O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
              Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
              O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) -
              www.180searchassistant.com/180saax.cab
              O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
              www.pandasoftware.com/activescan/as5/asinst.cab
              O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
              skaner.mks.com.pl/SkanerOnline.cab
              O17 - HKLM\System\CCS\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
              NameServer = 194.204.152.34,194.204.159.1
              O17 - HKLM\System\CS1\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
              NameServer = 194.204.152.34,194.204.159.1
              O17 - HKLM\System\CS2\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
              NameServer = 194.204.152.34,194.204.159.1
              O17 - HKLM\System\CS3\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
              NameServer = 194.204.152.34,194.204.159.1
              O18 - Filter: text/html - {CA383568-F0B6-42D6-B521-41C81BCDEFCA} -
              C:\WINDOWS\System32\ohnn.dll
              O18 - Filter: text/plain - {CA383568-F0B6-42D6-B521-41C81BCDEFCA} -
              C:\WINDOWS\System32\ohnn.dll
              O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
              O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll
              O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies -
              C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
              O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
              C:\WINDOWS\system32\LEXBCES.EXE
              O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
              C:\WINDOWS\System32\nvsvc32.exe
              O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

              wow, I think I'm some kind of record holder
            • Guest: Kolobos Re: Please help me too IP: *.warszawa.sdi.tpnet.pl 20.04.05, 21:02
              It still doesn't fit, paste the end ;-)
              • Guest: i nadal błądze Re: Please help me too IP: *.internetdsl.tpnet.pl 20.04.05, 21:05
                I think that's it now
            • Guest: Kolobos Re: Please help me too IP: *.warszawa.sdi.tpnet.pl 20.04.05, 21:19
              Use:
              www.cexx.org/LSPFix.exe and get rid of new.net
              www.derbilk.de/SpSeHjfix110.zip this is for se.dll

              Then remove that backdoor drct16.dll and its buddy ntfs:
              www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&p=109496&#entry132561

              Uninstall:
              SafeGuard Protect PCShield
              New.Net
              MyBar
              WinTools
              [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE <- I don't know what it's
              called, but this too :P
              webHancer Survey Companion
              BullsEye or something with bargains in the name

              If something isn't there, skip it

              Check these entries in HijackThis:

              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
              81.222.131.49/index.php
              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
              about:blank
              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
              res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
              81.222.131.49/index.php
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
              81.222.131.49/index.php
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
              about:blank
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
              res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
              81.222.131.49/index.php
              R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
              about:blank
              R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
              about:blank
              R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
              about:blank
              R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
              81.222.131.49/index.php
              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
              81.222.131.49/index.php
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
              F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
              O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} -
              C:\WINDOWS\nem220.dll (file missing)
              O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} -
              C:\WINDOWS\systb.dll (file missing)
              O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program
              Files\MyWay\myBar\1.bin\MYBAR.DLL
              O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} -
              C:\WINDOWS\System32\sfg_77c5.dll
              O2 - BHO: (no name) - {6A045CCF-460B-4419-9E52-D7AD3B7E9C21} -
              C:\WINDOWS\System32\ohnn.dll
              O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1
              \COMMON~1\WinTools\WToolsB.dll (file missing)
              O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} -
              C:\WINDOWS\drexinit.dll
              O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} -
              C:\WINDOWS\System32\msbe.dll
              O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program
              Files\MyWay\myBar\1.bin\MYBAR.DLL
              O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
              O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
              O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
              O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
              O4 - HKLM\..\Run: [redirect] C:\windows\redirect5.exe
              O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s
              C:\WINDOWS\System32\kdpupd.dll
              ] RUNDLL32.EXE C:\WINDOWS\System32
              O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program
              Files\webHancer\Programs\whSurvey.exe"
              O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
              Files\Real\Update_OB\realsched.exe" -osboot
              O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_77c5.dll"
              O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
              O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
              O4 - HKLM\..\Run:
              [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir
              /PC=CP.AMS /ShowLegalNote=nonbranded
              O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
              Optimizer\optimize.exe"
              O4 - HKLM\..\Run: [saap] c:\program files\180search assistant\saap.exe
              O4 - HKLM\..\Run: [Fhg] C:\WINDOWS\Emu.exe
              O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye
              Network\bin\bargains.exe
              O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
              O4 - HKLM\..\Run: [tateheh] C:\WINDOWS\tateheh.exe
              O4 - HKLM\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
              O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{C19DB75B-724C-
              4E86-97E8-C0106CFEBFB9}\SVCHOST.EXE
              O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
              O4 - HKLM\..\Run: [NixWareAntydialer] C:\Program Files\Nix-
              Ware\Antydialer\NixAntydialer.exe /auto
              O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1
              \NEWDOT~1.DLL,NewDotNetStartup -s
              O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\x\USTAWI~1\Temp\se.dll,DllInstall
              O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
              O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_77c5.dll"
              O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
              O4 - HKCU\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
              O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
              O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
              C:\WINDOWS\web\related.htm
              O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
              00aa003c157a} - C:\WINDOWS\web\related.htm
              O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no
              file)
              O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) -
              www.180searchassistant.com/180saax.cab
              O18 - Filter: text/html - {CA383568-F0B6-42D6-B521-41C81BCDEFCA} -
              C:\WINDOWS\System32\ohnn.dll
              O18 - Filter: text/plain - {CA383568-F0B6-42D6-B521-41C81BCDEFCA} -
              C:\WINDOWS\System32\ohnn.dll
              O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
              O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll
              O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

              Fix Checked, and after a reboot paste a new log.

              What a MESS! I don't know how anyone can do something like this: no updates etc.,
              and on top of that you go to porn sites and the like and click on everything
              that pops up on the pages.

              Also install:
              www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D
              www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster
              Enable browser protection in both.

              And an antivirus, because you probably don't have one:
              www.avast.com/eng/avast_4_home.html
              • Guest: odnajduję się Re: Please help me too IP: *.internetdsl.tpnet.pl 20.04.05, 21:59
                A considerable improvement. This is how it looks now. Only I somehow can't find MyBar,
                WinTools, Safe Guard, BullsEye, webHancer Survey Companion.
                Logfile of HijackThis v1.99.1
                Scan saved at 21:54:04, on 2005-04-20
                Platform: Windows XP (WinNT 5.01.2600)
                MSIE: Internet Explorer v6.00 (6.00.2600.0000)

                Running processes:
                C:\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\Explorer.EXE
                C:\WINDOWS\system32\LEXBCES.EXE
                C:\WINDOWS\system32\spoolsv.exe
                C:\WINDOWS\system32\LEXPPS.EXE
                C:\WINDOWS\System32\rundll32.exe
                C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
                C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                C:\WINDOWS\System32\nvsvc32.exe
                C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
                C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
                C:\Documents and Settings\x\Pulpit\HijackThis.exe

                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
                81.222.131.49/index.php
                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
                res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
                81.222.131.49/index.php
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
                res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
                R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                about:blank
                R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                about:blank
                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
                81.222.131.49/index.php
                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
                R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
                81.222.131.49/index.php
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
                R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
                C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
                O2 - BHO: (no name) - {48038193-2D90-431B-AD22-1D007B6F53B9} -
                C:\WINDOWS\System32\ohnn.dll
                O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
                C:\WINDOWS\System32\msdxm.ocx
                O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
                \NvCpl.dll,NvStartup
                O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\x\USTAWI~1\Temp\se.dll,DllInstall
                O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
                O4 - Startup: Power Project.lnk = C:\Program Files\Gadu-Gadu\PowerGG.exe
                O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
                Office\Office10\OSA.EXE
                O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no
                file)
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
                C:\Program Files\Messenger\MSMSGS.EXE
                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
                00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
                O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
                O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
                security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
                O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
                software-dl.real.com/06f89839c68b5326f406/netzip/RdxIE601.cab
                O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
                Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
                O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
                www.pandasoftware.com/activescan/as5/asinst.cab
                O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
                skaner.mks.com.pl/SkanerOnline.cab
                O17 - HKLM\System\CCS\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                NameServer = 194.204.152.34,194.204.159.1
                O17 - HKLM\System\CS1\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                NameServer = 194.204.152.34,194.204.159.1
                O17 - HKLM\System\CS2\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                NameServer = 194.204.152.34,194.204.159.1
                O17 - HKLM\System\CS3\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                NameServer = 194.204.152.34,194.204.159.1
                O18 - Filter: text/html - {C9409599-F7F2-466B-A984-55B727B46528} -
                C:\WINDOWS\System32\ohnn.dll
                O18 - Filter: text/plain - {C9409599-F7F2-466B-A984-55B727B46528} -
                C:\WINDOWS\System32\ohnn.dll
                O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
                O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies -
                C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
                O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
                C:\WINDOWS\system32\LEXBCES.EXE
                O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
                C:\WINDOWS\System32\nvsvc32.exe

                • Guest: Kolobos Re: Please help me too IP: *.warszawa.sdi.tpnet.pl 20.04.05, 22:05
                  Hardly an improvement, you still have junk. You were supposed to remove
                  O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll, and I can still
                  see it, so do it once more; here is the description:
                  www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&p=109496&#entry132561
                  It must not be in the next log! ;-)

                  Use this once more:
                  www.derbilk.de/SpSeHjfix110.zip


                  Check these entries:

                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
                  81.222.131.49/index.php
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
                  res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
                  81.222.131.49/index.php
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
                  res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                  about:blank
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                  about:blank
                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
                  81.222.131.49/index.php
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
                  81.222.131.49/index.php
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
                  O2 - BHO: (no name) - {48038193-2D90-431B-AD22-1D007B6F53B9} -
                  C:\WINDOWS\System32\ohnn.dll
                  O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\x\USTAWI~1\Temp\se.dll,DllInstall
                  O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no
                  file)
                  O18 - Filter: text/html - {C9409599-F7F2-466B-A984-55B727B46528} -
                  C:\WINDOWS\System32\ohnn.dll
                  O18 - Filter: text/plain - {C9409599-F7F2-466B-A984-55B727B46528} -
                  C:\WINDOWS\System32\ohnn.dll
                  O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

                  And Fix Checked; then in HijackThis go to Config->Misc Tools->Delete file
                  on reboot and paste in the paths to:
                  C:\WINDOWS\System32\ohnn.dll (don't browse for the file, just paste the ready path) and OK, but
                  don't reboot, just add the next one:
                  C:\WINDOWS\SYSTEM32\drct16.dll <- but remove this one the way the description says, because it is
                  not the only file, and it is the worst thing you have right now
                  and the next one:
                  C:\DOCUME~1\x\USTAWI~1\Temp\se.dll

                  Only then reboot, but first remove C:\WINDOWS\SYSTEM32\drct16.dll the way
                  it is described on the page I gave.
                  After the reboot, paste a new HijackThis log.
                  • lemurzysko Re: Please help me too 21.04.05, 00:00
                    I haven't seen anything like this before. Sorry, I did see it today at my sweetheart's. A serious operation similar to this one awaits me.
                  • Guest: to znowu ja Re: Please help me too IP: *.internetdsl.tpnet.pl 21.04.05, 10:01
                    Hello again. I looked for drct16.dll in Windows/system32 and didn't find it, but
                    I did throw out a few trojans with avast. I am very, very grateful for your
                    great help. I see that you help many people here; if I were a kid from the
                    housing blocks or some other hip-hopper I would say respect to you :). You saved
                    me from trouble and from my woman's wrath ;))
                    And now it looks like this:

                    Logfile of HijackThis v1.99.1
                    Scan saved at 09:51:26, on 2005-04-21
                    Platform: Windows XP (WinNT 5.01.2600)
                    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

                    Running processes:
                    C:\WINDOWS\System32\smss.exe
                    C:\WINDOWS\SYSTEM32\winlogon.exe
                    C:\WINDOWS\system32\services.exe
                    C:\WINDOWS\system32\lsass.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\Explorer.EXE
                    C:\WINDOWS\system32\LEXBCES.EXE
                    C:\WINDOWS\system32\LEXPPS.EXE
                    C:\WINDOWS\system32\spoolsv.exe
                    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                    C:\Program Files\Alwil Software\Avast4\ashServ.exe
                    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
                    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                    C:\WINDOWS\System32\nvsvc32.exe
                    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
                    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
                    C:\WINDOWS\System32\wuauclt.exe
                    C:\Documents and Settings\x\Pulpit\HijackThis.exe

                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
                    res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                    www.onet.pl/
                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
                    res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
                    C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
                    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
                    C:\WINDOWS\System32\msdxm.ocx
                    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
                    \NvCpl.dll,NvStartup
                    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                    O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
                    O4 - Startup: Power Project.lnk = C:\Program Files\Gadu-Gadu\PowerGG.exe
                    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
                    Office\Office10\OSA.EXE
                    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
                    C:\Program Files\Messenger\MSMSGS.EXE
                    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
                    00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
                    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
                    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
                    security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
                    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
                    software-dl.real.com/06f89839c68b5326f406/netzip/RdxIE601.cab
                    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
                    Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
                    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
                    www.pandasoftware.com/activescan/as5/asinst.cab
                    O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
                    skaner.mks.com.pl/SkanerOnline.cab
                    O17 - HKLM\System\CCS\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                    NameServer = 194.204.152.34,194.204.159.1
                    O17 - HKLM\System\CS1\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                    NameServer = 194.204.152.34,194.204.159.1
                    O17 - HKLM\System\CS2\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                    NameServer = 194.204.152.34,194.204.159.1
                    O17 - HKLM\System\CS3\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                    NameServer = 194.204.152.34,194.204.159.1
                    O18 - Filter: text/html - {D01559F4-6D59-42F6-8B79-1D9D4824AED6} -
                    C:\WINDOWS\System32\ohnn.dll
                    O18 - Filter: text/plain - {D01559F4-6D59-42F6-8B79-1D9D4824AED6} -
                    C:\WINDOWS\System32\ohnn.dll
                    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
                    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
                    Software\Avast4\ashServ.exe
                    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
                    Software\Avast4\ashMaiSv.exe" /service (file missing)
                    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
                    Software\Avast4\ashWebSv.exe" /service (file missing)
                    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies -
                    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
                    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
                    C:\WINDOWS\system32\LEXBCES.EXE
                    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
                    C:\WINDOWS\System32\nvsvc32.exe

                    • Guest: Kolobos Re: Please help me too IP: *.warszawa.sdi.tpnet.pl 21.04.05, 12:12
                      But did you remove everything related to drct16.dll the way it is described on
                      the page I gave? Because this trojan also has a keylogger, from what I remember,
                      and records everything you type on the keyboard etc.; that is why I wrote so many
                      times that you should remove it the way it is described.

                      The log still looks almost the same as last time; check these entries:

                      Only this CWS AboutBlank is left now

                      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
                      res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
                      res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
                      O18 - Filter: text/html - {D01559F4-6D59-42F6-8B79-1D9D4824AED6} -
                      C:\WINDOWS\System32\ohnn.dll
                      O18 - Filter: text/plain - {D01559F4-6D59-42F6-8B79-1D9D4824AED6} -
                      C:\WINDOWS\System32\ohnn.dll

                      And Fix Checked; then download this:
                      www.downloads.subratam.org/KillBox.zip
                      Unpack it, select Delete file on reboot, paste the path to the file (don't browse
                      for it yourself, just paste the ready path) and press the red button, but answer
                      no to the question about rebooting, and do this with these files:
                      C:\WINDOWS\System32\ohnn.dll
                      C:\DOCUME~1\x\USTAWI~1\Temp\se.dll

                      After the reboot, paste a new HijackThis log.
                      • Guest: zrobione Re: Please help me too IP: *.internetdsl.tpnet.pl 21.04.05, 12:37
                        Done, boss :)

                        Logfile of HijackThis v1.99.1
                        Scan saved at 12:34:14, on 2005-04-21
                        Platform: Windows XP (WinNT 5.01.2600)
                        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

                        Running processes:
                        C:\WINDOWS\System32\smss.exe
                        C:\WINDOWS\SYSTEM32\winlogon.exe
                        C:\WINDOWS\system32\services.exe
                        C:\WINDOWS\system32\lsass.exe
                        C:\WINDOWS\system32\svchost.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\Explorer.EXE
                        C:\WINDOWS\system32\LEXBCES.EXE
                        C:\WINDOWS\system32\spoolsv.exe
                        C:\WINDOWS\system32\LEXPPS.EXE
                        C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                        C:\Program Files\Alwil Software\Avast4\ashServ.exe
                        C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
                        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                        C:\WINDOWS\System32\nvsvc32.exe
                        C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
                        C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
                        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                        C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                        C:\WINDOWS\System32\wuauclt.exe
                        C:\Documents and Settings\x\Pulpit\HijackThis.exe

                        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                        www.onet.pl/
                        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
                        C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
                        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
                        C:\WINDOWS\System32\msdxm.ocx
                        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
                        \NvCpl.dll,NvStartup
                        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                        O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
                        O4 - Startup: Power Project.lnk = C:\Program Files\Gadu-Gadu\PowerGG.exe
                        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
                        Office\Office10\OSA.EXE
                        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
                        C:\Program Files\Messenger\MSMSGS.EXE
                        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
                        00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
                        O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
                        O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
                        security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
                        O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
                        software-dl.real.com/06f89839c68b5326f406/netzip/RdxIE601.cab
                        O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
                        Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
                        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
                        www.pandasoftware.com/activescan/as5/asinst.cab
                        O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
                        skaner.mks.com.pl/SkanerOnline.cab
                        O17 - HKLM\System\CCS\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                        NameServer = 194.204.152.34,194.204.159.1
                        O17 - HKLM\System\CS1\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                        NameServer = 194.204.152.34,194.204.159.1
                        O17 - HKLM\System\CS2\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                        NameServer = 194.204.152.34,194.204.159.1
                        O17 - HKLM\System\CS3\Services\Tcpip\..\{3955CAD2-E82B-4F2E-A7DC-94A8D0D9FCC3}:
                        NameServer = 194.204.152.34,194.204.159.1
                        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
                        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                        O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
                        Software\Avast4\ashServ.exe
                        O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
                        Software\Avast4\ashMaiSv.exe" /service (file missing)
                        O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
                        Software\Avast4\ashWebSv.exe" /service (file missing)
                        O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies -
                        C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
                        O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
                        C:\WINDOWS\system32\LEXBCES.EXE
                        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
                        C:\WINDOWS\System32\nvsvc32.exe

                        As for the question, I no longer know myself what I did, but it's probably gone by now...
                        • Guest: Kolobos Re: Please help me too IP: *.warszawa.sdi.tpnet.pl 21.04.05, 13:00
                          The log is clean now.
                          Since you don't know whether it is there or not, open that description and check
                          whether you did everything, and you will know for sure.
                          Finally, scan with these too, just to be sure:
                          housecall.trendmicro.com/housecall/start_corp.asp
                          www.windowsecurity.com/trojanscan/
                          www.pandasoftware.com/activescan/pol/activescan_principal.htm
                          Don't go to strange sites any more or click on anything, and it will be fine.
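
The check asked for in this thread (a flagged entry must not be in the next log), as an added example that is not part of the thread or of HijackThis: it rejoins the lines the forum wrapped and matches entries by section code and file path, because the O18 CLSID differs between the logs above while the file stays ohnn.dll. The function names are hypothetical and the two excerpts are constructed from the logs in the thread.

```python
import re

# Section codes that start a HijackThis entry: R0-R3, F0-F3, N1-N4, O1-O23.
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# A Windows path with a drive letter, up to a binary extension.
FILE_PATH = re.compile(r'[A-Za-z]:\\[^,"]*?\.(?:dll|exe|ocx)', re.IGNORECASE)

# Constructed excerpt: some of the entries the helper asked to fix (20.04.05, 22:05).
FLAGGED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
O2 - BHO: (no name) - {48038193-2D90-431B-AD22-1D007B6F53B9} -
C:\WINDOWS\System32\ohnn.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\x\USTAWI~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {C9409599-F7F2-466B-A984-55B727B46528} -
C:\WINDOWS\System32\ohnn.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
"""

# Constructed excerpt: part of the follow-up log (21.04.05, 09:51).
NEWER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\DOCUME~1\x\USTAWI~1\Temp\se.dll/spage.html
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32
\NvCpl.dll,NvStartup
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Filter: text/html - {D01559F4-6D59-42F6-8B79-1D9D4824AED6} -
C:\WINDOWS\System32\ohnn.dll

Prose after a blank line is not part of the log and is ignored.
"""


def parse_entries(log_text):
    """Return the log's entries as single lines, undoing the forum's wrapping."""
    entries = []
    in_entries = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_START.match(line):
            entries.append(line)
            in_entries = True
        elif not line:
            in_entries = False  # a blank line ends the entry block
        elif in_entries:
            prev = entries[-1]
            # A break inside a token (GUID cut after "-", path cut before "\")
            # is rejoined without a space; any other break was at a space.
            glued = line.startswith("\\") or (
                prev.endswith("-") and not prev.endswith(" -"))
            entries[-1] = prev + ("" if glued else " ") + line
    return entries


def entry_key(entry):
    """(section, lower-cased file path), or (section, full text) if no file."""
    section = entry.split(" - ", 1)[0]
    match = FILE_PATH.search(entry)
    return (section, match.group(0).lower() if match else entry.lower())


def still_present(flagged_text, newer_log_text):
    """Flagged entries whose section and file still occur in the newer log."""
    newer_keys = {entry_key(e) for e in parse_entries(newer_log_text)}
    return [e for e in parse_entries(flagged_text) if entry_key(e) in newer_keys]


if __name__ == "__main__":
    for entry in still_present(FLAGGED, NEWER_LOG):
        print("still in the newer log:", entry)
```

Matching on the full entry text would report the O18 filter as removed, because only its CLSID changed.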