
Infected Windows XP

17.05.05, 16:25
When I connect to the internet or open some folder, avast! detects a Trojan horse
named "Win32:StartPage 076" at the path:
D:\DOCUME~1\Marcin\USTAWI~1\Temp\se.dll
After avast! detects it I can choose "Delete" or "Quarantine", but neither
helps. There are also more pop-ups than usual, and from one of them I learned
that my computer is 18% infected. As if that weren't enough, the internet is
also slower than before. What should I do to remove this virus?
    • kalinowski11 Re: Infected Windows XP 17.05.05, 16:30
      Download the program below. HijackThis will show you what is "sitting" in your computer.

      www.spychecker.com/program/hijackthis.html
      www.majorgeeks.com/downloadget.php?id=3155&file=11&evp=3304750663b552982a8baee6434cfc13

      1. Download it and run it.
      2. "Do a system scan and save a logfile"
      3. Save the log.
      4. Copy the saved log (select it with the mouse), paste it into a post and send it
      to the forum.
      5. If we want to delete something, we open HijackThis again, click Scan,
      tick what we want to delete and click Fix checked.
      USE THE DELETE OPTION ONLY AFTER CONSULTING THE FORUM.
      • mar_nn Re: Infected Windows XP 17.05.05, 17:00
        Logfile of HijackThis v1.99.1
        Scan saved at 16:58:17, on 2005-05-17
        Platform: Windows XP (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

        Running processes:
        D:\WINDOWS\System32\smss.exe
        D:\WINDOWS\system32\winlogon.exe
        D:\WINDOWS\system32\services.exe
        D:\WINDOWS\system32\lsass.exe
        D:\WINDOWS\system32\svchost.exe
        D:\WINDOWS\System32\svchost.exe
        D:\WINDOWS\system32\spoolsv.exe
        D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        D:\Program Files\Alwil Software\Avast4\ashServ.exe
        D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        D:\WINDOWS\Explorer.EXE
        D:\WINDOWS\System32\rundll32.exe
        D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
        D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
        D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
        D:\WINDOWS\System32\atiupdpl.exe
        D:\d\Gadu-Gadu\gg.exe
        D:\WINDOWS\System32\??xplore.exe
        D:\Program Files\Internet Explorer\IEXPLORE.EXE
        D:\Program Files\Hotbar\Bin\4.6.1.0\HbSrv.exe
        D:\Program Files\Winamp\Winamp.exe
        D:\Documents and Settings\Marcin\Pulpit\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        213.159.117.134/index.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
        res://D:\DOCUME~1\Marcin\USTAWI~1\Temp\se.dll/spage.html
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        213.159.117.134/index.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
        res://D:\DOCUME~1\Marcin\USTAWI~1\Temp\se.dll/spage.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        about:blank
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        about:blank
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        213.159.117.134/index.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        213.159.117.134/index.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
        file)
        O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
        O1 - Hosts: 127.0.0.3 x.full-tgp.net
        O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
        O1 - Hosts: 127.0.0.3 autoescrowpay.com
        O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
        O1 - Hosts: 127.0.0.3 www.awmdabest.com
        O1 - Hosts: 127.0.0.3 www.sexfiles.nu
        O1 - Hosts: 127.0.0.3 awmdabest.com
        O1 - Hosts: 127.0.0.3 sexfiles.nu
        O1 - Hosts: 127.0.0.3 allforadult.com
        O1 - Hosts: 127.0.0.3 www.allforadult.com
        O1 - Hosts: 127.0.0.3 www.iframe.biz
        O1 - Hosts: 127.0.0.3 iframe.biz
        O1 - Hosts: 127.0.0.3 www.newiframe.biz
        O1 - Hosts: 127.0.0.3 newiframe.biz
        O1 - Hosts: 127.0.0.3 www.vesbiz.biz
        O1 - Hosts: 127.0.0.3 vesbiz.biz
        O1 - Hosts: 127.0.0.3 www.pi..to.biz
        O1 - Hosts: 127.0.0.3 pi..to.biz
        O1 - Hosts: 127.0.0.3 www.aaasexypics.com
        O1 - Hosts: 127.0.0.3 aaasexypics.com
        O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
        O1 - Hosts: 127.0.0.3 virgin-tgp.net
        O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} -
        D:\Program Files\iMesh\iMesh5\iMeshBHO.dll
        O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} -
        D:\WINDOWS\nem220.dll (file missing)
        O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
        D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
        O2 - BHO: (no name) - {0564B911-5784-390C-8E78-2D27B597BCE3} -
        D:\WINDOWS\System32\yzqgsja.dll
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
        D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: (no name) - {073DEE19-5AD4-6A0D-8E78-2D27B597BCE3} -
        D:\WINDOWS\System32\yzqgsja.dll
        O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - D:\PROGRA~1
        \SEARCH~2\SEARCH~2.DLL
        O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - D:\Program
        Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
        O2 - BHO: - {461FAD7A-B8B9-4020-ADE6-E034E12E4013} - D:\WINDOWS\lbbho.dll
        O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - D:\Program
        Files\NewDotNet\newdotnet6_38.dll
        O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} -
        D:\WINDOWS\questmod.dll (file missing)
        O2 - BHO: (no name) - {A132BEBF-0324-6AA0-7D27-78C2BB2546E4} -
        D:\WINDOWS\System32\xgdjp.dll (file missing)
        O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - D:\Program
        Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
        O2 - BHO: (no name) - {B8E78A39-A1BC-4319-B526-A81C5D5DFC13} -
        D:\WINDOWS\System32\bbol.dll
        O2 - BHO: (no name) - {E41EC070-7CBC-1166-E1DE-57C0CBE55AED} -
        D:\WINDOWS\System32\wle.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
        D:\WINDOWS\System32\msdxm.ocx
        O3 - Toolbar: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - D:\Program
        Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
        O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
        D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
        O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1
        \NEWDOT~2.DLL,NewDotNetStartup -s
        O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02
        \bin\jusched.exe
        O4 - HKLM\..\Run: [SAHAgent] D:\WINDOWS\System32\SahAgent.exe
        O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [WheelMouse] D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
        O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        O4 - HKLM\..\Run: [RemoteControl] "D:\Program
        Files\CyberLink\PowerDVD\PDVDServ.exe"
        O4 - HKLM\..\Run: [atiupdpl] D:\WINDOWS\System32\atiupdpl.exe
        O4 - HKLM\..\RunServices: [atiupdpl] D:\WINDOWS\System32\atiupdpl.exe
        O4 - HKCU\..\Run: [Gadu-Gadu] "D:\d\Gadu-Gadu\gg.exe" /tray
        O4 - HKCU\..\Run: [Wrdj] D:\WINDOWS\System32\??xplore.exe
        O4 - HKCU\..\Run: [atiupdpl] D:\WINDOWS\System32\atiupdpl.exe
        O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft
        Office\Office10\OSA.EXE
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program
        Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
        O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
        res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
        D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
        00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
        O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-
        9F63-900533FAFE14} - D:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
        O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
        D:\WINDOWS\web\related.htm
        O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
        00aa003c157a} - D:\WINDOWS\web\related.htm
        O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-
        4a96-8D08-02B42891C169} - D:\Program Files\ShopperReports\Bin\1.0.4.0
        \ShprRprt.dll
        O10 - Hijacked Internet access by New.Net
        O15 - Trusted Zone: *.blazefind.com
        O15 - Trusted Zone: *.clickspring.net
        O15 - Trusted Zone: *.crazywinnings.com
        O15 - Trusted Zone: *.flingstone.com
        O15 - Trusted Zone: *.iframedollars.biz
        O15 - Trusted Zone: *.mt-download.com
        O15 - Trusted Zone: *.my-internet.info
        O15 - Trusted Zone: *.searchbarcash.com
        O15 - Trusted Zone: *.searchmiracle.com
      • Guest: Kolobos Re: Infected Windows XP IP: *.warszawa.sdi.tpnet.pl 17.05.05, 17:12
          You all have the same thing: constantly just about:blank, plus new.net and so on.

          Use this:
          www.trojaner-info.de/files/SpSeHjfix112.exe
          www.cexx.org/LSPFix.exe and remove newdotnet6_38.dll
          www.searchengines.pl/phpbb203/index.php?
          s=5debf1bfeab0c89e54567f66c39699f0&act=Attach&type=post&id=459

          In HijackThis choose scan only and tick these entries:

          > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
          > 213.159.117.134/index.php
          > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
          > res://D:\DOCUME~1\Marcin\USTAWI~1\Temp\se.dll/spage.html
          > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
          > 213.159.117.134/index.php
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
          > res://D:\DOCUME~1\Marcin\USTAWI~1\Temp\se.dll/spage.html
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
          > R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          > about:blank
          > R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          > about:blank
          > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          > 213.159.117.134/index.php
          > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
          > R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          > 213.159.117.134/index.php
          > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
          > R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
          > file)
          > O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
          > O1 - Hosts: 127.0.0.3 x.full-tgp.net
          > O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
          > O1 - Hosts: 127.0.0.3 autoescrowpay.com
          > O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
          > O1 - Hosts: 127.0.0.3 www.awmdabest.com
          > O1 - Hosts: 127.0.0.3 www.sexfiles.nu
          > O1 - Hosts: 127.0.0.3 awmdabest.com
          > O1 - Hosts: 127.0.0.3 sexfiles.nu
          > O1 - Hosts: 127.0.0.3 allforadult.com
          > O1 - Hosts: 127.0.0.3 www.allforadult.com
          > O1 - Hosts: 127.0.0.3 www.iframe.biz
          > O1 - Hosts: 127.0.0.3 iframe.biz
          > O1 - Hosts: 127.0.0.3 www.newiframe.biz
          > O1 - Hosts: 127.0.0.3 newiframe.biz
          > O1 - Hosts: 127.0.0.3 www.vesbiz.biz
          > O1 - Hosts: 127.0.0.3 vesbiz.biz
          > O1 - Hosts: 127.0.0.3 www.pi..to.biz
          > O1 - Hosts: 127.0.0.3 pi..to.biz
          > O1 - Hosts: 127.0.0.3 www.aaasexypics.com
          > O1 - Hosts: 127.0.0.3 aaasexypics.com
          > O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
          > O1 - Hosts: 127.0.0.3 virgin-tgp.net
          > O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} -
          > D:\WINDOWS\nem220.dll (file missing)
          > O2 - BHO: (no name) - {0564B911-5784-390C-8E78-2D27B597BCE3} -
          > D:\WINDOWS\System32\yzqgsja.dll
          > O2 - BHO: (no name) - {073DEE19-5AD4-6A0D-8E78-2D27B597BCE3} -
          > D:\WINDOWS\System32\yzqgsja.dll
          > O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - D:\PROGRA~1
          > \SEARCH~2\SEARCH~2.DLL
          > O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - D:\Program
          > Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
          > O2 - BHO: - {461FAD7A-B8B9-4020-ADE6-E034E12E4013} - D:\WINDOWS\lbbho.dll
          > O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - D:\Program
          > Files\NewDotNet\newdotnet6_38.dll
          > O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} -
          > D:\WINDOWS\questmod.dll (file missing)
          > O2 - BHO: (no name) - {A132BEBF-0324-6AA0-7D27-78C2BB2546E4} -
          > D:\WINDOWS\System32\xgdjp.dll (file missing)
          > O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - D:\Program
          > Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
          > O2 - BHO: (no name) - {B8E78A39-A1BC-4319-B526-A81C5D5DFC13} -
          > D:\WINDOWS\System32\bbol.dll
          > O2 - BHO: (no name) - {E41EC070-7CBC-1166-E1DE-57C0CBE55AED} -
          > D:\WINDOWS\System32\wle.dll
          > O3 - Toolbar: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - D:\Program
          > Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
          > O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1
          > \NEWDOT~2.DLL,NewDotNetStartup -s
          > O4 - HKLM\..\Run: [SAHAgent] D:\WINDOWS\System32\SahAgent.exe
          > O4 - HKLM\..\Run: [atiupdpl] D:\WINDOWS\System32\atiupdpl.exe
          > O4 - HKLM\..\RunServices: [atiupdpl] D:\WINDOWS\System32\atiupdpl.exe
          > O4 - HKCU\..\Run: [Wrdj] D:\WINDOWS\System32\??xplore.exe
          > O4 - HKCU\..\Run: [atiupdpl] D:\WINDOWS\System32\atiupdpl.exe
          > O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-
          > 9F63-900533FAFE14} - D:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
          > O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
          > D:\WINDOWS\web\related.htm
          > O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
          > 00aa003c157a} - D

          And Fix Checked, then download:
          www.downloads.subratam.org/KillBox.zip
          Unzip it, tick Delete file on reboot, paste the path to the file (don't
          search for it yourself, just paste the ready one) and press the red button,
          but answer no to the question about a reset, and do that with these files:

          D:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
          D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
          D:\WINDOWS\System32\??xplore.exe
          D:\WINDOWS\System32\atiupdpl.exe
          D:\WINDOWS\System32\SahAgent.exe
          D:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll
          D:\Program Files\NewDotNet\newdotnet6_38.dll
          D:\WINDOWS\System32\bbol.dll
          D:\WINDOWS\System32\wle.dll
          D:\WINDOWS\System32\yzqgsja.dll
          D:\PROGRA~1\SEARCH~2\SEARCH~2.DLL
          D:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
          D:\WINDOWS\lbbho.dll
          D:\DOCUME~1\Marcin\USTAWI~1\Temp\se.dll

          And after the reset paste the WHOLE log, not just part of it like now.
          • kalinowski11 Re: Infected Windows XP 17.05.05, 17:25
            It would also be worth having a look here :)

            windowsupdate.microsoft.com/

            Regards.
        • neder Re: Infected Windows XP 17.05.05, 17:26
          Just to be sure :) Since you have a lot to remove, be careful what you
          tick. Some people tend to over-interpret and tick everything in sight, and
          since you have quite a lot, check twice before you remove anything in HJ ;)
          You can blindly remove all O1 and O15 entries.
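Added example (not code from any post in this thread): a Python script that applies, to a HijackThis v1.99 log, the triage rules the replies above use by hand. Kolobos ticks the IE R0/R1 entries that point at about:blank, a bare IP address or a res:// path into Temp, the 127.0.0.3 hosts overrides, the unnamed or file-missing BHOs, the New.Net O10 hijack and the O18 MIME filters; neder's rule is that every O1 and O15 line goes. The sample lines are copied from the log posted above, unwrapped to one entry per line as HijackThis writes them, plus three benign entries for contrast; the rule set and the function names (`reasons_for`, `triage`, `counts_by_section`) are the example's own choice, not HijackThis features.

```python
import re
from typing import Dict, List

# Constructed sample in the one-entry-per-line format HijackThis v1.99 writes.
# Entries are copied from the log posted in this thread, plus three benign
# ones (Google start page, Adobe BHO, avast! autorun) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Marcin\USTAWI~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.pl/
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0564B911-5784-390C-8E78-2D27B597BCE3} - D:\WINDOWS\System32\yzqgsja.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - D:\WINDOWS\questmod.dll (file missing)
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Wrdj] D:\WINDOWS\System32\??xplore.exe
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.searchmiracle.com
O18 - Filter: text/html - {2B0F4BEA-B88B-456C-A494-A0A00FFF4402} - D:\WINDOWS\System32\bbol.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
BARE_IP_RE = re.compile(r"^(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)                    # path passes through a Temp dir
ADDON_NAME_RE = re.compile(r"^(?:BHO|Toolbar):\s*(.*?)\s*-\s*\{")  # add-on name before its CLSID


def reasons_for(sec: str, body: str) -> List[str]:
    """Return the reasons an entry deserves review (empty list: looks benign).

    The rules mirror what the thread applies by hand; a hit means "check this",
    not "delete this", which is kalinowski11's point about consulting first.
    """
    hits: List[str] = []
    low = body.lower()
    if sec in ("R0", "R1", "R3"):
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if value == "about:blank":
            hits.append("IE search/home page reset to about:blank")
        if value.startswith("res://") or TEMP_RE.search(value):
            hits.append("IE page served from a local DLL or Temp resource")
        if BARE_IP_RE.match(value):
            hits.append("IE page points at a bare IP address")
        if "(no file)" in low:
            hits.append("search hook with no backing file")
    elif sec == "O1":
        hits.append("hosts-file override (thread rule: every O1 goes)")
    elif sec in ("O2", "O3"):
        m = ADDON_NAME_RE.match(body)
        if m is None or m.group(1) in ("", "(no name)"):
            hits.append("browser add-on with no registered name")
        if "(file missing)" in low:
            hits.append("registered DLL is no longer on disk (orphaned entry)")
        if TEMP_RE.search(body):
            hits.append("add-on loaded from a Temp directory")
    elif sec == "O4":
        if "?" in body:
            hits.append("autorun file name has unprintable characters (look-alike of a system name)")
        if TEMP_RE.search(body):
            hits.append("autorun from a Temp directory")
    elif sec == "O10":
        hits.append("Winsock LSP hijack")
    elif sec == "O15":
        hits.append("site added to the IE Trusted Zone (thread rule: every O15 goes)")
    elif sec == "O18" and low.startswith("filter: text/"):
        hits.append("MIME filter hooked into plain web content")
    return hits


def triage(log_text: str) -> List[Dict[str, str]]:
    """Parse a HijackThis log and return the entries worth a second look."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m is None:  # header, process list or blank line
            continue
        hits = reasons_for(m["sec"], m["body"])
        if hits:
            findings.append({"section": m["sec"], "entry": line, "reasons": "; ".join(hits)})
    return findings


def counts_by_section(log_text: str) -> Dict[str, int]:
    """How many flagged entries fall into each HijackThis section."""
    tally: Dict[str, int] = {}
    for f in triage(log_text):
        tally[f["section"]] = tally.get(f["section"], 0) + 1
    return tally


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reasons']}\n     {f['entry']}")
    print(counts_by_section(SAMPLE_LOG))
```

The forum wraps long log lines, so a log pasted from a post has to be rejoined to one entry per line before it is fed in; the sample above is already unwrapped. On the sample, the three benign entries come back clean and the other ten are listed with the reason each was flagged, which is the list a helper would then confirm before anyone clicks Fix checked.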
          • mar_nn Re: Infected Windows XP 17.05.05, 20:47
            Logfile of HijackThis v1.99.1
            Scan saved at 20:42:46, on 2005-05-17
            Platform: Windows XP (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 (6.00.2600.0000)

            Running processes:
            D:\WINDOWS\System32\smss.exe
            D:\WINDOWS\system32\winlogon.exe
            D:\WINDOWS\system32\services.exe
            D:\WINDOWS\system32\lsass.exe
            D:\WINDOWS\system32\svchost.exe
            D:\WINDOWS\System32\svchost.exe
            D:\WINDOWS\system32\spoolsv.exe
            D:\WINDOWS\Explorer.EXE
            D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
            D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
            D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
            D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
            D:\WINDOWS\System32\rundll32.exe
            D:\d\Gadu-Gadu\gg.exe
            D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
            D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
            D:\Program Files\Alwil Software\Avast4\ashServ.exe
            D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
            D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
            D:\Documents and Settings\Marcin\Pulpit\HijackThis.exe

            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
            res://D:\DOCUME~1\Marcin\USTAWI~1\Temp\se.dll/spage.html
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
            res://D:\DOCUME~1\Marcin\USTAWI~1\Temp\se.dll/spage.html
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
            R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
            about:blank
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
            about:blank
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
            R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
            O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} -
            D:\Program Files\iMesh\iMesh5\iMeshBHO.dll
            O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
            D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
            O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
            D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
            O2 - BHO: (no name) - {70144810-1023-4637-842B-96C5AACBA4EC} -
            D:\WINDOWS\System32\bbol.dll (file missing)
            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
            D:\WINDOWS\System32\msdxm.ocx
            O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
            D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
            O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02
            \bin\jusched.exe
            O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
            O4 - HKLM\..\Run: [WheelMouse] D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
            O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
            O4 - HKLM\..\Run: [RemoteControl] "D:\Program
            Files\CyberLink\PowerDVD\PDVDServ.exe"
            O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1
            \NEWDOT~2.DLL,NewDotNetStartup -s
            O4 - HKCU\..\Run: [Gadu-Gadu] "D:\d\Gadu-Gadu\gg.exe" /tray
            O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft
            Office\Office10\OSA.EXE
            O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program
            Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
            O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
            res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
            D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
            O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
            00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
            O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-
            9F63-900533FAFE14} - D:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
            (file missing)
            O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-
            4a96-8D08-02B42891C169} - D:\Program Files\ShopperReports\Bin\1.0.4.0
            \ShprRprt.dll (file missing)
            O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
            static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c14.cab
            O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) -
            www.spywarestormer.com/files2/Install.cab
            O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller
            Control) - www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
            O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word
            Games) - 67.15.101.3/g_bin/pl/wordssingle_2_0_0_33.cab
            O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191}
            (VacPro.internazionale_ver11) -
            advnt01.com/dialer/internazionale_ver11.CAB
            O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GINSOCCER Class) -
            67.15.101.3/g_bin/pl/soccer_2_0_0_7.cab
            O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -
            www2.incredimail.com/contents/setup/downloader/imloader.cab
            O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) -
            67.15.101.3/g_bin/pl/billard8_2_0_0_21.cab
            O17 - HKLM\System\CCS\Services\Tcpip\..\{FC84E56E-E205-44BE-A19A-061045BF9496}:
            NameServer = 10.0.0.138
            O18 - Filter: text/html - {2B0F4BEA-B88B-456C-A494-A0A00FFF4402} -
            D:\WINDOWS\System32\bbol.dll
            O18 - Filter: text/plain - {2B0F4BEA-B88B-456C-A494-A0A00FFF4402} -
            D:\WINDOWS\System32\bbol.dll
            O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
            D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
            O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil
            Software\Avast4\ashServ.exe
            O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil
            Software\Avast4\ashMaiSv.exe" /service (file missing)
            O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil
            Software\Avast4\ashWebSv.exe" /service (file missing)

            Something seems to have worked, because the virus no longer starts
            • Guest: Kolobos Re: Infected Windows XP IP: *.warszawa.sdi.tpnet.pl 17.05.05, 21:32
              Did you read what I wrote here:
              forum.gazeta.pl/forum/72,2.html?f=430&w=24035135&a=24037232
              Because I still see entries that were supposed to be removed.
              • mar_nn Re: Infected Windows XP 17.05.05, 22:05
                I read it. Which ones specifically were supposed to be removed and aren't? I checked twice.
                • neder Re: Infected Windows XP 17.05.05, 22:07
                  Then remove them again, but this time try to do it in safe mode (F8 or
                  F5 at system startup).


                  regards.
                • Guest: Kolobos Re: Infected Windows XP IP: *.warszawa.sdi.tpnet.pl 17.05.05, 22:24
                  These:

                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
                  res://D:\DOCUME~1\Marcin\USTAWI~1\Temp\se.dll/spage.html
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
                  res://D:\DOCUME~1\Marcin\USTAWI~1\Temp\se.dll/spage.html
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                  about:blank
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                  about:blank
                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
                  O2 - BHO: (no name) - {70144810-1023-4637-842B-96C5AACBA4EC} -
                  D:\WINDOWS\System32\bbol.dll (file missing)
                  O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1
                  \NEWDOT~2.DLL,NewDotNetStartup -s
                  O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-
                  9F63-900533FAFE14} - D:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
                  (file missing)
                  O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-
                  4a96-8D08-02B42891C169} - D:\Program Files\ShopperReports\Bin\1.0.4.0
                  \ShprRprt.dll (file missing)
                  O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
                  static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c14.cab
                  O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) -
                  www.spywarestormer.com/files2/Install.cab
                  O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller
                  Control) - www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
                  O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191}
                  (VacPro.internazionale_ver11) -
                  advnt01.com/dialer/internazionale_ver11.CAB
                  O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -
                  www2.incredimail.com/contents/setup/downloader/imloader.cab
                  O18 - Filter: text/html - {2B0F4BEA-B88B-456C-A494-A0A00FFF4402} -
                  D:\WINDOWS\System32\bbol.dll
                  O18 - Filter: text/plain - {2B0F4BEA-B88B-456C-A494-A0A00FFF4402} -
                  D:\WINDOWS\System32\bbol.dll

                  Once you've deleted them, paste a new log.
                  • mar_nn Re: Infected Windows XP 18.05.05, 16:52
                    e.g. these:
                    > O18 - Filter: text/html - {2B0F4BEA-B88B-456C-A494-A0A00FFF4402} -
                    > D:\WINDOWS\System32\bbol.dll
                    > O18 - Filter: text/plain - {2B0F4BEA-B88B-456C-A494-A0A00FFF4402} -
                    > D:\WINDOWS\System32\bbol.dll
                    you didn't write that they were supposed to be removed

                    new log:

                    Logfile of HijackThis v1.99.1
                    Scan saved at 16:51:29, on 2005-05-18
                    Platform: Windows XP (WinNT 5.01.2600)
                    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

                    Running processes:
                    D:\WINDOWS\System32\smss.exe
                    D:\WINDOWS\system32\winlogon.exe
                    D:\WINDOWS\system32\services.exe
                    D:\WINDOWS\system32\lsass.exe
                    D:\WINDOWS\system32\svchost.exe
                    D:\WINDOWS\System32\svchost.exe
                    D:\WINDOWS\system32\spoolsv.exe
                    D:\WINDOWS\Explorer.EXE
                    D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
                    D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
                    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                    D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
                    D:\WINDOWS\System32\rundll32.exe
                    D:\d\Gadu-Gadu\gg.exe
                    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                    D:\Program Files\Alwil Software\Avast4\ashServ.exe
                    D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                    D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                    D:\Program Files\Internet Explorer\IEXPLORE.EXE
                    D:\Documents and Settings\Marcin\Pulpit\HijackThis.exe

                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                    www.google.pl/
                    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                    about:blank
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} -
                    D:\Program Files\iMesh\iMesh5\iMeshBHO.dll
                    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
                    D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
                    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
                    D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
                    D:\WINDOWS\System32\msdxm.ocx
                    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
                    D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
                    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02
                    \bin\jusched.exe
                    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
                    O4 - HKLM\..\Run: [WheelMouse] D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
                    O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                    O4 - HKLM\..\Run: [RemoteControl] "D:\Program
                    Files\CyberLink\PowerDVD\PDVDServ.exe"
                    O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1
                    \NEWDOT~2.DLL,NewDotNetStartup -s
                    O4 - HKCU\..\Run: [Gadu-Gadu] "D:\d\Gadu-Gadu\gg.exe" /tray
                    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft
                    Office\Office10\OSA.EXE
                    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program
                    Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                    O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
                    res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
                    D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
                    00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                    O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-
                    9F63-900533FAFE14} - D:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
                    (file missing)
                    O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-
                    4a96-8D08-02B42891C169} - D:\Program Files\ShopperReports\Bin\1.0.4.0
                    \ShprRprt.dll (file missing)
                    O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word
                    Games) - 67.15.101.3/g_bin/pl/wordssingle_2_0_0_33.cab
                    O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GINSOCCER Class) -
                    67.15.101.3/g_bin/pl/soccer_2_0_0_7.cab
                    O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) -
                    67.15.101.3/g_bin/pl/billard8_2_0_0_21.cab
                    O17 - HKLM\System\CCS\Services\Tcpip\..\{FC84E56E-E205-44BE-A19A-061045BF9496}:
                    NameServer = 10.0.0.138
                    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
                    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                    O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil
                    Software\Avast4\ashServ.exe
                    O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil
                    Software\Avast4\ashMaiSv.exe" /service (file missing)
                    O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil
                    Software\Avast4\ashWebSv.exe" /service (file missing)
                    • Guest: Kolobos Re: Infected Windows XP IP: *.warszawa.sdi.tpnet.pl 18.05.05, 17:17
                      In HijackThis, delete these:

                      O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1
                      \NEWDOT~2.DLL,NewDotNetStartup -s
                      O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-
                      9F63-900533FAFE14} - D:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
                      (file missing)
                      O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-
                      4a96-8D08-02B42891C169} - D:\Program Files\ShopperReports\Bin\1.0.4.0
                      \ShprRprt.dll (file missing)


                      Have you already removed this from the disk:
                      D:\Program Files\ShopperReports ? If not, do it.
                      Delete this with KillBox:
                      D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
                      And after a reboot delete the directory:
                      D:\PROGRA~1\NEWDOT~1\

                      Also install the new Java:
                      www.java.com

                      When you're done, paste a new log.
                      • mar_nn Re: Infected Windows XP 18.05.05, 18:23
                        These can't be removed:
                        > O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-
                        > 9F63-900533FAFE14} - D:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
                        > (file missing)
                        > O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-
                        > 4a96-8D08-02B42891C169} - D:\Program Files\ShopperReports\Bin\1.0.4.0
                        > \ShprRprt.dll (file missing)

                        They reappear even after I delete them.

                        New log:

                        Logfile of HijackThis v1.99.1
                        Scan saved at 18:20:38, on 2005-05-18
                        Platform: Windows XP (WinNT 5.01.2600)
                        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

                        Running processes:
                        D:\WINDOWS\System32\smss.exe
                        D:\WINDOWS\system32\winlogon.exe
                        D:\WINDOWS\system32\services.exe
                        D:\WINDOWS\system32\lsass.exe
                        D:\WINDOWS\system32\svchost.exe
                        D:\WINDOWS\System32\svchost.exe
                        D:\WINDOWS\system32\spoolsv.exe
                        D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                        D:\Program Files\Alwil Software\Avast4\ashServ.exe
                        D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                        D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                        D:\WINDOWS\Explorer.EXE
                        D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
                        D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
                        D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                        D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
                        D:\d\Gadu-Gadu\gg.exe
                        D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                        D:\Program Files\Internet Explorer\IEXPLORE.EXE
                        D:\Documents and Settings\Marcin\Pulpit\HijackThis.exe

                        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                        www.google.pl/
                        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                        about:blank
                        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                        O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} -
                        D:\Program Files\iMesh\iMesh5\iMeshBHO.dll
                        O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
                        D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
                        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
                        D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
                        D:\WINDOWS\System32\msdxm.ocx
                        O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
                        D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
                        O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02
                        \bin\jusched.exe
                        O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
                        O4 - HKLM\..\Run: [WheelMouse] D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
                        O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                        O4 - HKLM\..\Run: [RemoteControl] "D:\Program
                        Files\CyberLink\PowerDVD\PDVDServ.exe"
                        O4 - HKCU\..\Run: [Gadu-Gadu] "D:\d\Gadu-Gadu\gg.exe" /tray
                        O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft
                        Office\Office10\OSA.EXE
                        O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program
                        Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                        O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
                        res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
                        D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
                        00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                        O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-
                        9F63-900533FAFE14} - D:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
                        (file missing)
                        O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-
                        4a96-8D08-02B42891C169} - D:\Program Files\ShopperReports\Bin\1.0.4.0
                        \ShprRprt.dll (file missing)
                        O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word
                        Games) - 67.15.101.3/g_bin/pl/wordssingle_2_0_0_33.cab
                        O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GINSOCCER Class) -
                        67.15.101.3/g_bin/pl/soccer_2_0_0_7.cab
                        O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) -
                        67.15.101.3/g_bin/pl/billard8_2_0_0_21.cab
                        O17 - HKLM\System\CCS\Services\Tcpip\..\{FC84E56E-E205-44BE-A19A-061045BF9496}:
                        NameServer = 10.0.0.138
                        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
                        D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                        O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil
                        Software\Avast4\ashServ.exe
                        O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil
                        Software\Avast4\ashMaiSv.exe" /service (file missing)
                        O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil
                        Software\Avast4\ashWebSv.exe" /service (file missing)
                        • Guest: Kolobos Re: Infected Windows XP IP: *.warszawa.sdi.tpnet.pl 18.05.05, 18:40
                          Boot Windows in Safe Mode (F5 or F8 at system startup), don't launch the
                          browser, and only then try to remove those two entries.
                          While you're at it, you can also make a log with this:
                          www.silentrunners.org/Silent%20Runners.vbs
                          and paste it on the forum.
                          • mar_nn Re: Infected Windows XP 18.05.05, 19:57
                            It didn't work.



                            "Silent Runners.vbs", revision 36, www.silentrunners.org/
                            Operating System: Windows XP
                            Output limited to non-default values, except where indicated by "{++}"


                            Startup items buried in registry:
                            ---------------------------------

                            HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                            "Gadu-Gadu" = ""D:\d\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                            "SunJavaUpdateSched" = "D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
                            ["Sun Microsystems, Inc."]
                            "NeroFilterCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
                            "WheelMouse" = "D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
                            "avast!" = "D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
                            "RemoteControl" = ""D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe""
                            ["Cyberlink Corp."]

                            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
                            {00000000-6CB0-410C-8C3D-8FA8D2011D0A}\(Default) = "DownloadRedirect Class"
                            [from CLSID]
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\iMesh\iMesh5
                            \iMeshBHO.dll" ["iMesh Ltd"]
                            {02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from
                            CLSID]
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Yahoo!
                            \Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
                            {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from
                            CLSID]
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0
                            \ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

                            HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
                            "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
                            wyświetlania"
                            -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
                            "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
                            -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll"
                            ["Hilgraeve, Inc."]
                            "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon
                            Handler"
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft
                            Office\Office10\OLKFSTUB.DLL" [MS]
                            "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft
                            Office\Office10\msohev.dll" [MS]
                            "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll"
                            [null data]
                            "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4
                            \ashShell.dll" ["ALWIL Software"]


                            Enabled Wallpaper and Active Desktop:
                            -------------------------------------

                            Active Desktop is disabled.

                            HKCU\Control Panel\Desktop\
                            "Wallpaper" = "D:\WINDOWS\Web\Wallpaper\Idylla.bmp"


                            Startup items in "Marcin" & "All Users" startup folders:
                            --------------------------------------------------------

                            D:\Documents and Settings\All Users\Menu Start\Programy\Autostart
                            "Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office10
                            \OSA.EXE -b -l" [MS]
                            "Adobe Reader Speed Launch" -> shortcut to: "D:\Program Files\Adobe\Acrobat 7.0
                            \Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


                            Winsock2 Service Provider DLLs:
                            -------------------------------

                            Namespace Service Providers

                            HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5
                            \Catalog_Entries\ {++}
                            000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
                            000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
                            000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

                            Transport Service Providers

                            HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9
                            \Catalog_Entries\ {++}
                            0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
                            D:\WINDOWS\System32\lsp.dll ["ShopAtHomeSelect"], 01 - 13, 27
                            %SystemRoot%\system32\mswsock.dll [MS], 14 - 16, 19 - 26
                            %SystemRoot%\system32\rsvpsp.dll [MS], 17 - 18


                            Toolbars, Explorer Bars, Extensions:
                            ------------------------------------

                            Toolbars

                            HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
                            "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
                            -> {CLSID}\(Default) = "Yahoo! Companion"
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Yahoo!
                            \Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

                            HKLM\Software\Microsoft\Internet Explorer\Toolbar\
                            "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
                            -> {CLSID}\(Default) = "Yahoo! Companion"
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Yahoo!
                            \Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

                            Dormant Explorer Bars in "View, Explorer Bar" menu

                            HKLM\Software\Classes\CLSID\{2178C864-B8BC-41AE-A1FB-EB6A32F87EB1}\
                            (Default) = "ShopperReports – Price Comparison"
                            Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
                            InProcServer32\(Default) = "D:\Program Files\ShopperReports\Bin\1.0.4.0
                            \ShprRprt.dll" [file not found]

                            HKLM\Software\Classes\CLSID\{A798E2B4-B6A0-4B96-8C53-8EC7A3B0895A}\
                            (Default) = "ShopperReports – Price Comparison"
                            Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
                            InProcServer32\(Default) = "D:\Program Files\ShopperReports\Bin\1.0.4.0
                            \ShprRprt.dll" [file not found]

                            HKLM\Software\Classes\CLSID\{BECAFC17-BAF9-11D4-B492-00D0B77F0A6D}\
                            (Default) = "Hotbar Information Window"
                            Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
                            InProcServer32\(Default) = "D:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll"
                            [file not found]

                            HKLM\Software\Classes\CLSID\{FF6B2FD5-093C-4D4F-BB98-5641130A9DE6}\
                            (Default) = "Web Assistant"
                            Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
                            InProcServer32\(Default) = "D:\Program Files\Hotbar\Bin\4.6.1.0\HbHostIE.dll"
                            [file not found]

                            Extensions (Tools menu items, main toolbar menu buttons)

                            HKLM\Software\Microsoft\Internet Explorer\Extensions\
                            {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
                            "MenuText" = "Sun Java Console"
                            "CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_02
                            \bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]

                            {946B3E9E-E21A-49C8-9F63-900533FAFE14}\
                            "ButtonText" = "ShopperReports - Compare travel rates"
                            "CLSIDExtension" = "{454b4812-e572-4703-a1bb-63490809eac0}"
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program
                            Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll" [file not found]

                            {E77EDA01-3C56-4A96-8D08-02B42891C169}\
                            "ButtonText" = "ShopperReports - Compare product prices"
                            "CLSIDExtension" = "{580a1f3f-89b4-433b-bbdb-b97aeb13f3fc}"
                            -> {CLSID}\InProcServer32\(Default) = "D:\Program
                            Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll" [file not found]


                            All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
                            ---------------------------------------------------------------------------

                            avast! Antivirus, avast! Antivirus, ""D:\Program Files\Alwil Software\Avast4
                            \ashServ.exe"" [null data]
                            avast! iAVS4 Control Service, aswUpdSv, ""D:\Program Files\Alwil Software\Avast4
                            \aswUpdSv.exe"" [null data]
                            avast! Mail Scanner, avast! Mail Scanner, ""D:\Program Files\Alwil
                            Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
                            avast! Web Scanner, avast! Web Scanner, ""D:\Program Files\Alwil Software\Avast4
                            \ashWebSv.exe" /service" ["ALWIL Software"]
                            Karta wydajności WMI, WmiApSrv, "D:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
                            Usługa administracyjna Menedżera dysków logicznych,
                            dmadmin, "D:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas
                            Software"]
                            • Guest: Kolobos Re: Infected Windows XP IP: *.warszawa.sdi.tpnet.pl 18.05.05, 20:06
                              Try using this:
                              www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/HotBar-Adware-Removal-Tool.shtml

                              Anyway, these are now just leftover entries, since the files are gone.

                              You can also try removing them manually:
                              Start -> Run -> regedit

                              Go to the branch:
                              HKEY_Local_Machine\Software\Microsoft\Internet Explorer\Extensions\

                              and delete these two entries there:
                              {946B3E9E-E21A-49C8-9F63-900533FAFE14}
                              {E77EDA01-3C56-4A96-8D08-02B42891C169}

                              Unless that removal tool deletes all of it by itself.
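The triage the thread performs by hand can be scripted. As an added example (not HijackThis's, Silent Runners' or the thread's own code), the Python below re-joins forum-wrapped HijackThis lines, flags entries whose target is "(file missing)" or whose name is on a watch list built from the adware names this thread identifies (New.net, ShopperReports, Hotbar), and for O9 buttons derives the `HKLM\Software\Microsoft\Internet Explorer\Extensions\{CLSID}` key Kolobos points to. The sample lines are constructed from the thread's log; the watch list and the helper names (`unwrap`, `parse`, `triage`) are assumptions.

```python
import re

# Section tag at the start of a HijackThis entry, e.g. "O4 - " or "R1 - ".
SECTION_RE = re.compile(r"^([RFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O9 "Extra button" entries live under this key (the key named in the thread).
EXTENSIONS_KEY = r"HKLM\Software\Microsoft\Internet Explorer\Extensions"
# Constructed watch list: the adware names the thread identifies (assumption).
WATCHLIST = ("New.net", "ShopperReports", "Hotbar")

# Constructed sample, wrapped the way the forum wrapped the thread's log.
SAMPLE = r"""
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1
\NEWDOT~2.DLL,NewDotNetStartup -s
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-
9F63-900533FAFE14} - D:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll
(file missing)
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-
4a96-8D08-02B42891C169} - D:\Program Files\ShopperReports\Bin\1.0.4.0
\ShprRprt.dll (file missing)
"""


def unwrap(text):
    """Re-join entries a forum wrapped: a line without a section tag continues
    the previous tagged entry; a break inside a path or CLSID gets no space."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line) or not entries or not SECTION_RE.match(entries[-1]):
            entries.append(line)
            continue
        prev = entries[-1]
        # "...-49c8-" + "9F63-..." and "...NEWDOT~1" + "\NEWDOT~2.DLL" were split
        # mid-token; "D:\Program" + "Files\..." was split between words.
        broke_token = ((prev.endswith("-") and not prev.endswith(" -"))
                       or prev.endswith("\\") or line.startswith("\\"))
        entries[-1] = prev + ("" if broke_token else " ") + line
    return entries


def parse(entry):
    """Split an unwrapped entry into tag, body, CLSID and the missing-file flag."""
    m = SECTION_RE.match(entry)
    if not m:
        return None
    tag, body = m.groups()
    clsid = CLSID_RE.search(body)
    return {
        "tag": tag,
        "body": body,
        "clsid": clsid.group(0).upper() if clsid else None,  # keys are case-insensitive
        "file_missing": body.endswith("(file missing)"),
    }


def triage(text):
    """Return (entry, reasons, registry_key) for each entry worth a look."""
    findings = []
    for entry in unwrap(text):
        item = parse(entry)
        if item is None:
            continue
        reasons = []
        if item["file_missing"]:
            reasons.append("target file missing: orphaned registry entry")
        if any(name.lower() in item["body"].lower() for name in WATCHLIST):
            reasons.append("name on adware watch list")
        if not reasons:
            continue
        # Only O9 entries map to the Extensions key the thread names.
        key = None
        if item["tag"] == "O9" and item["clsid"]:
            key = EXTENSIONS_KEY + "\\" + item["clsid"]
        findings.append((entry, "; ".join(reasons), key))
    return findings
```

Running `triage(SAMPLE)` reports the New.net Run entry (watch list only, no single key) and both ShopperReports buttons with their Extensions keys; the avast and Sun Java lines are left alone.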


                • Guest: barracuda7110 Re: Infected Windows XP IP: *.dsl.telepac.pt 18.05.05, 18:40
                  Unfortunately you're not reading everything. User Kalinowski11 wrote what else
                  you need to do.
