Dzięki Bobi_robert

Wylacz przywracanie
Zakoncz procesy:
Save.exe
ossproxy.exe

Wywal z dysku:
ossproxy.exe
C:Program FilesNewDotNet
C:Program FilesSave

Fix:

R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://wer–mit–wem.webhop.net/
R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page =
R0 – HKLMSoftwareMicrosoftInternet ExplorerMain,Local Page =
F2 – REG:system.ini: Shell=explorer.exe
O2 – BHO: URLLink Class – {4A2AACF3–ADF6–11D5–98A9–00E018981B9E} – C:Program FilesNewDotNet ewdotnet3_88.dll
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [New.net Startup] rundll32 C:PROGRA~1NEWDOT~1NEWDOT~1.DLL,NewDotNetStartup
O4 – HKLM..Run: [WhenUSave] "C:Program FilesSaveSave.exe"
O4 – HKLM..Run: [OSS] c:windowssystem32ossproxy.exe –boot
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net

Nie urzywasz Google Toolbar >> leca wpisy i pliki tak wymienione:

O2 – BHO: Google Toolbar Helper – {AA58ED58–01DD–4d91–8333–CF10577473F7} – c:program filesgooglegoogletoolbar.dll
O3 – Toolbar: &Google – {2318C2B1–4965–11d4–9B18–009027A5CD4F} – c:program filesgooglegoogletoolbar.dll
O8 – Extra context menu item: &Google Search – res://C:Program FilesGooglegoogletoolbar.dll/cmsearch.html
O8 – Extra context menu item: Backward &Links – res://C:Program FilesGooglegoogletoolbar.dll/cmbacklinks.html
O8 – Extra context menu item: Cac&hed Snapshot of Page – res://C:Program FilesGooglegoogletoolbar.dll/cmcache.html
O8 – Extra context menu item: Si&milar Pages – res://C:Program FilesGooglegoogletoolbar.dll/cmsimilar.html
O8 – Extra context menu item: Translate into English – res://C:Program FilesGooglegoogletoolbar.dll/cmtrans.html

Twoj program:
C:Program FilesClockSyncSync.exe
Nie >> wiesz co masz robic

To samo tyczy sie:
C:Program FilesSecond NatureSnsicon.exe
C:PROGRA~1INCRED~1inIMApp.exe
i wpisy:

O4 – HKCU..Run: [IncrediMail] C:PROGRA~1INCRED~1inIncMail.exe /c
O4 – HKCU..Run: [ClockSync] "C:Program FilesClockSyncSync.exe" /q
O4 – Global Startup: Snsicon.lnk = C:Program FilesSecond NatureSnsicon.exe
O8 – Extra context menu item: &Add animation to IncrediMail Style Box – C:PROGRA~1INCRED~1in esourcesWebMenuImg.htm

Co to za katalog ??:
C:RGW

Udało się go wywalić, prosze teraz o sprawdzenie hijaka
Logfile of HijackThis v1.98.2
Scan saved at 17:48:07, on 2004–11–13
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSexplorer.exe
C:Program FilesCommon FilesRealUpdate_OB ealsched.exe
C:PROGRA~1GrisoftAVG6avgcc32.exe
C:Program FilesD–Toolsdaemon.exe
C:WINDOWSSystem32 undll32.exe
C:Program FilesExecutive SoftwareDiskeeperLiteDKService.exe
C:Program FilesSaveSave.exe
C:windowssystem32ossproxy.exe
C:WINDOWSSystem32 vsvc32.exe
C:Program Filesone LabsoneAlarmzlclient.exe
C:WINDOWSsystem32oneLabsvsmon.exe
C:Program FilesCursorXPCursorXP.exe
C:Program FilesTlen.pl len.exe
C:Program FilesDesktop Architectdatray.exe
C:Program FilesClockSyncSync.exe
C:Program FilesSecond NatureSnsicon.exe
C:PROGRA~1INCRED~1inIMApp.exe
C:WINDOWSSystem32wuauclt.exe
C:WINDOWSSystem32wuauclt.exe
C:Program FilesMYIE2MyIE.exe
C:Documents and SettingsdzisiaPulpitNarzędziaHijackThisHijackThis.exe

R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://wer–mit–wem.webhop.net/
R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page =
R0 – HKLMSoftwareMicrosoftInternet ExplorerMain,Local Page =
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Microsoft Internet Explorer
R0 – HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
F2 – REG:system.ini: Shell=explorer.exe
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:Program FilesAdobeAcrobat 6.0 CEReaderActiveXAcroIEHelper.dll
O2 – BHO: URLLink Class – {4A2AACF3–ADF6–11D5–98A9–00E018981B9E} – C:Program FilesNewDotNet ewdotnet3_88.dll
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – C:Program FilesSpybot – Search & DestroySDHelper.dll
O2 – BHO: Google Toolbar Helper – {AA58ED58–01DD–4d91–8333–CF10577473F7} – c:program filesgooglegoogletoolbar.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O3 – Toolbar: &Google – {2318C2B1–4965–11d4–9B18–009027A5CD4F} – c:program filesgooglegoogletoolbar.dll
O4 – HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 – HKLM..Run: [nwiz] nwiz.exe /install
O4 – HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OB ealsched.exe" –osboot
O4 – HKLM..Run: [AVG_CC] C:PROGRA~1GrisoftAVG6avgcc32.exe /STARTUP
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [McRegWiz] C:RGWMcRegWiz.exe /autorun
O4 – HKLM..Run: [DAEMON Tools–1033] "C:Program FilesD–Toolsdaemon.exe" –lang 1033
O4 – HKLM..Run: [New.net Startup] rundll32 C:PROGRA~1NEWDOT~1NEWDOT~1.DLL,NewDotNetStartup
O4 – HKLM..Run: [WhenUSave] "C:Program FilesSaveSave.exe"
O4 – HKLM..Run: [OSS] c:windowssystem32ossproxy.exe –boot
O4 – HKLM..Run: [Zone Labs Client] "C:Program Filesone LabsoneAlarmzlclient.exe"
O4 – HKCU..Run: [CursorXP] "C:Program FilesCursorXPCursorXP.exe" –s
O4 – HKCU..Run: [IncrediMail] C:PROGRA~1INCRED~1inIncMail.exe /c
O4 – HKCU..Run: [Komunikator] C:Program FilesTlen.pl len.exe
O4 – HKCU..Run: [Desktop Architect] "C:Program FilesDesktop Architectdatray.exe" –S
O4 – HKCU..Run: [ClockSync] "C:Program FilesClockSyncSync.exe" /q
O4 – Global Startup: Snsicon.lnk = C:Program FilesSecond NatureSnsicon.exe
O8 – Extra context menu item: &Add animation to IncrediMail Style Box – C:PROGRA~1INCRED~1in esourcesWebMenuImg.htm
O8 – Extra context menu item: &Google Search – res://C:Program FilesGooglegoogletoolbar.dll/cmsearch.html
O8 – Extra context menu item: Analizuj za pomocą LeechGet – file://C:Program FilesLeechGet 2004\Parser.html
O8 – Extra context menu item: Backward &Links – res://C:Program FilesGooglegoogletoolbar.dll/cmbacklinks.html
O8 – Extra context menu item: Cac&hed Snapshot of Page – res://C:Program FilesGooglegoogletoolbar.dll/cmcache.html
O8 – Extra context menu item: Pobierz uźywając kreatora LeechGet – file://C:Program FilesLeechGet 2004\Wizard.html
O8 – Extra context menu item: Pobierz uźywając LeechGet – file://C:Program FilesLeechGet 2004\AddUrl.html
O8 – Extra context menu item: Si&milar Pages – res://C:Program FilesGooglegoogletoolbar.dll/cmsimilar.html
O8 – Extra context menu item: Translate into English – res://C:Program FilesGooglegoogletoolbar.dll/cmtrans.html
O9 – Extra button: eBay – Homepage – {EF79EAC5–3452–4E02–B8BD–BA4C89F1AC7A} – C:Program FilesIrfanViewEbayEbay.htm
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O10 – Hijacked Internet access by New.Net
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100298371061
O16 – DPF: {80DD2229–B8E4–4C77–B72F–F22972D723EA} (AvxScanOnline Control) – http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://skaner.mks.com.pl/SkanerOnline.cab

Wylacz przywracanie zeby pozniej sie nie odnowil
Wylacz ten proces w tasku
Pozniej recznie wywal cała zawartosc katalogu Temporary Internet Files z jej profilu w Documents and Settings
Wlacz Przywracanie

To chyba kopia jakiegos mutanta Worm.Korgo
Dla pewnosci w nastepnym poscie wrzuc log z programu HJT