Red desktop: DANGER: SPYWARE

I've got a damn problem. While browsing the net some spyware got dumped onto my machine. The desktop turned red and in the middle there's a black frame with a huge caption
DANGER: SPYWARE.
I scanned the computer with something like 5 programs:
- Spybot
- Ad-Aware
- Error Guard

Of course it removed everything :P but the desktop stayed and the system runs terribly slowly.

Log from CWSshredder:

**** Run Keys ****

RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
RUN: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
RUN: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
RUN: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
RUN: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
RUN: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
RUN: [PayTime] C:\WINDOWS\System32\paytime.exe
RUN: [Dil] C:\WINDOWS\Gjs.exe
RUN: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
RUN: [_Cat2] C:\WINDOWS\nmstt.exe
RUN: [Vdd] C:\WINDOWS\System32\Rdm.exe
RUN: [Bjn] C:\WINDOWS\Cbm.exe
RUN: [Uee] C:\WINDOWS\Rqt.exe
RUN: [Mfo] C:\WINDOWS\System32\Jvm.exe
RUN: [Bjq] C:\WINDOWS\Stq.exe
RUN: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
RUN: [Lpm] C:\WINDOWS\System32\Rrg.exe
RUN: [Lmp] C:\WINDOWS\Dou.exe
RUN: [Erp] C:\WINDOWS\Osr.exe
RUN: [Gsl] C:\WINDOWS\System32\Alm.exe
RUN: [Igo] C:\WINDOWS\Run.exe
RUN: [Kgn] C:\WINDOWS\System32\Tmv.exe
RUN: [Itq] C:\WINDOWS\Huu.exe
RUN: [Dnn] C:\WINDOWS\System32\Eun.exe
RUN: [Bcr] C:\WINDOWS\Ojf.exe
RUN: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
RUN: [PayTime] C:\WINDOWS\System32\paytime.exe
RUN: [Dil] C:\WINDOWS\Gjs.exe
RUN: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
RUN: [Vdd] C:\WINDOWS\System32\Rdm.exe
RUN: [Bjn] C:\WINDOWS\Cbm.exe
RUN: [Uee] C:\WINDOWS\Rqt.exe
RUN: [Mfo] C:\WINDOWS\System32\Jvm.exe
RUN: [Bjq] C:\WINDOWS\Stq.exe
RUN: [Lpm] C:\WINDOWS\System32\Rrg.exe
RUN: [Lmp] C:\WINDOWS\Dou.exe
RUN: [Erp] C:\WINDOWS\Osr.exe
RUN: [Gsl] C:\WINDOWS\System32\Alm.exe
RUN: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
RUN: [Igo] C:\WINDOWS\Run.exe
RUN: [Kgn] C:\WINDOWS\System32\Tmv.exe
RUN: [Itq] C:\WINDOWS\Huu.exe
RUN: [Dnn] C:\WINDOWS\System32\Eun.exe
RUN: [Bcr] C:\WINDOWS\Ojf.exe


**** Browser Helper Objects ****

BHO: [AcroIEHlprObj Class] C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
BHO: [AcroIEHlprObj Class] C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
BHO: [AcroIEHlprObj Class] C:\WINDOWS\System32\jndg.dll
BHO: [Pop Class] C:\WINDOWS\winsx.dll


**** IE Toolbars ****

TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx
TOOLBAR: [FlashGet Bar] C:\PROGRA~1\FLASHGET\fgiebar.dll
TOOLBAR: [FlashGet Bar] C:\PROGRA~1\FLASHGET\fgiebar.dll


**** IE Extensions ****

IEExt: []
IEExt: [FlashGet] C:\PROGRA~1\FLASHGET\flashget.exe


**** Hosts File Entries ****

HOSTS: 127.0.0.3 n-glx.s-redirect.com
HOSTS: 127.0.0.3 x.full-tgp.net
HOSTS: 127.0.0.3 counter.sexmaniack.com
HOSTS: 127.0.0.3 autoescrowpay.com
HOSTS: 127.0.0.3 www.autoescrowpay.com
HOSTS: 127.0.0.3 www.awmdabest.com
HOSTS: 127.0.0.3 www.sexfiles.nu
HOSTS: 127.0.0.3 awmdabest.com
HOSTS: 127.0.0.3 sexfiles.nu
HOSTS: 127.0.0.3 allforadult.com
HOSTS: 127.0.0.3 www.allforadult.com
HOSTS: 127.0.0.3 www.iframe.biz
HOSTS: 127.0.0.3 iframe.biz
HOSTS: 127.0.0.3 www.newiframe.biz
HOSTS: 127.0.0.3 newiframe.biz
HOSTS: 127.0.0.3 www.vesbiz.biz
HOSTS: 127.0.0.3 vesbiz.biz
HOSTS: 127.0.0.3 www.pizdato.biz
HOSTS: 127.0.0.3 pizdato.biz
HOSTS: 127.0.0.3 www.aaasexypics.com
HOSTS: 127.0.0.3 aaasexypics.com
HOSTS: 127.0.0.3 www.virgin-tgp.net
HOSTS: 127.0.0.3 virgin-tgp.net
HOSTS: 127.0.0.3 www.awmcash.biz
HOSTS: 127.0.0.3 awmcash.biz
HOSTS: 127.0.0.3 buldog-stats.com
HOSTS: 127.0.0.3 www.buldog-stats.com
HOSTS: 127.0.0.3 fregat.drocherway.com
HOSTS: 127.0.0.3 slutmania.biz
HOSTS: 127.0.0.3 www.slutmania.biz
HOSTS: 127.0.0.3 toolbarpartner.com
HOSTS: 127.0.0.3 www.toolbarpartner.com
HOSTS: 127.0.0.3 www.megapornix.com
HOSTS: 127.0.0.3 megapornix.com
HOSTS: 127.0.0.3 www.sp2fucked.biz
HOSTS: 127.0.0.3 sp2fucked.biz
HOSTS: 127.0.0.3 greg-tut.com
HOSTS: 127.0.0.3 www.greg-tut.com
HOSTS: 127.0.0.3 nylonsexy.com
HOSTS: 127.0.0.3 www.nylonsexy.com
HOSTS: 127.0.0.3 vparivalka.com
HOSTS: 127.0.0.3 www.vparivalka.com


**** IE Settings ****

Default Page: http://213.159.117.134/index.php
Default Search: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Local Page: http://213.159.117.134/index.php
Search Bar: res://C:\DOCUME~1\Ziomas\USTAWI~1\Temp\se.dll/sp.html
Search Page: about:blank


**** IE Context Menu (Right click) ****

IEContext: [Download All by FlashGet] C:\Program Files\FlashGet\jc_all.htm
IEContext: [Download using FlashGet] C:\Program Files\FlashGet\jc_link.htm


**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9DEAAE7E-EF12-42AA-A242-C77BCD5F4C00}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9DEAAE7E-EF12-42AA-A242-C77BCD5F4C00}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{81056A6F-6D13-4F42-B380-787B0CECB4AE}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{81056A6F-6D13-4F42-B380-787B0CECB4AE}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AF073C02-182B-4218-9685-63FB17B49F63}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AF073C02-182B-4218-9685-63FB17B49F63}] DATAGRAM 2


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

{33564D57-0000-0010-8000-00AA00389B71} [http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB]
{8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab]
{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]


**** Windows Services ****

[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AntiVirService] C:\Program Files\AVPersonal\AVGUARD.EXE
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[AVWUpSrv] "C:\Program Files\AVPersonal\AVWUPSRV.EXE"
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[cisvc] C:\WINDOWS\System32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[ImapiService] C:\WINDOWS\System32\imapi.exe
[KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\System32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\System32\nvsvc32.exe
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{F4929167-D5E4-468A-9A9D-3EAD0CEEBF1E}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost.exe -k netsvcs
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] C:\WINDOWS\System32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSp] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wuauserv] %SystemRoot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] about:blank
SEARCH: [SearchAssistant] about:blank
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] http://213.159.117.134/index.php
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://213.159.117.134/index.php
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] about:blank
IEOPT: [Check_Associations] yes
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [Use FormSuggest] no
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [FormSuggest PW Ask] no
IEOPT: [AddToFavoritesExpanded]
IEOPT: [FormSuggest Passwords] yes
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [Save Directory] C:\Program Files\Call of Duty\pb\htm\
IEOPT: [Default_Page_URL] http://213.159.117.134/index.php
IEOPT: [Toolbars_Placement]
IEOPT: [HOMEOldSP] about:blank
IEOPT: [Search Bar] res://C:\DOCUME~1\Ziomas\USTAWI~1\Temp\se.dll/sp.html
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL]
IEOPT: [Default_Page_URL] http://213.159.117.134/index.php
IEOPT: [Default_Search_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Search Page] about:blank
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] http://213.159.117.134/index.php
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://213.159.117.134/index.php
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Search Bar] res://C:\DOCUME~1\Ziomas\USTAWI~1\Temp\se.dll/sp.html
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL]
IEOPT: [HOMEOldSP] about:blank

I ask for one thing: HELP ME!

Replies: 20

Let's go step by step

1. Download LSP-FIX
2. Turn off System Restore
3. Boot the system into Safe Mode without the net
4. Run LSP-FIX, tick "I know what I'm doing", use the arrow to move the New.Net files to the right-hand pane, click Finish
5. Get rid of the entries, and of the files/folders I've bolded, from the disk:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = "%1" /S
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O2 - BHO: (no name) - {A99E1618-98EC-98F3-7B56-50D9B27636B8} - C:\DOCUME~1\test\DANEAP~1\ONCECL~1\Inforef.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\test\USTAWI~1\Temp\keep.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{084442CF-DD93-43CE-8777-47D2E86896BF}\SVCHOST.EXE
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab


This whole mass of three-letter ones goes too, both from the log and from the disk (I didn't bold them):
O4 - HKLM\..\Run: [Pei] C:\WINDOWS\System32\Juk.exe
O4 - HKLM\..\Run: [Ukl] C:\WINDOWS\System32\Oqk.exe
O4 - HKLM\..\Run: [Jlt] C:\WINDOWS\System32\Mou.exe
O4 - HKLM\..\Run: [Htt] C:\WINDOWS\System32\Nsr.exe
O4 - HKLM\..\Run: [Aoj] C:\WINDOWS\System32\Bst.exe
O4 - HKLM\..\Run: [Vra] C:\WINDOWS\System32\Krj.exe
O4 - HKLM\..\Run: [Ihl] C:\WINDOWS\Hse.exe
O4 - HKLM\..\Run: [Hdq] C:\WINDOWS\Fhh.exe
O4 - HKLM\..\Run: [Gch] C:\WINDOWS\Qon.exe
O4 - HKLM\..\Run: [Ejj] C:\WINDOWS\Pks.exe
O4 - HKLM\..\Run: [Hfn] C:\WINDOWS\System32\Mca.exe
O4 - HKLM\..\Run: [Mot] C:\WINDOWS\System32\Sfs.exe
O4 - HKLM\..\Run: [Ssg] C:\WINDOWS\System32\Tat.exe
O4 - HKLM\..\Run: [Otm] C:\WINDOWS\System32\Dij.exe
O4 - HKLM\..\Run: [Ncb] C:\WINDOWS\System32\Cpd.exe
O4 - HKLM\..\Run: [Pga] C:\WINDOWS\System32\Hqm.exe
O4 - HKLM\..\Run: [Kso] C:\WINDOWS\Fir.exe
O4 - HKLM\..\Run: [Mqv] C:\WINDOWS\System32\Veg.exe
O4 - HKLM\..\Run: [Ucu] C:\WINDOWS\Tsn.exe
O4 - HKLM\..\Run: [Jhb] C:\WINDOWS\System32\Aeb.exe
O4 - HKCU\..\Run: [Pei] C:\WINDOWS\System32\Juk.exe
O4 - HKCU\..\Run: [Ukl] C:\WINDOWS\System32\Oqk.exe
O4 - HKCU\..\Run: [Jlt] C:\WINDOWS\System32\Mou.exe
O4 - HKCU\..\Run: [Htt] C:\WINDOWS\System32\Nsr.exe
O4 - HKCU\..\Run: [Aoj] C:\WINDOWS\System32\Bst.exe
O4 - HKCU\..\Run: [Vra] C:\WINDOWS\System32\Krj.exe
O4 - HKCU\..\Run: [Ihl] C:\WINDOWS\Hse.exe
O4 - HKCU\..\Run: [Hdq] C:\WINDOWS\Fhh.exe
O4 - HKCU\..\Run: [Gch] C:\WINDOWS\Qon.exe
O4 - HKCU\..\Run: [Ejj] C:\WINDOWS\Pks.exe
O4 - HKCU\..\Run: [Hfn] C:\WINDOWS\System32\Mca.exe
O4 - HKCU\..\Run: [Mot] C:\WINDOWS\System32\Sfs.exe
O4 - HKCU\..\Run: [Ssg] C:\WINDOWS\System32\Tat.exe
O4 - HKCU\..\Run: [Otm] C:\WINDOWS\System32\Dij.exe
O4 - HKCU\..\Run: [Ncb] C:\WINDOWS\System32\Cpd.exe
O4 - HKCU\..\Run: [Pga] C:\WINDOWS\System32\Hqm.exe
O4 - HKCU\..\Run: [Kso] C:\WINDOWS\Fir.exe
O4 - HKCU\..\Run: [Mqv] C:\WINDOWS\System32\Veg.exe
O4 - HKCU\..\Run: [Ucu] C:\WINDOWS\Tsn.exe
O4 - HKCU\..\Run: [Jhb] C:\WINDOWS\System32\Aeb.exe

+ c:\124841.exe
C:\WINDOWS\System32\tibs.exe

Before that, print out or save to disk the page linked above and follow every point

Do you know this one: O4 - HKCU\..\Run: [BASE FREE] C:\DOCUME~1\test\DANEAP~1\COALVG~1\WaveRoad.exe ??
Bobi
Added
09.04.2005 22:16:10
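As an added example (not code from this thread, nor from HijackThis or CWSshredder), here is a small Python triage script that applies the heuristics the reply above uses by hand: random three-letter executables dropped straight into C:\WINDOWS or System32, the same entry planted under both the HKLM and HKCU Run keys, an svchost.exe living outside System32, IE start/default pages pointed at a bare IP address, and hosts-file redirects. The sample lines are constructed, modelled on the logs posted in this thread; the rule names and the heuristics themselves are my own and are a starting point for review, not a verdict.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis and CWSshredder lines posted
# in this thread (same formats, same kinds of entries); not a real log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Pei] C:\WINDOWS\System32\Juk.exe
O4 - HKCU\..\Run: [Pei] C:\WINDOWS\System32\Juk.exe
O4 - HKLM\..\Run: [Ihl] C:\WINDOWS\Hse.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Komunikator] D:\tlen\tlen.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{084442CF-DD93-43CE-8777-47D2E86896BF}\SVCHOST.EXE
HOSTS: 127.0.0.3 www.iframe.biz
HOSTS: 127.0.0.1 localhost
"""

# HijackThis O4 line: hive, Run-key value name, command.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
# HijackThis R0/R1 line for an Internet Explorer page setting: setting name, URL.
IE_RE = re.compile(
    r'^R[0-3] - HK(?:LM|CU)\\Software\\Microsoft\\Internet Explorer\\\w+,(.+?) = (\S+)$')
# CWSshredder hosts-file line: address, host name.
HOSTS_RE = re.compile(r'^HOSTS: (\S+) (\S+)$')
# Heuristic from the thread: a random three-letter .exe dropped straight into
# C:\WINDOWS or C:\WINDOWS\System32 (Juk.exe, Hse.exe, Rdm.exe, ...).
DROPPER_RE = re.compile(r'^C:\\WINDOWS\\(?:System32\\)?[A-Za-z]{3}\.exe$', re.IGNORECASE)
IP_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def is_ip_literal(url):
    """True when the URL's host is a bare IPv4 address rather than a name."""
    host = urlparse(url).hostname or ''
    return bool(IP_RE.match(host))


def svchost_outside_system32(command):
    """True for an svchost.exe whose parent folder is not System32."""
    parts = command.strip('"').lower().split('\\')
    exe = parts[-1].split(' ')[0]
    parent = parts[-2] if len(parts) > 1 else ''
    return exe == 'svchost.exe' and parent != 'system32'


def triage(log_text):
    """Return (rule, evidence) pairs for every line that trips a heuristic."""
    findings = []
    hives_by_entry = defaultdict(set)  # (name, command) -> hives it appears under
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            hives_by_entry[(name, command)].add(hive)
            if DROPPER_RE.match(command):
                findings.append(('random-name-dropper', line))
            if svchost_outside_system32(command):
                findings.append(('svchost-outside-system32', line))
            continue
        m = IE_RE.match(line)
        if m and is_ip_literal(m.group(2)):
            findings.append(('ie-page-hijacked-to-ip', line))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group(2).lower() != 'localhost':
            findings.append(('hosts-redirect', line))
    # The droppers in the thread register themselves under both hives, so
    # removing only one copy leaves the other to restart them at next logon.
    for (name, command), hives in hives_by_entry.items():
        if hives == {'HKLM', 'HKCU'}:
            findings.append(('planted-in-both-hives', '[%s] %s' % (name, command)))
    return findings


if __name__ == '__main__':
    for rule, evidence in triage(SAMPLE_LOG):
        print('%-26s %s' % (rule, evidence))
```

Feed it a whole saved HijackThis or CWSshredder log and review the flagged lines before touching anything; a three-letter name alone is only a hint, so confirm each file's origin first.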
heeeeey!!
I also have this problem and I'd really ask you to check the log or whatever it is and tell me, very patiently, what to do with it next. please, and many thanks in advance:)

Logfile of HijackThis v1.99.0
Scan saved at 19:58:32, on 2005-04-09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
D:\Winamp\Winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\Juk.exe
C:\WINDOWS\System32\Services\{084442CF-DD93-43CE-8777-47D2E86896BF}\SVCHOST.EXE
C:\WINDOWS\System32\ctfmon.exe
c:\124841.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\Delux\PS2 Keyboard English Edition\keyboard.exe
c:\124841.exe
D:\SpywareGuard\sgmain.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
D:\SpywareGuard\sgbhp.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\intern~1\iexplore.exe
D:\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\tibs.exe
C:\WINDOWS\System32\tibs.exe
c:\124841.exe
c:\124841.exe
C:\Documents and Settings\test\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = "%1" /S
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O2 - BHO: (no name) - {A99E1618-98EC-98F3-7B56-50D9B27636B8} - C:\DOCUME~1\test\DANEAP~1\ONCECL~1\Inforef.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] D:\RealJukebox\tsystray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Bib City Info Window] C:\Documents and Settings\All Users\Dane aplikacji\Soft drv bib city\Forkkind.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Pei] C:\WINDOWS\System32\Juk.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\test\USTAWI~1\Temp\keep.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{084442CF-DD93-43CE-8777-47D2E86896BF}\SVCHOST.EXE
O4 - HKLM\..\Run: [Ukl] C:\WINDOWS\System32\Oqk.exe
O4 - HKLM\..\Run: [Jlt] C:\WINDOWS\System32\Mou.exe
O4 - HKLM\..\Run: [Htt] C:\WINDOWS\System32\Nsr.exe
O4 - HKLM\..\Run: [Aoj] C:\WINDOWS\System32\Bst.exe
O4 - HKLM\..\Run: [Vra] C:\WINDOWS\System32\Krj.exe
O4 - HKLM\..\Run: [Ihl] C:\WINDOWS\Hse.exe
O4 - HKLM\..\Run: [Hdq] C:\WINDOWS\Fhh.exe
O4 - HKLM\..\Run: [Gch] C:\WINDOWS\Qon.exe
O4 - HKLM\..\Run: [Ejj] C:\WINDOWS\Pks.exe
O4 - HKLM\..\Run: [Hfn] C:\WINDOWS\System32\Mca.exe
O4 - HKLM\..\Run: [Mot] C:\WINDOWS\System32\Sfs.exe
O4 - HKLM\..\Run: [Ssg] C:\WINDOWS\System32\Tat.exe
O4 - HKLM\..\Run: [Otm] C:\WINDOWS\System32\Dij.exe
O4 - HKLM\..\Run: [Ncb] C:\WINDOWS\System32\Cpd.exe
O4 - HKLM\..\Run: [Pga] C:\WINDOWS\System32\Hqm.exe
O4 - HKLM\..\Run: [Kso] C:\WINDOWS\Fir.exe
O4 - HKLM\..\Run: [Mqv] C:\WINDOWS\System32\Veg.exe
O4 - HKLM\..\Run: [Ucu] C:\WINDOWS\Tsn.exe
O4 - HKLM\..\Run: [Jhb] C:\WINDOWS\System32\Aeb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Komunikator] D:\tlen\tlen.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [BASE FREE] C:\DOCUME~1\test\DANEAP~1\COALVG~1\WaveRoad.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Pei] C:\WINDOWS\System32\Juk.exe
O4 - HKCU\..\Run: [Ukl] C:\WINDOWS\System32\Oqk.exe
O4 - HKCU\..\Run: [Jlt] C:\WINDOWS\System32\Mou.exe
O4 - HKCU\..\Run: [Htt] C:\WINDOWS\System32\Nsr.exe
O4 - HKCU\..\Run: [Aoj] C:\WINDOWS\System32\Bst.exe
O4 - HKCU\..\Run: [Vra] C:\WINDOWS\System32\Krj.exe
O4 - HKCU\..\Run: [Ihl] C:\WINDOWS\Hse.exe
O4 - HKCU\..\Run: [Hdq] C:\WINDOWS\Fhh.exe
O4 - HKCU\..\Run: [Gch] C:\WINDOWS\Qon.exe
O4 - HKCU\..\Run: [Ejj] C:\WINDOWS\Pks.exe
O4 - HKCU\..\Run: [Hfn] C:\WINDOWS\System32\Mca.exe
O4 - HKCU\..\Run: [Mot] C:\WINDOWS\System32\Sfs.exe
O4 - HKCU\..\Run: [Ssg] C:\WINDOWS\System32\Tat.exe
O4 - HKCU\..\Run: [Otm] C:\WINDOWS\System32\Dij.exe
O4 - HKCU\..\Run: [Ncb] C:\WINDOWS\System32\Cpd.exe
O4 - HKCU\..\Run: [Pga] C:\WINDOWS\System32\Hqm.exe
O4 - HKCU\..\Run: [Kso] C:\WINDOWS\Fir.exe
O4 - HKCU\..\Run: [Mqv] C:\WINDOWS\System32\Veg.exe
O4 - HKCU\..\Run: [Ucu] C:\WINDOWS\Tsn.exe
O4 - HKCU\..\Run: [Jhb] C:\WINDOWS\System32\Aeb.exe
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PS2 Keyboard English Edition.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EC2E6B-E144-476F-9635-9658082D0FC2}: NameServer = 10.100.0.254,194.204.152.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{46EC2E6B-E144-476F-9635-9658082D0FC2}: NameServer = 10.100.0.254,194.204.152.34
O17 - HKLM\System\CS2\Services\Tcpip\..\{46EC2E6B-E144-476F-9635-9658082D0FC2}: NameServer = 10.100.0.254,194.204.152.34
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
netspirit
Added
09.04.2005 21:59:14
I'd advise reading THIS thread; the problem of getting rid of the other symptoms should then clear up.
Bobi
Added
28.03.2005 18:31:26
Same as before - kill the process, delete the files, tick them in HJ and FIX:


C:\WINDOWS\System32\Snv.exe
O4 - HKLM\..\Run: [Rvt] C:\WINDOWS\Srl.exe
O4 - HKLM\..\Run: [Rqo] C:\WINDOWS\System32\Uao.exe
O4 - HKLM\..\Run: [Qoj] C:\WINDOWS\Uvt.exe
O4 - HKLM\..\Run: [Jnf] C:\WINDOWS\System32\Ppu.exe
O4 - HKLM\..\Run: [Kar] C:\WINDOWS\Iss.exe
O4 - HKLM\..\Run: [Hpk] C:\WINDOWS\System32\Snv.exe
O4 - HKLM\..\Run: [Hbf] C:\WINDOWS\Hqn.exe
O4 - HKCU\..\Run: [Rvt] C:\WINDOWS\Srl.exe
O4 - HKCU\..\Run: [Rqo] C:\WINDOWS\System32\Uao.exe
O4 - HKCU\..\Run: [Qoj] C:\WINDOWS\Uvt.exe
O4 - HKCU\..\Run: [Jnf] C:\WINDOWS\System32\Ppu.exe
O4 - HKCU\..\Run: [Kar] C:\WINDOWS\Iss.exe
O4 - HKCU\..\Run: [Hpk] C:\WINDOWS\System32\Snv.exe
O4 - HKCU\..\Run: [Hbf] C:\WINDOWS\Hqn.exe
EL NINO
Added
28.03.2005 18:15:56
Thanks...now tell me what next...(I did everything as I should have...I think :D and the problem's still there :oops:
Logfile of HijackThis v1.99.1
Scan saved at 09:47:41, on 2005-03-28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\Snv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Gadu-Gadu\gg.exe
D:\Norton\Norton AntiVirus\navapsvc.exe
D:\Norton\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\Norton\SPEEDD~1\nopdb.exe
C:\DOCUME~1\EWA\USTAWI~1\Temp\Rar$EX00.973\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsprint.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Rvt] C:\WINDOWS\Srl.exe
O4 - HKLM\..\Run: [Rqo] C:\WINDOWS\System32\Uao.exe
O4 - HKLM\..\Run: [Qoj] C:\WINDOWS\Uvt.exe
O4 - HKLM\..\Run: [Jnf] C:\WINDOWS\System32\Ppu.exe
O4 - HKLM\..\Run: [Kar] C:\WINDOWS\Iss.exe
O4 - HKLM\..\Run: [Hpk] C:\WINDOWS\System32\Snv.exe
O4 - HKLM\..\Run: [Hbf] C:\WINDOWS\Hqn.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Rvt] C:\WINDOWS\Srl.exe
O4 - HKCU\..\Run: [Rqo] C:\WINDOWS\System32\Uao.exe
O4 - HKCU\..\Run: [Qoj] C:\WINDOWS\Uvt.exe
O4 - HKCU\..\Run: [Jnf] C:\WINDOWS\System32\Ppu.exe
O4 - HKCU\..\Run: [Kar] C:\WINDOWS\Iss.exe
O4 - HKCU\..\Run: [Hpk] C:\WINDOWS\System32\Snv.exe
O4 - HKCU\..\Run: [Hbf] C:\WINDOWS\Hqn.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.3/g_bin/pl/solitaire_2_0_0_18.cab
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_15.cab
O16 – DPF: {1A781DED–C22D–4153–3213–A3211E29DF13} (GameDesire Card Games) – http://67.15.101.3/g_bin/pl/cards_2_0_0_60.cab
O16 – DPF: {31B7EB4E–8B4B–11D1–A789–00A0CC6651A8} (Cult3D ActiveX Player) – http://www.cult3d.com/download/cult.cab
O16 – DPF: {41ACD49D–1974–791A–0981–AA9872721044} (GINBOARDS Class) – http://67.15.101.3/g_bin/pl/boards_2_0_0_18.cab
O16 – DPF: {4B4513E2–4E57–43DF–9496–FCD37E9DFA64} (GameDesire Sea Battle) – http://67.15.101.3/g_bin/pl/navy_2_0_0_17.cab
O16 – DPF: {A1FE3DE0–CF77–11D4–8340–0080C8D7ED4A} (GameDesire Pinball Demon) – http://67.15.101.3/g_bin/pl/demon_2_0_0_18.cab
O16 – DPF: {BFA1F11D–3121–AFE1–4112–894323212DAC} (GameDesire Word Games) – http://67.15.101.3/g_bin/pl/words_2_0_0_35.cab
O16 – DPF: {BFA1F11D–3121–AFE1–4112–983219421AEF} (GameDesire 1Player Word Games) – http://67.15.101.3/g_bin/pl/wordssingle_2_0_0_34.cab
O16 – DPF: {E23FABEE–12E3–33DA–DA12–195DAC123984} (GameDesire Mahjong) – http://67.15.101.3/g_bin/pl/mahjong_2_0_0_18.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
O16 – DPF: {FDDBE2B8–6602–4AD8–946D–94C5A32FA6C1} (GameDesire Pool 8) – http://67.15.101.3/g_bin/pl/billard8_2_0_0_21.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{C41805F9–C5CD–4B95–9DE3–B1F876EBC47E}: NameServer = 194.204.152.34,194.204.153.1
O17 – HKLM\System\CS1\Services\Tcpip\..\{C41805F9–C5CD–4B95–9DE3–B1F876EBC47E}: NameServer = 194.204.152.34,194.204.153.1
O17 – HKLM\System\CS2\Services\Tcpip\..\{C41805F9–C5CD–4B95–9DE3–B1F876EBC47E}: NameServer = 194.204.152.34,194.204.153.1
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Password Validation Service (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Norton AntiVirus Auto Protect Service (navapsvc) – Symantec Corporation – D:\Norton\Norton AntiVirus\navapsvc.exe
O23 – Service: Norton Unerase Protection (NProtectService) – Symantec Corporation – D:\Norton\Norton Utilities\NPROTECT.EXE
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
O23 – Service: ScriptBlocking Service (SBService) – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Speed Disk service – Symantec Corporation – D:\Norton\SPEEDD~1\nopdb.exe
Evcia
Added
28.03.2005 11:52:11
Evcia:
I have the problem from this topic, of course :wink:
Looking at your log, all one can say is: oh f..k :P .

Kill the processes and then delete these files from the disk:

C:\WINDOWS\Umt.exe
C:\WINDOWS\System32\keycz1.exe
C:\WINDOWS\System32\jetl386.exe
C:\WINDOWS\System32\lclo.exe
C:\WINDOWS\System32\??rss.exe


Also delete from the disk the files you'll find below and, if necessary, kill their processes too (if they are running, of course). Check them in HJ and press Fix checked:

R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 – BHO: (no name) – {3998CB61–25AE–2500–D586–564045EDAE92} – C:\WINDOWS\System32\eplzyof.dll
O2 – BHO: (no name) – {62919E69–7CA8–2D03–D586–564045EDAE93} – C:\WINDOWS\System32\eplzyof.dll
O4 – HKLM\..\Run: [Dsv] C:\WINDOWS\System32\Qkc.exe
O4 – HKLM\..\Run: [Doh] C:\WINDOWS\Far.exe
O4 – HKLM\..\Run: [Qms] C:\WINDOWS\Smc.exe
O4 – HKLM\..\Run: [Lqo] C:\WINDOWS\Oid.exe
O4 – HKLM\..\Run: [Prm] C:\WINDOWS\Qdi.exe
O4 – HKLM\..\Run: [Ahr] C:\WINDOWS\System32\Dmc.exe
O4 – HKLM\..\Run: [Hou] C:\WINDOWS\Umt.exe
O4 – HKLM\..\Run: [Kbt] C:\WINDOWS\Tuh.exe
O4 – HKLM\..\Run: [Lrc] C:\WINDOWS\Ohi.exe
O4 – HKLM\..\Run: [Tkq] C:\WINDOWS\System32\Cfi.exe
O4 – HKLM\..\Run: [Iae] C:\WINDOWS\System32\Fes.exe
O4 – HKLM\..\Run: [Pni] C:\WINDOWS\Aat.exe
O4 – HKLM\..\Run: [Lfu] C:\WINDOWS\System32\Spu.exe
O4 – HKLM\..\Run: [Qsr] C:\WINDOWS\Grd.exe
O4 – HKLM\..\Run: [t74X37h] keycz1.exe
O4 – HKLM\..\Run: [Vnn] C:\WINDOWS\System32\Kjb.exe
O4 – HKLM\..\Run: [Njn] C:\WINDOWS\System32\Sjt.exe
O4 – HKLM\..\Run: [Nto] C:\WINDOWS\System32\Fru.exe
O4 – HKLM\..\Run: [Cgk] C:\WINDOWS\System32\Otj.exe
O4 – HKLM\..\Run: [Evl] C:\WINDOWS\Pgv.exe
O4 – HKLM\..\Run: [Tap] C:\WINDOWS\Qsg.exe
O4 – HKLM\..\Run: [Drs] C:\WINDOWS\Eoj.exe
O4 – HKLM\..\Run: [Rsv] C:\WINDOWS\System32\Guq.exe
O4 – HKLM\..\Run: [Pud] C:\WINDOWS\System32\Boc.exe
O4 – HKLM\..\Run: [Gbp] C:\WINDOWS\Jjn.exe
O4 – HKLM\..\Run: [Aog] C:\WINDOWS\System32\Cek.exe
O4 – HKLM\..\Run: [Alh] C:\WINDOWS\System32\Idh.exe
O4 – HKLM\..\Run: [Rdi] C:\WINDOWS\System32\Nvu.exe
O4 – HKLM\..\Run: [Mme] C:\WINDOWS\Bjv.exe
O4 – HKLM\..\Run: [Sog] C:\WINDOWS\Ceb.exe
O4 – HKLM\..\Run: [Sdn] C:\WINDOWS\Vit.exe
O4 – HKLM\..\Run: [Nus] C:\WINDOWS\Bpf.exe
O4 – HKLM\..\Run: [Qse] C:\WINDOWS\System32\Tan.exe
O4 – HKLM\..\Run: [Com] C:\WINDOWS\System32\Gch.exe
O4 – HKLM\..\Run: [Nad] C:\WINDOWS\Dgl.exe
O4 – HKLM\..\Run: [Pal] C:\WINDOWS\System32\Aso.exe
O4 – HKLM\..\Run: [Mjh] C:\WINDOWS\Dss.exe
O4 – HKLM\..\Run: [Ror] C:\WINDOWS\System32\Jod.exe
O4 – HKCU\..\Run: [Dsv] C:\WINDOWS\System32\Qkc.exe
O4 – HKCU\..\Run: [cwv7RXNmQ] jetl386.exe
O4 – HKCU\..\Run: [Aehh] C:\WINDOWS\System32\lclo.exe
O4 – HKCU\..\Run: [Dmjybjlw] C:\WINDOWS\System32\??rss.exe
O4 – HKCU\..\Run: [Doh] C:\WINDOWS\Far.exe
O4 – HKCU\..\Run: [Qms] C:\WINDOWS\Smc.exe
O4 – HKCU\..\Run: [Lqo] C:\WINDOWS\Oid.exe
O4 – HKCU\..\Run: [Prm] C:\WINDOWS\Qdi.exe
O4 – HKCU\..\Run: [Ahr] C:\WINDOWS\System32\Dmc.exe
O4 – HKCU\..\Run: [Hou] C:\WINDOWS\Umt.exe
O4 – HKCU\..\Run: [Lrc] C:\WINDOWS\Ohi.exe
O4 – HKCU\..\Run: [Tkq] C:\WINDOWS\System32\Cfi.exe
O4 – HKCU\..\Run: [Iae] C:\WINDOWS\System32\Fes.exe
O4 – HKCU\..\Run: [Pni] C:\WINDOWS\Aat.exe
O4 – HKCU\..\Run: [Qsr] C:\WINDOWS\Grd.exe
O4 – HKCU\..\Run: [Vnn] C:\WINDOWS\System32\Kjb.exe
O4 – HKCU\..\Run: [Njn] C:\WINDOWS\System32\Sjt.exe
O4 – HKCU\..\Run: [Nto] C:\WINDOWS\System32\Fru.exe
O4 – HKCU\..\Run: [Cgk] C:\WINDOWS\System32\Otj.exe
O4 – HKCU\..\Run: [Evl] C:\WINDOWS\Pgv.exe
O4 – HKCU\..\Run: [Tap] C:\WINDOWS\Qsg.exe
O4 – HKCU\..\Run: [Drs] C:\WINDOWS\Eoj.exe
O4 – HKCU\..\Run: [Rsv] C:\WINDOWS\System32\Guq.exe
O4 – HKCU\..\Run: [Pud] C:\WINDOWS\System32\Boc.exe
O4 – HKCU\..\Run: [Gbp] C:\WINDOWS\Jjn.exe
O4 – HKCU\..\Run: [Aog] C:\WINDOWS\System32\Cek.exe
O4 – HKCU\..\Run: [Alh] C:\WINDOWS\System32\Idh.exe
O4 – HKCU\..\Run: [Rdi] C:\WINDOWS\System32\Nvu.exe
O4 – HKCU\..\Run: [Mme] C:\WINDOWS\Bjv.exe
O4 – HKCU\..\Run: [Sog] C:\WINDOWS\Ceb.exe
O4 – HKCU\..\Run: [Sdn] C:\WINDOWS\Vit.exe
O4 – HKCU\..\Run: [Nus] C:\WINDOWS\Bpf.exe
O4 – HKCU\..\Run: [Qse] C:\WINDOWS\System32\Tan.exe
O4 – HKCU\..\Run: [Nad] C:\WINDOWS\Dgl.exe
O4 – HKCU\..\Run: [Pal] C:\WINDOWS\System32\Aso.exe
O4 – HKCU\..\Run: [Mjh] C:\WINDOWS\Dss.exe
O4 – HKCU\..\Run: [Ror] C:\WINDOWS\System32\Jod.exe
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O15 – Trusted Zone: *.blazefind.com
O15 – Trusted Zone: *.clickspring.net
O15 – Trusted Zone: *.flingstone.com
O15 – Trusted Zone: *.iframedollars.biz
O15 – Trusted Zone: *.mt–download.com
O15 – Trusted Zone: *.my–internet.info
O15 – Trusted Zone: *.searchbarcash.com
O15 – Trusted Zone: *.searchmiracle.com
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotch.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.xxxtoolbar.com
O15 – Trusted Zone: *.ysbweb.com
O15 – Trusted Zone: *.blazefind.com (HKLM)
O15 – Trusted Zone: *.clickspring.net (HKLM)
O15 – Trusted Zone: *.flingstone.com (HKLM)
O15 – Trusted Zone: *.iframedollars.biz (HKLM)
O15 – Trusted Zone: *.mt–download.com (HKLM)
O15 – Trusted Zone: *.my–internet.info (HKLM)
O15 – Trusted Zone: *.searchbarcash.com (HKLM)
O15 – Trusted Zone: *.searchmiracle.com (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotch.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 – Trusted Zone: *.ysbweb.com (HKLM)
O15 – Trusted IP range: 213.159.117.202
O15 – Trusted IP range: 213.159.117.202 (HKLM)
O16 – DPF: {79849612–A98F–45B8–95E9–4D13C7B6B35C} (Loader2 Control) – http://iframedollars.biz/tb/loader2.ocx


Open the HOSTS file in Notepad and change every "127.0.0.3" entry to "127.0.0.1":
O1 – Hosts: 127.0.0.3 n–glx.s–redirect.com
O1 – Hosts: 127.0.0.3 x.full–tgp.net
O1 – Hosts: 127.0.0.3 counter.sexmaniack.com
O1 – Hosts: 127.0.0.3 autoescrowpay.com
O1 – Hosts: 127.0.0.3 www.autoescrowpay.com
O1 – Hosts: 127.0.0.3 www.awmdabest.com
O1 – Hosts: 127.0.0.3 www.sexfiles.nu
O1 – Hosts: 127.0.0.3 awmdabest.com
O1 – Hosts: 127.0.0.3 sexfiles.nu
O1 – Hosts: 127.0.0.3 allforadult.com
O1 – Hosts: 127.0.0.3 www.allforadult.com
O1 – Hosts: 127.0.0.3 www.iframe.biz
O1 – Hosts: 127.0.0.3 iframe.biz
O1 – Hosts: 127.0.0.3 www.newiframe.biz
O1 – Hosts: 127.0.0.3 newiframe.biz
O1 – Hosts: 127.0.0.3 www.vesbiz.biz
O1 – Hosts: 127.0.0.3 vesbiz.biz
O1 – Hosts: 127.0.0.3 www.Pamela.biz
O1 – Hosts: 127.0.0.3 Pamela.biz
O1 – Hosts: 127.0.0.3 www.aaasexypics.com
O1 – Hosts: 127.0.0.3 aaasexypics.com
O1 – Hosts: 127.0.0.3 www.virgin–tgp.net
O1 – Hosts: 127.0.0.3 virgin–tgp.net
O1 – Hosts: 127.0.0.3 www.awmcash.biz
O1 – Hosts: 127.0.0.3 awmcash.biz
O1 – Hosts: 127.0.0.3 buldog–stats.com
O1 – Hosts: 127.0.0.3 www.buldog–stats.com
O1 – Hosts: 127.0.0.3 fregat.drocherway.com
O1 – Hosts: 127.0.0.3 slutmania.biz
O1 – Hosts: 127.0.0.3 www.slutmania.biz
O1 – Hosts: 127.0.0.3 toolbarpartner.com
O1 – Hosts: 127.0.0.3 www.toolbarpartner.com
O1 – Hosts: 127.0.0.3 www.megapornix.com
O1 – Hosts: 127.0.0.3 megapornix.com
O1 – Hosts: 127.0.0.3 www.sp2fucked.biz
O1 – Hosts: 127.0.0.3 sp2fucked.biz
O1 – Hosts: 127.0.0.3 greg–tut.com
O1 – Hosts: 127.0.0.3 www.greg–tut.com
O1 – Hosts: 127.0.0.3 nylonsexy.com
O1 – Hosts: 127.0.0.3 www.nylonsexy.com
O1 – Hosts: 127.0.0.3 vparivalka.com
O1 – Hosts: 127.0.0.3 www.vparivalka.com
EL NINO
Added
27.03.2005 23:13:56
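As an added example that is not part of the thread (and not HijackThis's own code), the script below triages HijackThis-style lines for the three things the reply above asks the poster to fix and applies the HOSTS rewrite it suggests. The sample lines are constructed from entries quoted on this page; the regular expressions and the three-letter-name heuristic are assumptions of this example.

```python
"""Triage for HijackThis-style log lines (added example; not from the thread or HijackThis).

Flags the three things the reply tells the poster to fix and applies the HOSTS fix it
suggests. The regexes and the "random three-letter name" heuristic are this example's own
assumptions about the log format, not rules taken from HijackThis.
"""
import re

# Real HijackThis output separates fields with " - "; the copy on this page shows " – "
# (en dash) instead, so both separators are accepted.
SEP = r"\s+[-\u2013]\s+"
LINE_RE = re.compile(r"^(?P<type>[RO]\d+)" + SEP + r"(?P<body>.*)$")
O1_RE = re.compile(r"^Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
O15_RE = re.compile(r"^Trusted (?:Zone|IP range):\s+(?P<target>\S+)")

LOOPBACK = "127.0.0.1"
# Names like [Dsv], [Qkc], [Hou] seen in the logs above; vendor entries ([ccApp],
# [NvCplDaemon], [Skype]) are longer or mixed-case. A heuristic, not a signature.
RANDOM_NAME_RE = re.compile(r"^[A-Z][a-z]{2}$")
# Dropped straight into C:\WINDOWS or C:\WINDOWS\System32 rather than under Program Files.
WINDOWS_DIR_RE = re.compile(r'^"?C:\\WINDOWS\\(?:System32\\)?[A-Za-z0-9_]+\.exe"?$', re.IGNORECASE)


def parse_line(line):
    """Split a log line into (entry type, body); None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    return (m.group("type"), m.group("body")) if m else None


def triage(lines):
    """Return suspicious entries grouped by the fix the reply asks for (duplicates dropped)."""
    found = {"hosts_redirect": [], "random_autorun": [], "trusted_zone": []}

    def add(bucket, item):
        if item not in found[bucket]:
            found[bucket].append(item)

    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        kind, body = parsed
        if kind == "O1":
            # A hosts entry that does not point at plain loopback is a redirect, not a block.
            m = O1_RE.match(body)
            if m and m.group("ip") != LOOPBACK:
                add("hosts_redirect", (m.group("ip"), m.group("host")))
        elif kind == "O4":
            m = O4_RE.match(body)
            if m and RANDOM_NAME_RE.match(m.group("name")) and WINDOWS_DIR_RE.match(m.group("cmd")):
                add("random_autorun", (m.group("hive"), m.group("name"), m.group("cmd")))
        elif kind == "O15":
            # Anything added to IE's Trusted Zone relaxes browser restrictions for that site.
            m = O15_RE.match(body)
            if m:
                add("trusted_zone", m.group("target"))
    return found


def fix_hosts_entry(line):
    """The reply's HOSTS fix: rewrite a 127.0.0.3 entry as a 127.0.0.1 entry.

    Returns the corrected hosts-file line, or None if the line is not an O1 entry.
    """
    parsed = parse_line(line)
    if parsed is None or parsed[0] != "O1":
        return None
    m = O1_RE.match(parsed[1])
    if not m:
        return None
    ip = LOOPBACK if m.group("ip") == "127.0.0.3" else m.group("ip")
    return f"{ip} {m.group('host')}"


# Constructed sample, built from entries quoted in the logs on this page.
SAMPLE_LOG = [
    "O1 - Hosts: 127.0.0.3 iframe.biz",
    "O1 \u2013 Hosts: 127.0.0.3 www.iframe.biz",  # en-dash variant as pasted on the page
    r"O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [Dsv] C:\WINDOWS\System32\Qkc.exe",
    r"O4 - HKCU\..\Run: [Dsv] C:\WINDOWS\System32\Qkc.exe",
    r"O4 - HKLM\..\Run: [Hou] C:\WINDOWS\Umt.exe",
    "O15 - Trusted Zone: *.iframedollars.biz",
    "O15 - Trusted Zone: *.iframedollars.biz (HKLM)",
    "O15 - Trusted IP range: 213.159.117.202",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton\Norton AntiVirus\NavShExt.dll",
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        print(bucket)
        for entry in entries:
            print("   ", entry)
    for line in SAMPLE_LOG:
        fixed = fix_hosts_entry(line)
        if fixed:
            print("hosts:", fixed)
```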
Could someone check this wretched log for me...? And if possible, tell me as "simply" as you can what to do about it (I have the problem from this topic, of course :wink: ), because I'm already getting lost in all of this :oops: Thanks in advance...
Logfile of HijackThis v1.99.1
Scan saved at 19:59:26, on 2005–03–27
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Norton\Norton AntiVirus\navapsvc.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D–Tools\daemon.exe
C:\Program Files\Hewlett–Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett–Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\Umt.exe
C:\WINDOWS\System32\keycz1.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\jetl386.exe
C:\WINDOWS\System32\lclo.exe
C:\WINDOWS\System32\??rss.exe
D:\Norton\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\Norton\SPEEDD~1\nopdb.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\EWA\USTAWI~1\Temp\Rar$EX00.246\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsprint.pl/
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 – Hosts: 127.0.0.3 n–glx.s–redirect.com
O1 – Hosts: 127.0.0.3 x.full–tgp.net
O1 – Hosts: 127.0.0.3 counter.sexmaniack.com
O1 – Hosts: 127.0.0.3 autoescrowpay.com
O1 – Hosts: 127.0.0.3 www.autoescrowpay.com
O1 – Hosts: 127.0.0.3 www.awmdabest.com
O1 – Hosts: 127.0.0.3 www.sexfiles.nu
O1 – Hosts: 127.0.0.3 awmdabest.com
O1 – Hosts: 127.0.0.3 sexfiles.nu
O1 – Hosts: 127.0.0.3 allforadult.com
O1 – Hosts: 127.0.0.3 www.allforadult.com
O1 – Hosts: 127.0.0.3 www.iframe.biz
O1 – Hosts: 127.0.0.3 iframe.biz
O1 – Hosts: 127.0.0.3 www.newiframe.biz
O1 – Hosts: 127.0.0.3 newiframe.biz
O1 – Hosts: 127.0.0.3 www.vesbiz.biz
O1 – Hosts: 127.0.0.3 vesbiz.biz
O1 – Hosts: 127.0.0.3 www.pizdato.biz
O1 – Hosts: 127.0.0.3 pizdato.biz
O1 – Hosts: 127.0.0.3 www.aaasexypics.com
O1 – Hosts: 127.0.0.3 aaasexypics.com
O1 – Hosts: 127.0.0.3 www.virgin–tgp.net
O1 – Hosts: 127.0.0.3 virgin–tgp.net
O1 – Hosts: 127.0.0.3 www.awmcash.biz
O1 – Hosts: 127.0.0.3 awmcash.biz
O1 – Hosts: 127.0.0.3 buldog–stats.com
O1 – Hosts: 127.0.0.3 www.buldog–stats.com
O1 – Hosts: 127.0.0.3 fregat.drocherway.com
O1 – Hosts: 127.0.0.3 slutmania.biz
O1 – Hosts: 127.0.0.3 www.slutmania.biz
O1 – Hosts: 127.0.0.3 toolbarpartner.com
O1 – Hosts: 127.0.0.3 www.toolbarpartner.com
O1 – Hosts: 127.0.0.3 www.megapornix.com
O1 – Hosts: 127.0.0.3 megapornix.com
O1 – Hosts: 127.0.0.3 www.sp2fucked.biz
O1 – Hosts: 127.0.0.3 sp2fucked.biz
O1 – Hosts: 127.0.0.3 greg–tut.com
O1 – Hosts: 127.0.0.3 www.greg–tut.com
O1 – Hosts: 127.0.0.3 nylonsexy.com
O1 – Hosts: 127.0.0.3 www.nylonsexy.com
O1 – Hosts: 127.0.0.3 vparivalka.com
O1 – Hosts: 127.0.0.3 www.vparivalka.com
O2 – BHO: (no name) – {3998CB61–25AE–2500–D586–564045EDAE92} – C:\WINDOWS\System32\eplzyof.dll
O2 – BHO: (no name) – {62919E69–7CA8–2D03–D586–564045EDAE93} – C:\WINDOWS\System32\eplzyof.dll
O2 – BHO: NAV Helper – {BDF3E430–B101–42AD–A544–FADC6B084872} – D:\Norton\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – D:\Norton\Norton AntiVirus\NavShExt.dll
O4 – HKLM\..\Run: [SystemTray] SysTray.Exe
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 – HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 – HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 – HKLM\..\Run: [DAEMON Tools–1033] "C:\Program Files\D–Tools\daemon.exe" –lang 1033
O4 – HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett–Packard\HP Software Update\HPWuSchd.exe"
O4 – HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 – HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 – HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett–Packard\Digital Imaging\bin\hpotdd01.exe
O4 – HKLM\..\Run: [Dsv] C:\WINDOWS\System32\Qkc.exe
O4 – HKLM\..\Run: [Doh] C:\WINDOWS\Far.exe
O4 – HKLM\..\Run: [Qms] C:\WINDOWS\Smc.exe
O4 – HKLM\..\Run: [Lqo] C:\WINDOWS\Oid.exe
O4 – HKLM\..\Run: [Prm] C:\WINDOWS\Qdi.exe
O4 – HKLM\..\Run: [Ahr] C:\WINDOWS\System32\Dmc.exe
O4 – HKLM\..\Run: [Hou] C:\WINDOWS\Umt.exe
O4 – HKLM\..\Run: [Kbt] C:\WINDOWS\Tuh.exe
O4 – HKLM\..\Run: [Lrc] C:\WINDOWS\Ohi.exe
O4 – HKLM\..\Run: [Tkq] C:\WINDOWS\System32\Cfi.exe
O4 – HKLM\..\Run: [Iae] C:\WINDOWS\System32\Fes.exe
O4 – HKLM\..\Run: [Pni] C:\WINDOWS\Aat.exe
O4 – HKLM\..\Run: [Lfu] C:\WINDOWS\System32\Spu.exe
O4 – HKLM\..\Run: [Qsr] C:\WINDOWS\Grd.exe
O4 – HKLM\..\Run: [t74X37h] keycz1.exe
O4 – HKLM\..\Run: [Vnn] C:\WINDOWS\System32\Kjb.exe
O4 – HKLM\..\Run: [Njn] C:\WINDOWS\System32\Sjt.exe
O4 – HKLM\..\Run: [Nto] C:\WINDOWS\System32\Fru.exe
O4 – HKLM\..\Run: [Cgk] C:\WINDOWS\System32\Otj.exe
O4 – HKLM\..\Run: [Evl] C:\WINDOWS\Pgv.exe
O4 – HKLM\..\Run: [Tap] C:\WINDOWS\Qsg.exe
O4 – HKLM\..\Run: [Drs] C:\WINDOWS\Eoj.exe
O4 – HKLM\..\Run: [Rsv] C:\WINDOWS\System32\Guq.exe
O4 – HKLM\..\Run: [Pud] C:\WINDOWS\System32\Boc.exe
O4 – HKLM\..\Run: [Gbp] C:\WINDOWS\Jjn.exe
O4 – HKLM\..\Run: [Aog] C:\WINDOWS\System32\Cek.exe
O4 – HKLM\..\Run: [Alh] C:\WINDOWS\System32\Idh.exe
O4 – HKLM\..\Run: [Rdi] C:\WINDOWS\System32\Nvu.exe
O4 – HKLM\..\Run: [Mme] C:\WINDOWS\Bjv.exe
O4 – HKLM\..\Run: [Sog] C:\WINDOWS\Ceb.exe
O4 – HKLM\..\Run: [Sdn] C:\WINDOWS\Vit.exe
O4 – HKLM\..\Run: [Nus] C:\WINDOWS\Bpf.exe
O4 – HKLM\..\Run: [Qse] C:\WINDOWS\System32\Tan.exe
O4 – HKLM\..\Run: [Com] C:\WINDOWS\System32\Gch.exe
O4 – HKLM\..\Run: [Nad] C:\WINDOWS\Dgl.exe
O4 – HKLM\..\Run: [Pal] C:\WINDOWS\System32\Aso.exe
O4 – HKLM\..\Run: [Mjh] C:\WINDOWS\Dss.exe
O4 – HKLM\..\Run: [Ror] C:\WINDOWS\System32\Jod.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – HKCU\..\Run: [Gadu–Gadu] "D:\Gadu–Gadu\gg.exe" /tray
O4 – HKCU\..\Run: [Dsv] C:\WINDOWS\System32\Qkc.exe
O4 – HKCU\..\Run: [cwv7RXNmQ] jetl386.exe
O4 – HKCU\..\Run: [Aehh] C:\WINDOWS\System32\lclo.exe
O4 – HKCU\..\Run: [Dmjybjlw] C:\WINDOWS\System32\??rss.exe
O4 – HKCU\..\Run: [Doh] C:\WINDOWS\Far.exe
O4 – HKCU\..\Run: [Qms] C:\WINDOWS\Smc.exe
O4 – HKCU\..\Run: [Lqo] C:\WINDOWS\Oid.exe
O4 – HKCU\..\Run: [Prm] C:\WINDOWS\Qdi.exe
O4 – HKCU\..\Run: [Ahr] C:\WINDOWS\System32\Dmc.exe
O4 – HKCU\..\Run: [Hou] C:\WINDOWS\Umt.exe
O4 – HKCU\..\Run: [Lrc] C:\WINDOWS\Ohi.exe
O4 – HKCU\..\Run: [Tkq] C:\WINDOWS\System32\Cfi.exe
O4 – HKCU\..\Run: [Iae] C:\WINDOWS\System32\Fes.exe
O4 – HKCU\..\Run: [Pni] C:\WINDOWS\Aat.exe
O4 – HKCU\..\Run: [Qsr] C:\WINDOWS\Grd.exe
O4 – HKCU\..\Run: [Vnn] C:\WINDOWS\System32\Kjb.exe
O4 – HKCU\..\Run: [Njn] C:\WINDOWS\System32\Sjt.exe
O4 – HKCU\..\Run: [Nto] C:\WINDOWS\System32\Fru.exe
O4 – HKCU\..\Run: [Cgk] C:\WINDOWS\System32\Otj.exe
O4 – HKCU\..\Run: [Evl] C:\WINDOWS\Pgv.exe
O4 – HKCU\..\Run: [Tap] C:\WINDOWS\Qsg.exe
O4 – HKCU\..\Run: [Drs] C:\WINDOWS\Eoj.exe
O4 – HKCU\..\Run: [Rsv] C:\WINDOWS\System32\Guq.exe
O4 – HKCU\..\Run: [Pud] C:\WINDOWS\System32\Boc.exe
O4 – HKCU\..\Run: [Gbp] C:\WINDOWS\Jjn.exe
O4 – HKCU\..\Run: [Aog] C:\WINDOWS\System32\Cek.exe
O4 – HKCU\..\Run: [Alh] C:\WINDOWS\System32\Idh.exe
O4 – HKCU\..\Run: [Rdi] C:\WINDOWS\System32\Nvu.exe
O4 – HKCU\..\Run: [Mme] C:\WINDOWS\Bjv.exe
O4 – HKCU\..\Run: [Sog] C:\WINDOWS\Ceb.exe
O4 – HKCU\..\Run: [Sdn] C:\WINDOWS\Vit.exe
O4 – HKCU\..\Run: [Nus] C:\WINDOWS\Bpf.exe
O4 – HKCU\..\Run: [Qse] C:\WINDOWS\System32\Tan.exe
O4 – HKCU\..\Run: [Nad] C:\WINDOWS\Dgl.exe
O4 – HKCU\..\Run: [Pal] C:\WINDOWS\System32\Aso.exe
O4 – HKCU\..\Run: [Mjh] C:\WINDOWS\Dss.exe
O4 – HKCU\..\Run: [Ror] C:\WINDOWS\System32\Jod.exe
O4 – Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O15 – Trusted Zone: *.blazefind.com
O15 – Trusted Zone: *.clickspring.net
O15 – Trusted Zone: *.flingstone.com
O15 – Trusted Zone: *.iframedollars.biz
O15 – Trusted Zone: *.mt–download.com
O15 – Trusted Zone: *.my–internet.info
O15 – Trusted Zone: *.searchbarcash.com
O15 – Trusted Zone: *.searchmiracle.com
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotch.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.xxxtoolbar.com
O15 – Trusted Zone: *.ysbweb.com
O15 – Trusted Zone: *.blazefind.com (HKLM)
O15 – Trusted Zone: *.clickspring.net (HKLM)
O15 – Trusted Zone: *.flingstone.com (HKLM)
O15 – Trusted Zone: *.iframedollars.biz (HKLM)
O15 – Trusted Zone: *.mt–download.com (HKLM)
O15 – Trusted Zone: *.my–internet.info (HKLM)
O15 – Trusted Zone: *.searchbarcash.com (HKLM)
O15 – Trusted Zone: *.searchmiracle.com (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotch.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 – Trusted Zone: *.ysbweb.com (HKLM)
O15 – Trusted IP range: 213.159.117.202
O15 – Trusted IP range: 213.159.117.202 (HKLM)
O16 – DPF: Win32 Classes – file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 – DPF: {112857FE–03FF–11D5–9A3F–0080C8D85044} (GameDesire Solitaires) – http://67.15.101.3/g_bin/pl/solitaire_2_0_0_18.cab
O16 – DPF: {18506D80–9B80–11D4–82C2–0080C8D7ED4A} (GameDesire Roulette) – http://67.15.101.3/g_bin/pl/roulette_2_0_0_15.cab
O16 – DPF: {1A781DED–C22D–4153–3213–A3211E29DF13} (GameDesire Card Games) – http://67.15.101.3/g_bin/pl/cards_2_0_0_60.cab
O16 – DPF: {31B7EB4E–8B4B–11D1–A789–00A0CC6651A8} (Cult3D ActiveX Player) – http://www.cult3d.com/download/cult.cab
O16 – DPF: {41ACD49D–1974–791A–0981–AA9872721044} (GINBOARDS Class) – http://67.15.101.3/g_bin/pl/boards_2_0_0_18.cab
O16 – DPF: {4B4513E2–4E57–43DF–9496–FCD37E9DFA64} (GameDesire Sea Battle) – http://67.15.101.3/g_bin/pl/navy_2_0_0_17.cab
O16 – DPF: {79849612–A98F–45B8–95E9–4D13C7B6B35C} (Loader2 Control) – http://iframedollars.biz/tb/loader2.ocx
O16 – DPF: {A1FE3DE0–CF77–11D4–8340–0080C8D7ED4A} (GameDesire Pinball Demon) – http://67.15.101.3/g_bin/pl/demon_2_0_0_18.cab
O16 – DPF: {BFA1F11D–3121–AFE1–4112–894323212DAC} (GameDesire Word Games) – http://67.15.101.3/g_bin/pl/words_2_0_0_35.cab
O16 – DPF: {BFA1F11D–3121–AFE1–4112–983219421AEF} (GameDesire 1Player Word Games) – http://67.15.101.3/g_bin/pl/wordssingle_2_0_0_34.cab
O16 – DPF: {E23FABEE–12E3–33DA–DA12–195DAC123984} (GameDesire Mahjong) – http://67.15.101.3/g_bin/pl/mahjong_2_0_0_18.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
O16 – DPF: {FDDBE2B8–6602–4AD8–946D–94C5A32FA6C1} (GameDesire Pool 8) – http://67.15.101.3/g_bin/pl/billard8_2_0_0_21.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{C41805F9–C5CD–4B95–9DE3–B1F876EBC47E}: NameServer = 194.204.152.34,194.204.153.1
O17 – HKLM\System\CS1\Services\Tcpip\..\{C41805F9–C5CD–4B95–9DE3–B1F876EBC47E}: NameServer = 194.204.152.34,194.204.153.1
O17 – HKLM\System\CS2\Services\Tcpip\..\{C41805F9–C5CD–4B95–9DE3–B1F876EBC47E}: NameServer = 194.204.152.34,194.204.153.1
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Password Validation Service (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Norton AntiVirus Auto Protect Service (navapsvc) – Symantec Corporation – D:\Norton\Norton AntiVirus\navapsvc.exe
O23 – Service: Norton Unerase Protection (NProtectService) – Symantec Corporation – D:\Norton\Norton Utilities\NPROTECT.EXE
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
O23 – Service: ScriptBlocking Service (SBService) – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Speed Disk service – Symantec Corporation – D:\Norton\SPEEDD~1\nopdb.exe
Evcia
Added
27.03.2005 22:14:15
The file names are as in variant C, but never mind that
Look on the disk for a folder C:\Desktop
Is it there? It may be hidden, so tell the system to show those files

@MrStan - First download this little program and run it
Next, open Notepad and paste the following into it
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetTaskbar"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

Save it with the *.reg extension
Add it to the registry

+ as I wrote, if there is anything there, remove it from Control Panel >> Display Properties >> Desktop >> Customize Desktop >> Web
Bobi
Added
20.03.2005 22:07:22
I've already managed to get my computer into a more or less decent state, I mean everything is bloody great now, and that spyware isn't haxdoor.c but haxdoor.k ... Microsoft's anti-spyware removed it for me... now if only someone tells me how to remove the duplicate icons, it'll all be fine ...
emilos
Added
20.03.2005 02:27:53
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1 242 items found: 1 242 files, 0 directories.
Total of file sizes: 231 509 078 bytes 220,78 M

Administrator Account = True

––––––––––––––––––––End log–––––––––––––––––––––

I managed to run a scan with the little program and it seems it didn't find anything :)
MrStan
Added
20.03.2005 00:09:13
after deleting once again the files you listed a few posts above, the log looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 22:55:16, on 2005–03–19
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Opera7\Opera.exe
C:\Desktop\HijackThis.exe

O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O23 – Service: AntiVir Service (AntiVirService) – H+BEDV Datentechnik GmbH – C:\Program Files\AVPersonal\AVGUARD.EXE
O23 – Service: AntiVir Update (AVWUpSrv) – H+BEDV Datentechnik GmbH, Germany – C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 – Service: Kerio Personal Firewall 4 (KPF4) – Kerio Technologies – C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe


Everything's fine, everything's nice, but...
right-click doesn't work :P and there are still duplicate icons on the desktop (whatever I download gets doubled), I don't know what's causing it.
MrStan
Added
19.03.2005 23:56:40
And after scanning with mks the desktop came back, but there are duplicate icons on it, double-click doesn't work, and I don't really know how to use DllCompare, or else it doesn't detect anything,
so I don't know. I'll try once more in safe mode to remove that pesky file draw32.dll.
MrStan
Added
19.03.2005 23:35:30
That statement of yours is a bit odd, Mr. motorniczy
- are you suggesting the user has a pirated copy?
- install SP2... yeah, sure, same as formatting the disk. A statement on a similar level
- you'll find SP2 HERE
You praise what's foreign and don't know your own ;)
Ad@$
Added
19.03.2005 20:58:50
MrStan - A bit of advice from me :)

Install SP2, man. Without it your computer is as full of holes as XXX (don't know what to put here :P )

Of course you can install it if you have an original Windows; if not, tough luck :roll:


You'll find SP2 HERE
motorniczy10
Added
19.03.2005 17:37:52
Indeed this crud is tough to remove, but hold off on the format for now
Post a log from DllCompare, because something is clearly restoring the crud.
After a reboot, check whether the keys and files you delete come back

In Desktop Properties/Display/Customize Desktop/Web, check whether you have anything more than "my current..."
if so, delete it, but first write down the name for me
Bobi
Added
19.03.2005 17:23:17
I deleted those files, added that to the registry, did everything in safe mode, and after restarting it's the same (desktop, right-click). I think I'll do a format, because I've got no strength left :P
MrStan
Added
19.03.2005 17:13:16
I see we can't get on the same page, so I'll write it step by step

Hidden services are responsible for restoring that draw32.dll, so to get rid of the crud you first have to cut out those services and their files
Start the system in safe mode without networking.
Search the disk for the files:
vdt_16.exe, draw32.dll, vm.dll, vdnt32.sys, hm.sys, wd.sys, memlow.sys, p2.ini, i.a3d, dt163.dt, klogini.dll, redir.a3d, ps.a3d ... and if you find any of them, it automatically goes into outer space, i.e. the recycle bin.

Then, to cut the references to the crud out of the registry, in services, RUN ... you can use the little file prepared earlier, whose contents and instructions for handling it are in my previous post.
Adding this information to the registry should straighten out all the mess.

If you prefer a write-up in English, here's one straight from Symantec
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.c.html
Bobi
Added
19.03.2005 16:37:09
Logfile of HijackThis v1.99.1
Scan saved at 15:25:43, on 2005–03–19
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

OK, it seems clean now, but that draw32.dll is still there.

My wallpaper is black now, IE works and I changed the start page, but right-click doesn't work :D and it's terribly sluggish.
MrStan
Added
19.03.2005 16:28:16
Boot the system into Safe Mode.

Now delete the files and fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O4 - HKLM\..\Run: [Thj] C:\WINDOWS\Veq.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Ivm] C:\WINDOWS\System32\Cii.exe
O4 - HKLM\..\Run: [Tte] C:\WINDOWS\Tig.exe
O4 - HKLM\..\Run: [Lpe] C:\WINDOWS\System32\Liq.exe
O4 - HKLM\..\Run: [Hkk] C:\WINDOWS\Mif.exe
O4 - HKLM\..\Run: [Pds] C:\WINDOWS\Jvu.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Lpe] C:\WINDOWS\System32\Liq.exe
O4 - HKCU\..\Run: [Hkk] C:\WINDOWS\Mif.exe
O4 - HKCU\..\Run: [Pds] C:\WINDOWS\Jvu.exe
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll


Next, open Notepad and paste the following into it:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdnt32]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_VDNT32]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_MEMLOW]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"secboot"=-

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"Disable TrayIcon"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"StackSize"=-
"Impersonate"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion]
"hws"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\Memory Management]
"EnforceWriteProtect"=-
"hws"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtect"=-
"hws"=-

and save it with a .reg extension, then double-click it and confirm.
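As an added example (not code from any post in this thread), a small Python script that applies the checks MrStan's two posts describe to HijackThis log lines: an IE start page redirected to a bare IP, random three-letter Run entries such as [Thj] C:\WINDOWS\Veq.exe, and a Winlogon Notify DLL that is not a known Windows component (draw32.dll). Its second function implements motorniczy10's advice to compare a log taken after reboot against the earlier fix list and report which entries came back. The sample log lines and the Notify allowlist are constructed assumptions for this example.

```python
import re

# Constructed HijackThis-style lines modelled on the thread's entries (not a real
# scan): a start page hijacked to a bare IP, random three-letter Run entries and
# the draw32 Winlogon Notify hook, plus two benign entries for contrast.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://213.159.117.134/index.php
O4 - HKLM\\..\\Run: [AVGCtrl] C:\\Program Files\\AVPersonal\\AVGNT.EXE /min
O4 - HKLM\\..\\Run: [Thj] C:\\WINDOWS\\Veq.exe
O4 - HKCU\\..\\Run: [Lpe] C:\\WINDOWS\\System32\\Liq.exe
O20 - Winlogon Notify: draw32 - C:\\WINDOWS\\SYSTEM32\\draw32.dll
O20 - Winlogon Notify: crypt32chain - C:\\WINDOWS\\system32\\crypt32.dll
"""
# Constructed log from after a cleanup pass and reboot: only the Notify hook survived.
AFTER_REBOOT_LOG = """\
O4 - HKLM\\..\\Run: [AVGCtrl] C:\\Program Files\\AVPersonal\\AVGNT.EXE /min
O20 - Winlogon Notify: draw32 - C:\\WINDOWS\\SYSTEM32\\draw32.dll
"""
# Illustrative allowlist of Winlogon Notify DLLs shipped with Windows XP; an
# assumption for this example, not an exhaustive list.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "scecli.dll", "wlnotify.dll"}

R_LINE = re.compile(r"^R[013] - .*?,(?:Start Page|Default_Page_URL|Local Page) = (\S+)")
O4_LINE = re.compile(r"^O4 - .*?Run: \[([^\]]+)\] (.+)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: \S+ - (.+)$")
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")
RANDOM_NAME = re.compile(r"^[A-Z][a-z]{2}$")   # e.g. Thj, Lpe, Veq, Liq

def flag_entries(log_text):
    """Return (reason, line) pairs for entries matching the thread's infection pattern."""
    flagged = []
    for line in log_text.splitlines():
        if (m := R_LINE.match(line)) and BARE_IP_URL.match(m.group(1)):
            flagged.append(("start page points at a bare IP", line))
        elif m := O4_LINE.match(line):
            # Executable base name without directory, quotes or arguments.
            exe = re.search(r'([^\\"]+)\.exe', m.group(2), re.IGNORECASE)
            if RANDOM_NAME.match(m.group(1)) and exe and RANDOM_NAME.match(exe.group(1)):
                flagged.append(("random three-letter Run entry", line))
        elif m := O20_LINE.match(line):
            dll = m.group(1).rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                flagged.append(("Winlogon Notify DLL is not a known Windows component", line))
    return flagged

def returned_entries(fix_list, new_log_text):
    """Lines from an earlier fix list that appear again in a log taken after reboot."""
    wanted = {line.lower() for _, line in fix_list}
    return [line for line in new_log_text.splitlines() if line.lower() in wanted]
```

Run `flag_entries` on the first log to get the fix list, then `returned_entries(fix_list, later_log)` on a log taken after the reboot; anything it returns is being restored by something still running, which is exactly the case the thread is stuck on.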
Bobi
Added
19.03.2005 15:09:01
Logfile of HijackThis v1.99.1
Scan saved at 13:37:42, on 2005-03-19
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ErrorGuard\ErrorGuard.Exe
C:\WINDOWS\Veq.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [Thj] C:\WINDOWS\Veq.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Ivm] C:\WINDOWS\System32\Cii.exe
O4 - HKLM\..\Run: [Tte] C:\WINDOWS\Tig.exe
O4 - HKLM\..\Run: [Lpe] C:\WINDOWS\System32\Liq.exe
O4 - HKLM\..\Run: [Hkk] C:\WINDOWS\Mif.exe
O4 - HKLM\..\Run: [Pds] C:\WINDOWS\Jvu.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Lpe] C:\WINDOWS\System32\Liq.exe
O4 - HKCU\..\Run: [Hkk] C:\WINDOWS\Mif.exe
O4 - HKCU\..\Run: [Pds] C:\WINDOWS\Jvu.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


I deleted it as you told me.
The hosts file now looks like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP
# for Windows.
# This file contains the mappings of IP addresses to host names.
# Each entry should be kept on an individual line.
# The IP address should be placed in the first column, followed by
# the corresponding host name. The address and the name should be separated
# by at least one space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name, denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


But IE still doesn't work and the desktop is still there [I delete the desktop file, but it comes back]; neither right-click nor Ctrl+Alt+Delete works :/
MrStan
Added
19.03.2005 14:40:25
MrStan
Added:
18.03.2005 23:32:33
Comments:
20
Page 1 / 3