IE opens search pages by itself...
Hello!
At the start, over 1200 EXE files got downloaded into the Windows folder :shock: . Everything went haywire then. The computer stopped responding. The desktop behaved like one big shortcut. I deleted the files by tracking the modification and creation dates. Then, with HJT, I removed all the entries that looked suspicious to me. I scanned with AdWare Safe and Microsoft AntiSpyware, which removed some trojans etc. On top of that, the Symantec sites and those of the other popular antivirus vendors got blocked. In Norton AntiVirus 2004 the updates were blocked, so I did it by hand, downloading them on another computer and installing them on mine. It detected nothing.
My last problem :cry: is Internet Explorer opening by itself. It opens and loads some page. Example addresses are:
http://www.webbrokersuite.com/10119b.htm
http://c.azjmp.com/az/ch.php?f=433&i=1918&sub=improper&pop=&aux=&bypass=
http://www.whyppc.com/ppc.htm
Just now shortcuts were also created on the desktop:
"online dating"
"cheap online travel"
"free online music".
I have no idea how to deal with this "crap".
Please help.
Replies: 12
Everything is back to normal now. Only nobody told me, and I only just figured it out myself, that you also have to install the critical patches from Windows Update :) Thanks for all the advice. Now I know for myself how to recognize which files are bad. Regards!
I'm telling you, if you don't remove everything properly, the junk will come back under changed names.
Unplug the network cable.
This time to be weeded out:
Files:
2005-02-06 20:53 231791 dwstyle.dll
2005-02-06 20:52 229223 lt4027hmg.dll
2005-02-06 20:36 231791 lvp2097oe.dll
2005-02-06 20:34 231383 kzdcr.dll
Keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{837476FF-D385-4C1E-B12F-15B010FCE833}"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvp2097oe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
If you can, please take another look at what to delete from this this time, because it didn't work out for me last time :-/
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\SUNNY\Pulpit\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is System
Volume Serial Number is C8F9-AF7F
Directory of C:\WINDOWS\System32
2005-02-06 20:53 231791 dwstyle.dll
2005-02-06 20:52 229223 lt4027hmg.dll
2005-02-06 20:36 231791 lvp2097oe.dll
2005-02-06 20:34 231383 kzdcr.dll
2005-01-28 16:16 <DIR> dllcache
2005-01-26 14:27 <DIR> Microsoft
2004-10-03 16:09 1890 KGyGaAvL.sys
2004-10-03 16:09 56 529C9FBD5D.sys
6 File(s) 926134 bytes
2 Dir(s) 4990115840 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is System
Volume Serial Number is C8F9-AF7F
Directory of C:\WINDOWS\System32
2005-01-28 16:16 <DIR> dllcache
2004-10-03 16:09 1890 KGyGaAvL.sys
2004-10-03 16:09 56 529C9FBD5D.sys
2004-08-15 09:07 488 logonui.exe.manifest
2004-08-15 09:07 488 WindowsLogon.manifest
2004-08-15 09:07 749 nwc.cpl.manifest
2004-08-15 09:07 749 sapi.cpl.manifest
2004-08-15 09:07 749 ncpa.cpl.manifest
2004-08-15 09:07 749 cdplayer.exe.manifest
2004-08-15 09:07 749 wuaucpl.cpl.manifest
9 File(s) 6667 bytes
1 Dir(s) 4990111744 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is System
Volume Serial Number is C8F9-AF7F
Directory of C:\WINDOWS\System32
------ Temp Files in System32 Directory ------
Volume in drive C is System
Volume Serial Number is C8F9-AF7F
Directory of C:\WINDOWS\System32
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{837476FF-D385-4C1E-B12F-15B010FCE833}"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvp2097oe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"SoundMan"="SOUNDMAN.EXE"
"WCSE Mgr"=""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"DU Meter"="C:\\Program Files\\DU Meter\\DUMeter.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOptionalComponents\MSFS]
"Installed"="1"
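The triage a helper has to do on a FindIt log like the one above, written out as an added example (it is not a tool from this thread): parse the REGEDIT4 export of the Winlogon\Notify keys, flag any package that is not in the stock Windows XP set or whose DllName is a full path rather than a bare system DLL name, cross-check that DLL against the newly created files in System32, and list the other DLLs of the same size class, since Look2Me drops copies of one binary under random names. SAMPLE_LOG is trimmed from the log posted above; the STOCK_NOTIFY baseline and the 5000-byte sibling tolerance are assumptions.

```python
"""Triage of a FindIt (Find It NT-2K-XP) log for Look2Me-style Winlogon\\Notify persistence.

Added example, not a tool from the thread.  SAMPLE_LOG is trimmed from the log
posted above; STOCK_NOTIFY (the Notify packages a clean Windows XP ships with)
and the 5000-byte sibling tolerance are assumptions the checks rest on.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
------- System Files in System32 Directory -------
2005-02-06 20:53 231791 dwstyle.dll
2005-02-06 20:52 229223 lt4027hmg.dll
2005-02-06 20:36 231791 lvp2097oe.dll
2005-02-06 20:34 231383 kzdcr.dll
2004-10-03 16:09 1890 KGyGaAvL.sys
------------------ User Agent ----------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{837476FF-D385-4C1E-B12F-15B010FCE833}"=""
------------- Keys Under Notify -------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"DllName"="C:\\WINDOWS\\system32\\lvp2097oe.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"""

# Assumption: the Winlogon\Notify subkeys present on a stock Windows XP SP1/SP2.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +(\d+) +(\S+\.dll)$", re.I)
NOTIFY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
DLLNAME_RE = re.compile(r'^"DllName"=(.*)$', re.I)
GUID_VALUE_RE = re.compile(r'^"(\{[0-9A-F-]{36}\})"=', re.I)


def decode_reg_string(raw: str) -> str:
    """REGEDIT4 writes REG_SZ as "..." with backslashes doubled, and REG_EXPAND_SZ
    (how the stock packages store DllName) as hex(2): followed by the bytes."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.rstrip(b"\x00").decode("latin-1")
    return raw


@dataclass
class Triage:
    notify: list = field(default_factory=list)         # (subkey, dll, reasons)
    siblings: list = field(default_factory=list)       # new DLLs in the same size class
    post_platform: list = field(default_factory=list)  # GUID-named User Agent tokens


def triage(log: str, size_tolerance: int = 5000) -> Triage:
    result = Triage()
    files, packages, current, in_post_platform = {}, [], None, False
    for line in log.splitlines():
        if m := FILE_RE.match(line):
            files[m.group(3).lower()] = (m.group(1), int(m.group(2)))
        elif line.startswith("["):
            m = NOTIFY_RE.match(line)
            current = m.group(1) if m else None
            in_post_platform = line.lower().endswith("post platform]")
        elif (m := DLLNAME_RE.match(line)) and current:
            packages.append((current, decode_reg_string(m.group(1))))
        elif in_post_platform and (m := GUID_VALUE_RE.match(line)):
            # Legitimate Post Platform tokens read like "SV1" or ".NET CLR 1.1.4322";
            # a bare GUID there is the marker Look2Me leaves behind.
            result.post_platform.append(m.group(1))

    for name, dll in packages:
        reasons = []
        if name not in STOCK_NOTIFY:
            reasons.append("subkey is not in the stock XP Notify set")
        if "\\" in dll:
            reasons.append("DllName is a full path; stock packages use a bare name")
        base = dll.rsplit("\\", 1)[-1].lower()
        if base in files:
            stamp, size = files[base]
            reasons.append(f"DLL is among the new System32 files ({stamp}, {size} bytes)")
            # Look2Me drops copies of one binary under random names: same size
            # class, same day.  Everything within the tolerance is a sibling.
            result.siblings = sorted(f for f, (_, s) in files.items()
                                     if abs(s - size) <= size_tolerance)
        if reasons:
            result.notify.append((name, dll, reasons))
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    for name, dll, reasons in t.notify:
        print(f"Notify\\{name} -> {dll}\n    " + "\n    ".join(reasons))
    print("sibling DLLs:", ", ".join(t.siblings))
    print("Post Platform GUIDs:", ", ".join(t.post_platform))
```

On the excerpt this flags only MS-DOS Emulation (lvp2097oe.dll), returns all four new DLLs as siblings and surfaces the GUID-named Post Platform value, which is exactly the removal list the helper posted. The hex(2) decoder matters: the stock packages store DllName as REG_EXPAND_SZ, which regedit exports as a byte list, so a naive string match on "DllName" would miss or misread them.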
Disable System Restore.
Boot the system into Safe Mode, with no network.
Now delete:
hrju0519e.dll
kt4ul7h91.dll
g6lmlg3116.dll
p6n8lg5u16.dll
k0440ahqed4e0.dll
lvn2095oe.dll
lv4209hoe.dll
en44l1hq1.dll
lv2209foe.dll
q0rq0a95ed.dll
kt8sl7l71.dll
m0nq0a55ed.dll
hrrq0595e.dll
hrp8057ue.dll
m6rmlg9116.dll
hr0q05d5e.dll
l48m0el1ehq.dll
hr6405jqe.dll
ennql1551.dll
c4000edmeh0a0.dll
kt88l7lu1.dll
g604lgdq160e.dll
In the registry, delete:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{837476FF-D385-4C1E-B12F-15B010FCE833}"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g6lmlg3116.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
You may have trouble finding those libraries; use KillBox.
FindIt log:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\SUNNY\Pulpit\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is System
Volume Serial Number is C8F9-AF7F
Directory of C:\WINDOWS\System32
2005-02-06 09:37 229773 hrju0519e.dll
2005-02-05 21:59 228823 kt4ul7h91.dll
2005-02-05 21:59 228768 g6lmlg3116.dll
2005-02-05 21:46 229738 p6n8lg5u16.dll
2005-02-05 20:46 228968 k0440ahqed4e0.dll
2005-02-05 14:44 229358 lvn2095oe.dll
2005-02-05 14:44 229217 lv4209hoe.dll
2005-02-05 14:32 229668 en44l1hq1.dll
2005-02-05 14:32 229197 lv2209foe.dll
2005-02-05 00:39 228968 q0rq0a95ed.dll
2005-02-04 22:16 230304 kt8sl7l71.dll
2005-02-04 22:15 231526 m0nq0a55ed.dll
2005-02-04 10:32 232186 hrrq0595e.dll
2005-02-04 10:32 228637 hrp8057ue.dll
2005-02-03 23:14 229725 m6rmlg9116.dll
2005-01-31 11:06 229661 hr0q05d5e.dll
2005-01-31 09:18 230948 l48m0el1ehq.dll
2005-01-31 09:18 229621 hr6405jqe.dll
2005-01-30 10:06 228975 ennql1551.dll
2005-01-29 11:47 231551 c4000edmeh0a0.dll
2005-01-29 11:38 231042 kt88l7lu1.dll
2005-01-28 16:16 <DIR> dllcache
2005-01-26 14:39 228574 g604lgdq160e.dll
2005-01-26 14:27 <DIR> Microsoft
2004-10-03 16:09 1890 KGyGaAvL.sys
2004-10-03 16:09 56 529C9FBD5D.sys
24 File(s) 5057174 bytes
2 Dir(s) 4986564608 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is System
Volume Serial Number is C8F9-AF7F
Directory of C:\WINDOWS\System32
2005-01-28 16:16 <DIR> dllcache
2004-10-03 16:09 1890 KGyGaAvL.sys
2004-10-03 16:09 56 529C9FBD5D.sys
2004-08-15 09:07 488 logonui.exe.manifest
2004-08-15 09:07 488 WindowsLogon.manifest
2004-08-15 09:07 749 nwc.cpl.manifest
2004-08-15 09:07 749 sapi.cpl.manifest
2004-08-15 09:07 749 ncpa.cpl.manifest
2004-08-15 09:07 749 cdplayer.exe.manifest
2004-08-15 09:07 749 wuaucpl.cpl.manifest
9 File(s) 6667 bytes
1 Dir(s) 4986564608 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is System
Volume Serial Number is C8F9-AF7F
Directory of C:\WINDOWS\System32
2005-02-06 09:45 229088 guard.tmp
1 File(s) 229088 bytes
0 Dir(s) 4986564608 bytes free
------ Temp Files in System32 Directory ------
Volume in drive C is System
Volume Serial Number is C8F9-AF7F
Directory of C:\WINDOWS\System32
2005-02-06 09:45 229088 guard.tmp
1 File(s) 229088 bytes
0 Dir(s) 4986564608 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{837476FF-D385-4C1E-B12F-15B010FCE833}"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g6lmlg3116.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"SoundMan"="SOUNDMAN.EXE"
"WCSE Mgr"=""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"DU Meter"="C:\\Program Files\\DU Meter\\DUMeter.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOptionalComponents\MSFS]
"Installed"="1"
Where do I download it from?? :(
In that case:
Bobi_robert: If that doesn't work then
Download FindIt and show us the log from that program
I deleted the file and the entries too. Symantec Spyware.Look2Me Removal reports that there is nothing.
And the pages are opening more and more frequently.
In LSPfix what remained was:
mswsock.dll (TCP/IP)
winrnr.dll (NTDS)
rsvpsp (Protocol handler)
Logfile of HijackThis v1.99.0
Scan saved at 15:04:32, on 2005-02-05
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\SUNNY\Pulpit\FxSpL2Me.exe
C:\Documents and Settings\SUNNY\Pulpit\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107552381711
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Usługa Auto Protect programu Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Even after removing:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
they come back anyway. :(
So you have VX2.
These entries:
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
Remove them as follows:
Download the tool from Symantec
:arrow: http://securityresponse.symantec.com/avcenter/FxSpL2Me.exe
Or Ad-aware and the VX2 Cleaner plugin.
If that fails,
download FindIt and show us the log from that program.
Delete the file winlspak.dll
Fix:
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
After everything, download lspfix.
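As an added illustration (not code from this thread or from any of the tools mentioned in it), here is a small Python triage script that parses the O1 and O10 lines of a HijackThis log like the ones posted above and reports hosts-file entries redirected to a non-local address plus unknown Winsock LSP files; the sample log below is constructed from the entries quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample, modelled on the HijackThis lines quoted in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.onet.pl/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\winlspak.dll
"""

# Addresses a legitimate (e.g. ad-blocking) hosts file maps names to.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s+(.+?)\s*$")


def parse_hjt(text):
    """Return (hosts_entries, lsp_files) extracted from HijackThis log text.
    hosts_entries is a list of (ip, hostname); lsp_files a list of paths."""
    hosts, lsps = [], []
    for line in text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).lower()))
            continue
        m = LSP_RE.match(line)
        if m:
            lsps.append(m.group(1).lower())
    return hosts, lsps


def hosts_hijacks(hosts):
    """Hosts entries that send a name somewhere other than the local machine.
    'ieautosearch' and the MSN/Netscape search names are what IE consults for
    its auto-search, so pointing them at a public IP redirects every failed
    address-bar lookup to that server."""
    return [(ip, name) for ip, name in hosts if ip not in LOCAL_ADDRESSES]


def triage(text):
    """Summarise the redirect targets and unknown LSP files found in a log."""
    hosts, lsps = parse_hjt(text)
    hijacks = hosts_hijacks(hosts)
    return {
        "redirected_names": sorted({name for _, name in hijacks}),
        "redirect_targets": dict(Counter(ip for ip, _ in hijacks)),
        "unknown_lsp_files": sorted(set(lsps)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved log (read the file into `triage`) to get the same three lists; a non-empty `unknown_lsp_files` list is exactly the case where the thread advises LSPfix, because deleting an LSP DLL without repairing the Winsock chain breaks networking.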
Logfile of HijackThis v1.99.0
Scan saved at 16:37:03, on 2005-02-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\SUNNY\Pulpit\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Usługa Auto Protect programu Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
It would probably be best to show/copy your HJT log here, because you most likely have a modified HOSTS file, and some junk may have remained as well.