Kłopoty zapewne zmasowany atak wirusów i innych paści
Daje loga z hijacka, plik winssh.exe jest chocby niewidoczny nie moge go znalezc.
Logfile of HijackThis v1.99.1
Scan saved at 00:55:44, on 2005–07–20
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\SYSTEM32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\MKS\Bin\NetMonSV.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
E:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
E:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\nutsrv4.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
E:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\MKS\Bin\mks_menu.exe
E:\PROGRA~1\WANADOO\TaskbarIcon.exe
E:\WINDOWS\System32\mouse.exe
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\WINDOWS\System32\winssh.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Gadu–Gadu\gg.exe
C:\program files\WINZIP\WZQKPICK.EXE
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\Program Files\Wanadoo\EspaceWanadoo.exe
E:\Program Files\Wanadoo\ComComp.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
E:\Program Files\Wanadoo\Watch.exe
E:\Program Files\ISTsvc\istsvc.exe
E:\WINDOWS\lhpeg.exe
E:\Program Files\Internet Optimizer\optimize.exe
E:\Program Files\BullsEye Network\bin\bargains.exe
E:\WINDOWS\System32\wuamkop32.exe
E:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Outlook Express\msimn.exe
E:\Program Files\Internet Explorer\iexplore.exe
D:\instalki\Hijack This\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://E:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – Default URLSearchHook is missing
O2 – BHO: BHObj Class – {00000010–6F7D–442C–93E3–4A4827C2E4C8} – E:\WINDOWS\nem220.dll
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – E:\Program Files\Spybot – Search & Destroy\SDHelper.dll
O2 – BHO: BAHelper Class – {A3FDD654–A057–4971–9844–4ED8E67DBBB8} – E:\Program Files\SideFind\sfbho.dll
O2 – BHO: (no name) – {A5366673–E8CA–11D3–9CD9–0090271D075B} – (no file)
O2 – BHO: Google Toolbar Helper – {AA58ED58–01DD–4d91–8333–CF10577473F7} – e:\program files\google\googletoolbar2.dll
O2 – BHO: ADP UrlCatcher Class – {F4E04583–354E–4076–BE7D–ED6A80FD66DA} – E:\WINDOWS\System32\msbe.dll
O3 – Toolbar: &Google – {2318C2B1–4965–11d4–9B18–009027A5CD4F} – e:\program files\google\googletoolbar2.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – E:\WINDOWS\System32\msdxm.ocx
O3 – Toolbar: ISTbar – {FAA356E4–D317–42a6–AB41–A3021C6E7D52} – E:\Program Files\ISTbar\istbarcm.dll
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [WheelMouse] E:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 – HKLM\..\Run: [iKeyWorks] E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 – HKLM\..\Run: [wpkontakt] E:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe –autostart
O4 – HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" –osboot
O4 – HKLM\..\Run: [MKS_MENU] E:\Program Files\MKS\Bin\mks_menu.exe
O4 – HKLM\..\Run: [WOOWATCH] E:\PROGRA~1\WANADOO\Watch.exe
O4 – HKLM\..\Run: [WOOTASKBARICON] E:\PROGRA~1\WANADOO\TaskbarIcon.exe
O4 – HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 – HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – HKLM\..\Run: [IST Service] E:\Program Files\ISTsvc\istsvc.exe
O4 – HKLM\..\Run: [EOJ4BX2] E:\WINDOWS\lhpeg.exe
O4 – HKLM\..\Run: [Internet Optimizer] "E:\Program Files\Internet Optimizer\optimize.exe"
O4 – HKLM\..\Run: [BullsEye Network] E:\Program Files\BullsEye Network\bin\bargains.exe
O4 – HKLM\..\Run: [Power Scan] E:\Program Files\Power Scan\powerscan.exe
O4 – HKLM\..\Run: [Microsoft Update] wuamkop32.exe
O4 – HKLM\..\Run: [Network Access] winssh.exe
O4 – HKLM\..\Run: [BHR3] E:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
O4 – HKLM\..\RunServices: [RecycleSTR] msreg32.exe
O4 – HKLM\..\RunServices: [microsft windows updates] mwupdate32.exe
O4 – HKLM\..\RunServices: [Microsoft Update] wuamkop32.exe
O4 – HKLM\..\RunServices: [Network Access] winssh.exe
O4 – HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 – HKCU\..\Run: [Gadu–Gadu] "E:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – Global Startup: WinZip Quick Pick.lnk = C:\program files\WINZIP\WZQKPICK.EXE
O8 – Extra context menu item: &Google Search – res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 – Extra context menu item: Backward Links – res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 – Extra context menu item: Cached Snapshot of Page – res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 – Extra context menu item: Download All by FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_link.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 – Extra context menu item: Similar Pages – res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 – Extra context menu item: Translate into English – res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra button: SideFind – {10E42047–DEB9–4535–A118–B3F6EC39B807} – E:\Program Files\SideFind\sidefind.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 – Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 – Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 – DPF: {99410CDE–6F16–42ce–9D49–3807F78F0287} (ClientInstaller Class) – http://www.180searchassistant.com/180saax.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{6AE58D8B–7C90–4721–ABF6–ECB0D4C94F28}: NameServer = 194.204.152.34 217.98.63.164
O18 – Protocol: ms–help – {314111C7–A502–11D2–BBCA–00C04F8EC294} – E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 – Protocol: wpmsg – {2E0AC5A0–3597–11D6–B3ED–0001021DC1C3} – E:\Program Files\Wirtualna Polska\wpkontakt\url_wpmsg.dll
O20 – Winlogon Notify: drct16 – drct16.dll (file missing)
O23 – Service: ArcaBit NetMonitor (ABNetMon) – ArcaBit sp. z o.o. – E:\Program Files\MKS\Bin\NetMonSV.exe
O23 – Service: ASP.NET Admin Service (aspnet_admin) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 – Service: ASP.NET State Service (aspnet_state) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_state.exe (file missing)
O23 – Service: Aplikacja systemowa modelu COM+ (COMSysApp) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: FLEXlm License Manager – Unknown owner – E:\Program Files\Rational1\common\lmgrd.exe
O23 – Service: Provides three management service (FreeBSD) – Unknown owner – E:\WINDOWS\System32\dev32.exe (file missing)
O23 – Service: Debug oupost relations (LAGOS) – Unknown owner – E:\WINDOWS\System32\ahtun.exe (file missing)
O23 – Service: NuTCRACKER Service (NuTCRACKERService) – DataFocus, Inc. – E:\WINDOWS\System32\nutsrv4.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – Unknown owner – E:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 – Service: Pml Driver HPZ12 – HP – E:\WINDOWS\System32\HPZipm12.exe
O23 – Service: MS Software Shadow Copy Provider (SwPrv) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: SecuROM User Access Service (V7) (UserAccess7) – Unknown owner – E:\WINDOWS\System32\UAService7.exe (file missing)
Logfile of HijackThis v1.99.1
Scan saved at 00:55:44, on 2005–07–20
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\SYSTEM32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\MKS\Bin\NetMonSV.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
E:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
E:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\nutsrv4.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
E:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\MKS\Bin\mks_menu.exe
E:\PROGRA~1\WANADOO\TaskbarIcon.exe
E:\WINDOWS\System32\mouse.exe
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\WINDOWS\System32\winssh.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Gadu–Gadu\gg.exe
C:\program files\WINZIP\WZQKPICK.EXE
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\Program Files\Wanadoo\EspaceWanadoo.exe
E:\Program Files\Wanadoo\ComComp.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
E:\Program Files\Wanadoo\Watch.exe
E:\Program Files\ISTsvc\istsvc.exe
E:\WINDOWS\lhpeg.exe
E:\Program Files\Internet Optimizer\optimize.exe
E:\Program Files\BullsEye Network\bin\bargains.exe
E:\WINDOWS\System32\wuamkop32.exe
E:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Outlook Express\msimn.exe
E:\Program Files\Internet Explorer\iexplore.exe
D:\instalki\Hijack This\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://E:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – Default URLSearchHook is missing
O2 – BHO: BHObj Class – {00000010–6F7D–442C–93E3–4A4827C2E4C8} – E:\WINDOWS\nem220.dll
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – E:\Program Files\Spybot – Search & Destroy\SDHelper.dll
O2 – BHO: BAHelper Class – {A3FDD654–A057–4971–9844–4ED8E67DBBB8} – E:\Program Files\SideFind\sfbho.dll
O2 – BHO: (no name) – {A5366673–E8CA–11D3–9CD9–0090271D075B} – (no file)
O2 – BHO: Google Toolbar Helper – {AA58ED58–01DD–4d91–8333–CF10577473F7} – e:\program files\google\googletoolbar2.dll
O2 – BHO: ADP UrlCatcher Class – {F4E04583–354E–4076–BE7D–ED6A80FD66DA} – E:\WINDOWS\System32\msbe.dll
O3 – Toolbar: &Google – {2318C2B1–4965–11d4–9B18–009027A5CD4F} – e:\program files\google\googletoolbar2.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – E:\WINDOWS\System32\msdxm.ocx
O3 – Toolbar: ISTbar – {FAA356E4–D317–42a6–AB41–A3021C6E7D52} – E:\Program Files\ISTbar\istbarcm.dll
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [WheelMouse] E:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 – HKLM\..\Run: [iKeyWorks] E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 – HKLM\..\Run: [wpkontakt] E:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe –autostart
O4 – HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" –osboot
O4 – HKLM\..\Run: [MKS_MENU] E:\Program Files\MKS\Bin\mks_menu.exe
O4 – HKLM\..\Run: [WOOWATCH] E:\PROGRA~1\WANADOO\Watch.exe
O4 – HKLM\..\Run: [WOOTASKBARICON] E:\PROGRA~1\WANADOO\TaskbarIcon.exe
O4 – HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 – HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – HKLM\..\Run: [IST Service] E:\Program Files\ISTsvc\istsvc.exe
O4 – HKLM\..\Run: [EOJ4BX2] E:\WINDOWS\lhpeg.exe
O4 – HKLM\..\Run: [Internet Optimizer] "E:\Program Files\Internet Optimizer\optimize.exe"
O4 – HKLM\..\Run: [BullsEye Network] E:\Program Files\BullsEye Network\bin\bargains.exe
O4 – HKLM\..\Run: [Power Scan] E:\Program Files\Power Scan\powerscan.exe
O4 – HKLM\..\Run: [Microsoft Update] wuamkop32.exe
O4 – HKLM\..\Run: [Network Access] winssh.exe
O4 – HKLM\..\Run: [BHR3] E:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
O4 – HKLM\..\RunServices: [RecycleSTR] msreg32.exe
O4 – HKLM\..\RunServices: [microsft windows updates] mwupdate32.exe
O4 – HKLM\..\RunServices: [Microsoft Update] wuamkop32.exe
O4 – HKLM\..\RunServices: [Network Access] winssh.exe
O4 – HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 – HKCU\..\Run: [Gadu–Gadu] "E:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – Global Startup: WinZip Quick Pick.lnk = C:\program files\WINZIP\WZQKPICK.EXE
O8 – Extra context menu item: &Google Search – res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 – Extra context menu item: Backward Links – res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 – Extra context menu item: Cached Snapshot of Page – res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 – Extra context menu item: Download All by FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_link.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 – Extra context menu item: Similar Pages – res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 – Extra context menu item: Translate into English – res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra button: SideFind – {10E42047–DEB9–4535–A118–B3F6EC39B807} – E:\Program Files\SideFind\sidefind.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 – Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 – Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 – DPF: {99410CDE–6F16–42ce–9D49–3807F78F0287} (ClientInstaller Class) – http://www.180searchassistant.com/180saax.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{6AE58D8B–7C90–4721–ABF6–ECB0D4C94F28}: NameServer = 194.204.152.34 217.98.63.164
O18 – Protocol: ms–help – {314111C7–A502–11D2–BBCA–00C04F8EC294} – E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 – Protocol: wpmsg – {2E0AC5A0–3597–11D6–B3ED–0001021DC1C3} – E:\Program Files\Wirtualna Polska\wpkontakt\url_wpmsg.dll
O20 – Winlogon Notify: drct16 – drct16.dll (file missing)
O23 – Service: ArcaBit NetMonitor (ABNetMon) – ArcaBit sp. z o.o. – E:\Program Files\MKS\Bin\NetMonSV.exe
O23 – Service: ASP.NET Admin Service (aspnet_admin) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 – Service: ASP.NET State Service (aspnet_state) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_state.exe (file missing)
O23 – Service: Aplikacja systemowa modelu COM+ (COMSysApp) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: FLEXlm License Manager – Unknown owner – E:\Program Files\Rational1\common\lmgrd.exe
O23 – Service: Provides three management service (FreeBSD) – Unknown owner – E:\WINDOWS\System32\dev32.exe (file missing)
O23 – Service: Debug oupost relations (LAGOS) – Unknown owner – E:\WINDOWS\System32\ahtun.exe (file missing)
O23 – Service: NuTCRACKER Service (NuTCRACKERService) – DataFocus, Inc. – E:\WINDOWS\System32\nutsrv4.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – Unknown owner – E:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 – Service: Pml Driver HPZ12 – HP – E:\WINDOWS\System32\HPZipm12.exe
O23 – Service: MS Software Shadow Copy Provider (SwPrv) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: SecuROM User Access Service (V7) (UserAccess7) – Unknown owner – E:\WINDOWS\System32\UAService7.exe (file missing)
Odpowiedzi: 12
No chyba sie tego pozbyłem. Bobi wielkie dzieki za pomoc, to ostatnio swinstwo usunalem za pomoca nailfix.cmd Mam jeszcze jeden mały problem po tych przejsciach chcialem sobie wlaczyc zapore internetowa, ta z windowsa, ale mi cos pisze źe nie mozna uzyc dostępu współdzielonego zna sie ktos na tym ??
Aha i jeszcze log tak dla pewnosci :))
Logfile of HijackThis v1.99.1
Scan saved at 00:19:03, on 2005–07–21
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\SYSTEM32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\MKS\Bin\NetMonSV.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
E:\WINDOWS\System32\tcpsvcs.exe
E:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\nutsrv4.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Wanadoo\EspaceWanadoo.exe
E:\Program Files\Wanadoo\ComComp.exe
E:\Program Files\Wanadoo\Watch.exe
E:\WINDOWS\system32\cmd.exe
E:\Program Files\Mozilla Firefox\firefox.exe
D:\instalki\Hijack This\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – E:\Program Files\Spybot – Search & Destroy\SDHelper.dll
O8 – Extra context menu item: Download All by FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_link.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 – Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 – HKLM\System\CCS\Services\Tcpip\..\{6AE58D8B–7C90–4721–ABF6–ECB0D4C94F28}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: ArcaBit NetMonitor (ABNetMon) – ArcaBit sp. z o.o. – E:\Program Files\MKS\Bin\NetMonSV.exe
O23 – Service: ASP.NET Admin Service (aspnet_admin) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 – Service: ASP.NET State Service (aspnet_state) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_state.exe (file missing)
O23 – Service: Aplikacja systemowa modelu COM+ (COMSysApp) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: Hardware Clock Driver (hwclock) – Unknown owner – E:\WINDOWS\System32\hwclock.exe
O23 – Service: NuTCRACKER Service (NuTCRACKERService) – DataFocus, Inc. – E:\WINDOWS\System32\nutsrv4.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – Unknown owner – E:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 – Service: MS Software Shadow Copy Provider (SwPrv) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: SecuROM User Access Service (V7) (UserAccess7) – Unknown owner – E:\WINDOWS\System32\UAService7.exe (file missing)
Aha i jeszcze log tak dla pewnosci :))
Logfile of HijackThis v1.99.1
Scan saved at 00:19:03, on 2005–07–21
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\SYSTEM32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\MKS\Bin\NetMonSV.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
E:\WINDOWS\System32\tcpsvcs.exe
E:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\nutsrv4.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Wanadoo\EspaceWanadoo.exe
E:\Program Files\Wanadoo\ComComp.exe
E:\Program Files\Wanadoo\Watch.exe
E:\WINDOWS\system32\cmd.exe
E:\Program Files\Mozilla Firefox\firefox.exe
D:\instalki\Hijack This\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – E:\Program Files\Spybot – Search & Destroy\SDHelper.dll
O8 – Extra context menu item: Download All by FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_link.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 – Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 – HKLM\System\CCS\Services\Tcpip\..\{6AE58D8B–7C90–4721–ABF6–ECB0D4C94F28}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: ArcaBit NetMonitor (ABNetMon) – ArcaBit sp. z o.o. – E:\Program Files\MKS\Bin\NetMonSV.exe
O23 – Service: ASP.NET Admin Service (aspnet_admin) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 – Service: ASP.NET State Service (aspnet_state) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_state.exe (file missing)
O23 – Service: Aplikacja systemowa modelu COM+ (COMSysApp) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: Hardware Clock Driver (hwclock) – Unknown owner – E:\WINDOWS\System32\hwclock.exe
O23 – Service: NuTCRACKER Service (NuTCRACKERService) – DataFocus, Inc. – E:\WINDOWS\System32\nutsrv4.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – Unknown owner – E:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 – Service: MS Software Shadow Copy Provider (SwPrv) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: SecuROM User Access Service (V7) (UserAccess7) – Unknown owner – E:\WINDOWS\System32\UAService7.exe (file missing)
Uparta bestia, odpal więc komputer z płyty systemowej i uruchom konsole odzyskiwania.
Przejdz komendą cd do katalogu system32 i ubij plik komenda del
Nie ma bata teraz musi sobie opduścić.
BTW, nie mogłeś poczekać chwile jak literówki w poście poprawie ? :P
Update: Teraz doczytalem, posłanca z services.msc wyłącz, tryb uruchamiania na wyłączony.
Przejdz komendą cd do katalogu system32 i ubij plik komenda del
Nie ma bata teraz musi sobie opduścić.
BTW, nie mogłeś poczekać chwile jak literówki w poście poprawie ? :P
Update: Teraz doczytalem, posłanca z services.msc wyłącz, tryb uruchamiania na wyłączony.
Mam problem z usunieciem wuamkop32.exe ten proces jest takze aktywny w trybie awaryjnym na dodatek jak go wyłacze na jego miejsce ładuje sie inny proces, plik tez jest zastepowany. Skanuje czym sie da i nic .
e:\windows\system32\swcpbdc.exe
E:\WINDOWS\System32\wuamkop32.exe
F2 – REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O4 – HKLM\..\Run: [kscefk] e:\windows\system32\swcpbdc.exe r
O4 – HKLM\..\Run: [Microsoft Update] wuamkop32.exe
O4 – HKLM\..\RunServices: [Microsoft Update] wuamkop32.exe
O23 – Service: System Startup Service (SvcProc) – Unknown owner – E:\WINDOWS\svcproc.exe
To teraz masz zawirusowane dwa systemy jakbyś nie wiedział.
Usługe spod 023 usun przy pomocy wiersza poleceń komendami sc, przyklad powyźej
Reszta plikow z dysku znika, najpierw pozamykaj procesy – dwie pierwsze pozycje z listy powyźej.
Antywirusa masz zamiar instalować ? Na co czekasz ?
Bez niego to w kółko bedzie kupe syfu.
Co do userinitu, a nie mówiłem :wink:
Miałes racje zapomnialem ze usuwalem jeszcze plik userinit teraz windows chodzi ale dalej jest zainfekowany jakby ktos mogl jeszcze raz pzejrzec loga do tego pojawia sie jeszcze jakis message box Usługa Posłaniec
Logfile of HijackThis v1.99.1
Scan saved at 16:30:39, on 2005–07–20
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\SYSTEM32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
E:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\MKS\Bin\mks_menu.exe
E:\PROGRA~1\WANADOO\TaskbarIcon.exe
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
E:\Program Files\MKS\Bin\NetMonSV.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
E:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
E:\WINDOWS\System32\svchost.exe
e:\windows\system32\swcpbdc.exe
E:\WINDOWS\System32\nutsrv4.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
E:\Program Files\Wanadoo\EspaceWanadoo.exe
E:\Program Files\Wanadoo\ComComp.exe
E:\Program Files\Wanadoo\Watch.exe
E:\WINDOWS\System32\wuamkop32.exe
E:\WINDOWS\System32\dwwin.exe
E:\WINDOWS\System32\dwwin.exe
E:\WINDOWS\System32\dwwin.exe
E:\WINDOWS\System32\dwwin.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\System32\taskmgr.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Messenger\msmsgs.exe
D:\instalki\Hijack This\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 – REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – E:\Program Files\Spybot – Search & Destroy\SDHelper.dll
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [WheelMouse] E:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 – HKLM\..\Run: [iKeyWorks] E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 – HKLM\..\Run: [wpkontakt] E:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe –autostart
O4 – HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" –osboot
O4 – HKLM\..\Run: [MKS_MENU] E:\Program Files\MKS\Bin\mks_menu.exe
O4 – HKLM\..\Run: [WOOWATCH] E:\PROGRA~1\WANADOO\Watch.exe
O4 – HKLM\..\Run: [WOOTASKBARICON] E:\PROGRA~1\WANADOO\TaskbarIcon.exe
O4 – HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 – HKLM\..\Run: [BHR3] E:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
O4 – HKLM\..\Run: [kscefk] e:\windows\system32\swcpbdc.exe r
O4 – HKLM\..\Run: [Microsoft Update] wuamkop32.exe
O4 – HKLM\..\RunServices: [Microsoft Update] wuamkop32.exe
O4 – HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O8 – Extra context menu item: Download All by FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_link.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 – Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 – HKLM\System\CCS\Services\Tcpip\..\{6AE58D8B–7C90–4721–ABF6–ECB0D4C94F28}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: ArcaBit NetMonitor (ABNetMon) – ArcaBit sp. z o.o. – E:\Program Files\MKS\Bin\NetMonSV.exe
O23 – Service: ASP.NET Admin Service (aspnet_admin) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 – Service: ASP.NET State Service (aspnet_state) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_state.exe (file missing)
O23 – Service: Aplikacja systemowa modelu COM+ (COMSysApp) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: NuTCRACKER Service (NuTCRACKERService) – DataFocus, Inc. – E:\WINDOWS\System32\nutsrv4.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – Unknown owner – E:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 – Service: System Startup Service (SvcProc) – Unknown owner – E:\WINDOWS\svcproc.exe
O23 – Service: MS Software Shadow Copy Provider (SwPrv) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: SecuROM User Access Service (V7) (UserAccess7) – Unknown owner – E:\WINDOWS\System32\UAService7.exe (file missing)
Wielkie Dzieki
Logfile of HijackThis v1.99.1
Scan saved at 16:30:39, on 2005–07–20
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\SYSTEM32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
E:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\MKS\Bin\mks_menu.exe
E:\PROGRA~1\WANADOO\TaskbarIcon.exe
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
E:\Program Files\MKS\Bin\NetMonSV.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
E:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
E:\WINDOWS\System32\svchost.exe
e:\windows\system32\swcpbdc.exe
E:\WINDOWS\System32\nutsrv4.exe
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
E:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
E:\Program Files\Wanadoo\EspaceWanadoo.exe
E:\Program Files\Wanadoo\ComComp.exe
E:\Program Files\Wanadoo\Watch.exe
E:\WINDOWS\System32\wuamkop32.exe
E:\WINDOWS\System32\dwwin.exe
E:\WINDOWS\System32\dwwin.exe
E:\WINDOWS\System32\dwwin.exe
E:\WINDOWS\System32\dwwin.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\System32\taskmgr.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Messenger\msmsgs.exe
D:\instalki\Hijack This\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 – REG:system.ini: Shell=Explorer.exe E:\WINDOWS\Nail.exe
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – E:\Program Files\Spybot – Search & Destroy\SDHelper.dll
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [WheelMouse] E:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 – HKLM\..\Run: [iKeyWorks] E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 – HKLM\..\Run: [wpkontakt] E:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe –autostart
O4 – HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" –osboot
O4 – HKLM\..\Run: [MKS_MENU] E:\Program Files\MKS\Bin\mks_menu.exe
O4 – HKLM\..\Run: [WOOWATCH] E:\PROGRA~1\WANADOO\Watch.exe
O4 – HKLM\..\Run: [WOOTASKBARICON] E:\PROGRA~1\WANADOO\TaskbarIcon.exe
O4 – HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 – HKLM\..\Run: [BHR3] E:\Program Files\Zamaan's Software\Browser Hijack Retaliator 3\BHR3.exe
O4 – HKLM\..\Run: [kscefk] e:\windows\system32\swcpbdc.exe r
O4 – HKLM\..\Run: [Microsoft Update] wuamkop32.exe
O4 – HKLM\..\RunServices: [Microsoft Update] wuamkop32.exe
O4 – HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O8 – Extra context menu item: Download All by FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – \\Rafa–fahdvkbj3o\ rafał c (C)\programy\FLASHGET\jc_link.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 – Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 – HKLM\System\CCS\Services\Tcpip\..\{6AE58D8B–7C90–4721–ABF6–ECB0D4C94F28}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: ArcaBit NetMonitor (ABNetMon) – ArcaBit sp. z o.o. – E:\Program Files\MKS\Bin\NetMonSV.exe
O23 – Service: ASP.NET Admin Service (aspnet_admin) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 – Service: ASP.NET State Service (aspnet_state) – Unknown owner – E:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_state.exe (file missing)
O23 – Service: Aplikacja systemowa modelu COM+ (COMSysApp) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: NuTCRACKER Service (NuTCRACKERService) – DataFocus, Inc. – E:\WINDOWS\System32\nutsrv4.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – Unknown owner – E:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 – Service: System Startup Service (SvcProc) – Unknown owner – E:\WINDOWS\svcproc.exe
O23 – Service: MS Software Shadow Copy Provider (SwPrv) – Unknown owner – E:\WINDOWS\System32\dllhost.exe (file missing)
O23 – Service: SecuROM User Access Service (V7) (UserAccess7) – Unknown owner – E:\WINDOWS\System32\UAService7.exe (file missing)
Wielkie Dzieki
http://support.microsoft.com/?kbid=314474
Niestety te podmiany nic nie pomogły caly czas wysakuje blue screen systemroot/system32/ntdll.dll hard errora windows dalej sie nie laduje
O expandzie duzo informacji znajdziesz w windowsowym helpie.
A niech strace:
expand X:\i386\dwwin.ex_ C:\Windows\system32\dwwin.exe
Za X: podstaw litere napędu, C: to litera partycji systemowej.
Jak przywrócić ntdll.dll to juź sam sobie na przykladzie wykombinuj, lokalizacje te same.
Sie przyznaj lepiej czy jakiś innych plików systemowych nie skosiłeś :wink:
A niech strace:
expand X:\i386\dwwin.ex_ C:\Windows\system32\dwwin.exe
Za X: podstaw litere napędu, C: to litera partycji systemowej.
Jak przywrócić ntdll.dll to juź sam sobie na przykladzie wykombinuj, lokalizacje te same.
Sie przyznaj lepiej czy jakiś innych plików systemowych nie skosiłeś :wink:
Mistrzu jakbyś mogl napisac jak to polecenie expand mialoby wygladac bo jescze go nie uzywalem i skad mam wziasc ten plik ntdll z plytki ?? Ogolnie jakbys rozwinal swoja mysl :)) Wielkie dzieki
dwwin.exe to plik systemowy, Dr. Watson dokładnie i w kosekwecji jego usuniecia wysypał się własnie explorer. Brawo !
Teraz to czym prędzej odkręć wrzucając nowiuśki plik expandem z konsoli odzyskiwania.
PS: Ten plik to ntdll.exe czy ntdll.dll ?
To wielka róznica w tym wypadku, sprawdz to dokładnie.
Teraz to czym prędzej odkręć wrzucając nowiuśki plik expandem z konsoli odzyskiwania.
PS: Ten plik to ntdll.exe czy ntdll.dll ?
To wielka róznica w tym wypadku, sprawdz to dokładnie.
Probowalem pousuwac te pasci w trybie awaryjnym no i wydawalo mi sie ze juz wszystko usunalem ale po wejsciu do windowsa okazlo sie ze on nie dziala jest tylko sam pulpit bez ikon nie dziala nic nawet menedzer zadan dlatego postanowilem naprawic go przez instalacje jednak po odpaleniu z plytki instalatora i sprawdzeniu dyskow i ponownym uruchomieniu pojawił sie blad Hard error problemy z plikiem ntdll.exe, dlatego zainstalowałem druga kopie na innej partycji jednak mam pytanie czy jest jakas szansa na odzyskanie tamtego windowsa ??
Skopiowałem z nowej instalacji ten plik ntdll.exe ale dalej nic. Aha jeszcze jedno przy trybie awaryjnym pojawił mi sie jakis dziwny proces dwwin.exe i go usunalem za pomoca konsoli odzyskiwania bo w awaryjnym cały czas sie wlaczal moze to jest przyczyna ??
Skopiowałem z nowej instalacji ten plik ntdll.exe ale dalej nic. Aha jeszcze jedno przy trybie awaryjnym pojawił mi sie jakis dziwny proces dwwin.exe i go usunalem za pomoca konsoli odzyskiwania bo w awaryjnym cały czas sie wlaczal moze to jest przyczyna ??
Wyłącz przywracanie systemu
Uruchom system w trybie awaryjnym
Zaznacz wpisy w Hijacku i usun:
Odpalasz wiersz poleceń i wpisujesz:
Pozostałe katalogi wywalasz w całości ręcznie.
Wpis 020 to Haxdoor, poszukaj na forum opisu jego usuwania bo podawany był wielokrotnie, za słowo kluczowe wpisz nazwe pliku.
Jak skonczysz podrzuc nowy log bo badziewia jest kupe i za jednym zamachem mozesz sie machnąć gdzieś.
Uruchom system w trybie awaryjnym
Zaznacz wpisy w Hijacku i usun:
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://E:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 – Default URLSearchHook is missing
O2 – BHO: BHObj Class – {00000010–6F7D–442C–93E3–4A4827C2E4C8} – E:\WINDOWS\nem220.dll
O2 – BHO: BAHelper Class – {A3FDD654–A057–4971–9844–4ED8E67DBBB8} – E:\Program Files\SideFind\sfbho.dll
O2 – BHO: ADP UrlCatcher Class – {F4E04583–354E–4076–BE7D–ED6A80FD66DA} – E:\WINDOWS\System32\msbe.dll
O3 – Toolbar: ISTbar – {FAA356E4–D317–42a6–AB41–A3021C6E7D52} – E:\Program Files\ISTbar\istbarcm.dll
O4 – HKLM\..\Run: [IST Service] E:\Program Files\ISTsvc\istsvc.exe
O4 – HKLM\..\Run: [EOJ4BX2] E:\WINDOWS\lhpeg.exe
O4 – HKLM\..\Run: [Internet Optimizer] "E:\Program Files\Internet Optimizer\optimize.exe"
O4 – HKLM\..\Run: [BullsEye Network] E:\Program Files\BullsEye Network\bin\bargains.exe
O4 – HKLM\..\Run: [Power Scan] E:\Program Files\Power Scan\powerscan.exe
O4 – HKLM\..\Run: [Microsoft Update] wuamkop32.exe
O4 – HKLM\..\Run: [Network Access] winssh.exe
O4 – HKLM\..\RunServices: [RecycleSTR] msreg32.exe
O4 – HKLM\..\RunServices: [microsft windows updates] mwupdate32.exe
O4 – HKLM\..\RunServices: [Microsoft Update] wuamkop32.exe
O4 – HKLM\..\RunServices: [Network Access] winssh.exe
O9 – Extra button: SideFind – {10E42047–DEB9–4535–A118–B3F6EC39B807} – E:\Program Files\SideFind\sidefind.dll
O15 – Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 – DPF: {99410CDE–6F16–42ce–9D49–3807F78F0287} (ClientInstaller Class) – http://www.180searchassistant.com/180saax.cab
O20 – Winlogon Notify: drct16 – drct16.dll (file missing)
O23 – Service: Provides three management service (FreeBSD) – Unknown owner – E:\WINDOWS\System32\dev32.exe (file missing)
O23 – Service: Debug oupost relations (LAGOS) – Unknown owner – E:\WINDOWS\System32\ahtun.exe (file missing)
Odpalasz wiersz poleceń i wpisujesz:
cd C:\Windows
attrib –r –s –h nem220.dll
del nem220.dll
attrib –r –s –h lhpeg.exe
del lhpeg.exe
cd C:\Windows\system32
attrib –r –s –h wuamkop32.exe
del wuamkop32.exe
attrib –r –s –h winssh.exe
del winssh.exe
attrib –r –s –h msreg32.exe
del msreg32.exe
attrib –r –s –h mwupdate32.exe
del mwupdate32.exe
sc stop FreeBSD
sc delete FreeBSD
attrib –r –s –h dev32.exe
del dev32.exe
sc stop LAGOS
sc delete LAGOS
attrib –r –s –h ahtun.exe
del ahtun.exe
Pozostałe katalogi wywalasz w całości ręcznie.
Wpis 020 to Haxdoor, poszukaj na forum opisu jego usuwania bo podawany był wielokrotnie, za słowo kluczowe wpisz nazwe pliku.
Jak skonczysz podrzuc nowy log bo badziewia jest kupe i za jednym zamachem mozesz sie machnąć gdzieś.
Strona 1 / 1