YOUR SYSTEM IS INFECTED

Hello

That message keeps appearing on my desktop. It is all thanks to the SpySheriff crap, which unfortunately installed itself on its own. I think I managed to remove it, but the system is still infected. A Panda online scan detected a few more viruses and spyware programs. The worst thing about all this is that none of my programs work. Basically I can't run anything, change Windows settings, etc. So what am I supposed to do?
Do I have to reinstall the system?
Help!

Replies: 20

I can't remove these entries:
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

Apart from that I've removed everything

Logfile of HijackThis v1.99.1
Scan saved at 15:46:33, on 2005-12-19
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programy\Norton AntiVirus\navapsvc.exe
C:\Programy\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\ProgramY\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programy\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\Programy\Mozilla\mozilla.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Mateusz\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400010&utm_content=leftnav&utm_source=efc&utm_medium=bund&utm_campaign=efc0605
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400010&utm_content=leftnav&utm_source=efc&utm_medium=bund&utm_campaign=efc0605
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programy\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Programy\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Programy\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programy\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programy\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [eDonkey2000] "C:\Programy\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] c:\ProgramY\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Programy\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "c:\programy\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programy\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\ProgramY\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programy\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programy\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programy\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programy\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programy\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Only one file is left to remove manually, vxh8jkdq2.exe, and I can't delete it because it tells me: "Cannot delete vxh8jkdq2: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." How am I supposed to do this? Help plz.
Moradin
Posted
19.12.2005 16:54:19
First go here -> http://forum.centrumxp.pl/viewtopic.php?t=37513
EL NINO
Posted
19.12.2005 15:05:38
Hello! Help me, my log is:

Logfile of HijackThis v1.99.1
Scan saved at 20:01:01, on 2005-12-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programy\Norton AntiVirus\navapsvc.exe
C:\Programy\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programy\D-Tools\daemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programy\eDonkey2000\eDonkey2000.exe
C:\ProgramY\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programy\Gadu-Gadu\gg.exe
C:\Programy\Phone\Skype.exe
C:\Programy\Mozilla\mozilla.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Mateusz\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400010&utm_content=leftnav&utm_source=efc&utm_medium=bund&utm_campaign=efc0605
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400010&utm_content=leftnav&utm_source=efc&utm_medium=bund&utm_campaign=efc0605
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programy\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Programy\FlashGet\jccatch.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\zolker011.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programy\Norton AntiVirus\NavShExt.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\system32\ztoolb011.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Programy\FlashGet\fgiebar.dll
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\Program Files\Accoona\atoolbar.dll
O3 - Toolbar: ZToolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\system32\ztoolb011.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programy\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programy\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [eDonkey2000] "C:\Programy\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] c:\ProgramY\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Programy\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "c:\programy\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programy\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Programy\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\ProgramY\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programy\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programy\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LanTool - Unknown owner - D:\LanTool\LanTool.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programy\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programy\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programy\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Moradin
Posted
18.12.2005 21:01:36
Żółty:
kubulus:

Only one thing was left after that: roughly every 5-10 minutes pages like these open on me:

In the pinned FAQ there is a link to the instructions for removing that junk (Look2Me).

Thx and thanks
kubulus
Posted
29.11.2005 15:51:15
Listen, I have a similar problem to the others. Every now and then a message arrives, i.e. a MESSENGER box, with the magic text "your system has been infected" :|.
I also can't change the wallpaper, I have a blue background. Reading the posts on this forum, I made this log or whatever it's called; here is the result:

Logfile of HijackThis v1.99.1
Scan saved at 13:13:03, on 2005-11-29
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
D:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
D:\WINDOWS\System32\CTHELPER.EXE
D:\Program Files\D-Tools\daemon.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
D:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
D:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
D:\Program Files\Ad Muncher\AdMunch.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Spyware Nuker 2004\swn2.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Tlen.pl\tlen.exe
D:\Program Files\Gadu-Gadu\gg.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\eMule\eMule.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\Program Files\Winamp\winamp.exe
D:\DOCUME~1\MACIEK~1\USTAWI~1\Temp\Rar$EX94.766\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] D:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [lobium] D:\WINDOWS\System32\oielny.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Vetlomd] C:\Program Files\Ksybv\Hbef.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad Muncher] D:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [Spyware Nuker] D:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [SysMemory manager] d:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Komunikator] D:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.3/g_bin/pl/solitaire_2_0_0_18.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_15.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_65.cab
O16 - DPF: {2B6A3140-7073-11D5-8F79-0080C8D7EC11} (GameDesire Proxy) - http://gryonline.wp.pl/g_bin/ginuser_pl_2_0_0_3.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) - http://poczta.wp.pl/2/mailcfg.ocx
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (GINBOARDS Class) - http://67.15.101.3/g_bin/pl/boards_2_0_0_20.cab
O16 - DPF: {4539348E-01D7-11D5-9A39-0080C8D85044} (GameDesire Slots 90th) - http://67.15.101.3/g_bin/pl/slots90_2_0_0_23.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_37.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9085316E-42BA-11D4-BAA3-0080C8D7ED4A} (GameDesire JungleHunter) - http://67.15.101.3/g_bin/pl/hunter_2_0_0_16.cab
O16 - DPF: {A1FE3DE0-CF77-11D4-8340-0080C8D7ED4A} (GameDesire Pinball Demon) - http://67.15.101.3/g_bin/pl/demon_2_0_0_18.cab
O16 - DPF: {A6212120-01D4-11D5-9A39-0080C8D85044} (GameDesire Slots 70th) - http://67.15.101.3/g_bin/pl/slots70_2_0_0_23.cab
O16 - DPF: {A854AD6D-6DB5-41FB-8044-0BD38092A007} (Ganymede Sudoku) - http://67.15.101.3/g_bin/pl/sudoku_2_0_0_6.cab
O16 - DPF: {A9ED6AA2-D9D4-4D71-9586-E293E2E3580B} (GameDesire Marbies&Diamonds) - http://67.15.101.3/g_bin/pl/marbles_2_0_0_21.cab
O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/pl/darts_2_0_0_31.cab
O16 - DPF: {AD7013FF-1D9A-4F36-94A6-3CD408A663F9} (GameDesire BreakOut) - http://67.15.101.3/g_bin/pl/breakout_2_0_0_18.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/pl/words_2_0_0_35.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_18.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GINSOCCER Class) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_8.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_24.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C3} (GameDesire Pool 14) - http://67.15.101.3/g_bin/pl/billard14_2_0_0_21.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C4} (GameDesire Pool Training) - http://67.15.101.3/g_bin/pl/billardt_2_0_0_23.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_23.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C6} (GameDesire Pool 8UK) - http://67.15.101.3/g_bin/pl/billard8UK_2_0_0_21.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2E32B6-76FE-4C62-8BED-32575BA1038E}: NameServer = 85.255.115.78,85.255.112.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{65B013AC-BDA1-4A94-9D93-183D9623438B}: NameServer = 85.255.115.78,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D2E32B6-76FE-4C62-8BED-32575BA1038E}: NameServer = 85.255.115.78,85.255.112.111
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: MySql - Unknown owner - D:\Program Files\Krasnal server\usr/MYSQL/bin/mysqld.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


And now the magic question: what next? :P
Thanks in advance for the replies :)
macjuz
Posted
29.11.2005 14:14:54
kubulus:

Only one thing was left after that: roughly every 5-10 minutes pages like these open on me:

In the pinned FAQ there is a link to the instructions for removing that junk (Look2Me).
Żółty
Posted
28.11.2005 18:21:32
I had the same problem but I managed to deal with it.
Only one thing was left after that: roughly every 5-10 minutes pages like these open on me:
http://www.ez-cheap.com/normal/yyy102.html

http://www.shop-savings.com/normal/yyy102.html

http://www212.paypopup.com/networks/bconnect2.php?rurl=http%3A%2F%2Fpopunder.paypopup.com%2Fprogress.php%3Fsn%3D841133193649%26serverfile%3Dpopdirect%26siteid%3DBundleWare%26subid%3D23782%26data%3DrSe_2%25D1%25CD%25CC%25CC%25CC%25D4%25CC%25D7%25CF%25D7%25C21g%255E%255DcY%25DD%25DE%252B%2524%257B%2524%25FE%25F8%25FC-%257D%25C7q_ZcY%25DD%25CE%25CC%25D0%25D3%25CD%25BF%252B1%25E1%25283l%255Ejs2%25F0%25E8%25BF%25FB%252A%2527%2522%257E%2526%2522.%257EeO5ja%25C6%2526%252F%25DC%2521%252C%252F%25DE%25EB%2527%25FD%2521%26adsid%3D25%26adsname%3Dbconnect_prepopped

http://www.ez-savings.com/normal/yyy102.html
kubulus
Posted
28.11.2005 18:09:01
pula:

C:\WINDOWS\inet20096\services.exe
C:\WINDOWS\System32\leeman.exe
C:\WINDOWS\System32\rtf32.exe
C:\Program Files\sbaa\cham.exe
C:\WINDOWS\inet20096\explorer.exe
C:\WINDOWS\system32\??oolsv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F3 - REG:win.ini: run=C:\WINDOWS\inet20096\services.exe
O2 - BHO: (no name) - {1D4DE64B-679E-5965-A2AB-72FCDF53EAAF} - C:\WINDOWS\System32\urx.dll (file missing)
O2 - BHO: (no name) - {9C7E77C9-E151-E6FF-7BE0-BC9EFB6350E7} - C:\WINDOWS\System32\ucmbt.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll (file missing)
O2 - BHO: (no name) - {CB2A7798-BB57-EEFB-7BE0-BC9EFB6350E7} - C:\WINDOWS\System32\ucmbt.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll (file missing)
O4 - HKLM\..\Run: [rtf32.exe] rtf32.exe
O4 - HKLM\..\Run: [leeman] C:\WINDOWS\System32\leeman.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20096\services.exe
O4 - HKLM\..\RunServices: [leeman] C:\WINDOWS\System32\leeman.exe
O4 - HKCU\..\Run: [leeman] C:\WINDOWS\System32\leeman.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20096\services.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuklc.mht!http://kazaalite.pl/stats/loud.chm::/Bridge-c139.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c411.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\nosuxxxy.mht!http://elitegate.de/script/ysb.chm::/ysb_regular.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - ms-its:mhtml:file://c:\nosukmt.mht!http://kazaalite.pl/stats/mta.chm::/MediaTicketsInstaller.cab
O21 - SSODL: Web Event Logger - {7CFBACFF-EE01-1231-ABDD-416592E5D639} - C:\WINDOWS\System32\Jcebgacl.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)


Hmm.... a hell of a lot of crud. Spy Sweeper or SpyBot for a scan

O1 - Hosts: 127.0.0.5 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.5 x.full-tgp.net
O1 - Hosts: 127.0.0.5 counter.sexmaniack.com
...

Open the hosts file from C:\WINDOWS\system32\drivers\etc in Notepad
Ctrl+H, Find: 127.0.0.5, Replace with: 127.0.0.1, Replace All, Ctrl+S and Alt+F4.

Then follow the post about L2M http://forum.centrumxp.pl/viewtopic.php?t=43523
Peter_l
Posted
17.11.2005 21:56:35
goores wywalasz:
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 – Default URLSearchHook is missing
F2 – REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 – BHO: C:\WINDOWS\adsldpbd.dll – {826B2228–BC09–49F2–B5F8–42CE26B1B712} – C:\WINDOWS\adsldpbd.dll
O4 – HKLM\..\Run: [auto__hloader__key] C:\WINDOWS\System32\hloader_exe.exe
O4 – HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 – HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 – HKLM\..\Run: [multitran] C:\WINDOWS\System32\multitran.exe
O4 – HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 – HKLM\..\Run: [Systems] C:\WINDOWS\System32\sysmon.exe
O4 – HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 – HKLM\..\RunServices: [multitran] C:\WINDOWS\System32\multitran.exe
O15 – Trusted Zone: *.coolwebsearch.com
O15 – Trusted Zone: *.searchmeup.com
O16 – DPF: {11111111–1111–1111–1111–111111111157} – ms–its:mhtml:file://C:\nosuch.mht!http://iframetraff.biz/dl/adv435/x.chm::/load. exe
O20 – Winlogon Notify: dvd4free – C:\WINDOWS\SYSTEM32\dvd4free.dll
O20 – Winlogon Notify: gs – C:\WINDOWS\adsldpbd.dll
O20 – Winlogon Notify: MS–DOS Emulation – C:\WINDOWS\system32\k4620ejoehoc0.dll
O20 – Winlogon Notify: msctl32.dll – C:\WINDOWS\System32\msctl32.dll
O20 – Winlogon Notify: st3 – C:\WINDOWS\system32\st3.dll
O21 – SSODL: SysTray.Excn2 – {1722ECFF–4356–4f5b–B534–E67294FE75E9} – C:\WINDOWS\System32\fmmehpoo.dll (file missing)
O21 – SSODL: DJCFJFDJ – {25753999–3C65–0045–720D–3DEC2A5419FF} – C:\WINDOWS\System32\Qaejdcpa.dll
O21 – SSODL: mtklef – {4C78E826–E28E–4073–268E–C542CC792D2D} – C:\WINDOWS\System32\uxmax32.dll
O23 – Service: Command Service (cmdService) – Unknown owner – C:\WINDOWS\eA\command.exe


additionally:
Open the hosts file from C:\WINDOWS\system32\drivers\etc in Notepad
Ctrl+H, Find: 127.0.0.5, Replace with: 127.0.0.1, Replace All, Ctrl+S and Alt+F4.
damiancore
Added
17.11.2005 20:47:50
Logfile of HijackThis v1.99.1
Scan saved at 22:50:27, on 2005–11–16
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 – HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://command.adservs.com/uninstall.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 – Default URLSearchHook is missing
F2 – REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O1 – Hosts: 127.0.0.5 n–glx.s–redirect.com
O1 – Hosts: 127.0.0.5 x.full–tgp.net
O1 – Hosts: 127.0.0.5 counter.sexmaniack.com
O1 – Hosts: 127.0.0.5 autoescrowpay.com
O1 – Hosts: 127.0.0.5 www.autoescrowpay.com
O1 – Hosts: 127.0.0.5 www.awmdabest.com
O1 – Hosts: 127.0.0.5 www.sexfiles.nu
O1 – Hosts: 127.0.0.5 awmdabest.com
O1 – Hosts: 127.0.0.5 sexfiles.nu
O1 – Hosts: 127.0.0.5 allforadult.com
O1 – Hosts: 127.0.0.5 www.allforadult.com
O1 – Hosts: 127.0.0.5 www.iframe.biz
O1 – Hosts: 127.0.0.5 iframe.biz
O1 – Hosts: 127.0.0.5 www.newiframe.biz
O1 – Hosts: 127.0.0.5 newiframe.biz
O1 – Hosts: 127.0.0.5 www.vesbiz.biz
O1 – Hosts: 127.0.0.5 vesbiz.biz
O1 – Hosts: 127.0.0.5 www.pizdato.biz
O1 – Hosts: 127.0.0.5 pizdato.biz
O1 – Hosts: 127.0.0.5 www.awmcash.biz
O1 – Hosts: 127.0.0.5 awmcash.biz
O1 – Hosts: 127.0.0.5 buldog–stats.com
O1 – Hosts: 127.0.0.5 www.buldog–stats.com
O1 – Hosts: 127.0.0.5 fregat.drocherway.com
O1 – Hosts: 127.0.0.5 slutmania.biz
O1 – Hosts: 127.0.0.5 www.slutmania.biz
O1 – Hosts: 127.0.0.5 toolbarpartner.com
O1 – Hosts: 127.0.0.5 www.toolbarpartner.com
O1 – Hosts: 127.0.0.5 www.megapornix.com
O1 – Hosts: 127.0.0.5 megapornix.com
O1 – Hosts: 127.0.0.5 www.sp2fucked.biz
O1 – Hosts: 127.0.0.5 sp2fucked.biz
O1 – Hosts: 127.0.0.5 greg–tut.com
O1 – Hosts: 127.0.0.5 www.greg–tut.com
O1 – Hosts: 127.0.0.5 nylonsexy.com
O1 – Hosts: 127.0.0.5 www.nylonsexy.com
O1 – Hosts: 127.0.0.5 vparivalka.com
O1 – Hosts: 127.0.0.5 www.vparivalka.com
O1 – Hosts: 127.0.0.5 iframeprofit.com
O1 – Hosts: 127.0.0.5 www.iframeprofit.com
O1 – Hosts: 127.0.0.5 topsearch10.com
O1 – Hosts: 127.0.0.5 www.topsearch10.com
O1 – Hosts: 127.0.0.5 statscash.biz
O1 – Hosts: 127.0.0.5 www.statscash.biz
O1 – Hosts: 127.0.0.5 vxiframe.biz
O1 – Hosts: 127.0.0.5 www.vxiframe.biz
O1 – Hosts: 127.0.0.5 crazy–toolbar.com
O1 – Hosts: 127.0.0.5 www.crazy–toolbar.com
O1 – Hosts: 127.0.0.5 topcash.biz
O1 – Hosts: 127.0.0.5 www.topcash.biz
O1 – Hosts: 127.0.0.5 loadcash.biz
O1 – Hosts: 127.0.0.5 www.loadcash.biz
O1 – Hosts: 127.0.0.5 txiframe.biz
O1 – Hosts: 127.0.0.5 www.txiframe.biz
O1 – Hosts: 127.0.0.5 procounter.biz
O1 – Hosts: 127.0.0.5 www.procounter.biz
O1 – Hosts: 127.0.0.5 advadmin.biz
O1 – Hosts: 127.0.0.5 www.advadmin.biz
O1 – Hosts: 127.0.0.5 trafficbest.net
O1 – Hosts: 127.0.0.5 www.trafficbest.net
O1 – Hosts: 127.0.0.5 besthvac.com
O1 – Hosts: 127.0.0.5 www.besthvac.com
O1 – Hosts: 127.0.0.5 traff4.com
O1 – Hosts: 127.0.0.5 www.traff4.com
O1 – Hosts: 127.0.0.5 ambush–script.com
O1 – Hosts: 127.0.0.5 www.ambush–script.com
O1 – Hosts: 127.0.0.5 beehappyy.biz
O1 – Hosts: 127.0.0.5 www.beehappyy.biz
O1 – Hosts: 127.0.0.5 tracktraff.cc
O1 – Hosts: 127.0.0.5 www.tracktraff.cc
O1 – Hosts: 127.0.0.5 allcount.net
O1 – Hosts: 127.0.0.5 www.allcount.net
O1 – Hosts: 127.0.0.5 onedayoffer.biz
O2 – BHO: C:\WINDOWS\adsldpbd.dll – {826B2228–BC09–49F2–B5F8–42CE26B1B712} – C:\WINDOWS\adsldpbd.dll
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 – HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\edonkey2000.exe" –t
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [auto__hloader__key] C:\WINDOWS\System32\hloader_exe.exe
O4 – HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 – HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 – HKLM\..\Run: [multitran] C:\WINDOWS\System32\multitran.exe
O4 – HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 – HKLM\..\Run: [Systems] C:\WINDOWS\System32\sysmon.exe
O4 – HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 – HKLM\..\RunServices: [multitran] C:\WINDOWS\System32\multitran.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 – Extra button: Yahoo! Services – {5BAB4B5B–68BC–4B02–94D6–2FC0DE4A7897} – C:\Program Files\Yahoo!\Common\yiesrvc.dll
O15 – Trusted Zone: *.coolwebsearch.com
O15 – Trusted Zone: *.searchmeup.com
O16 – DPF: {11111111–1111–1111–1111–111111111157} – ms–its:mhtml:file://C:\nosuch.mht!http://iframetraff.biz/dl/adv435/x.chm::/load.exe
O16 – DPF: {30528230–99f7–4bb4–88d8–fa1d4f56a2ab} (YInstStarter Class) – C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 – Winlogon Notify: dvd4free – C:\WINDOWS\SYSTEM32\dvd4free.dll
O20 – Winlogon Notify: gs – C:\WINDOWS\adsldpbd.dll
O20 – Winlogon Notify: MS–DOS Emulation – C:\WINDOWS\system32\k4620ejoehoc0.dll
O20 – Winlogon Notify: msctl32.dll – C:\WINDOWS\System32\msctl32.dll
O20 – Winlogon Notify: st3 – C:\WINDOWS\system32\st3.dll
O21 – SSODL: SysTray.Excn2 – {1722ECFF–4356–4f5b–B534–E67294FE75E9} – C:\WINDOWS\System32\fmmehpoo.dll (file missing)
O21 – SSODL: DJCFJFDJ – {25753999–3C65–0045–720D–3DEC2A5419FF} – C:\WINDOWS\System32\Qaejdcpa.dll
O21 – SSODL: mtklef – {4C78E826–E28E–4073–268E–C542CC792D2D} – C:\WINDOWS\System32\uxmax32.dll
O23 – Service: Command Service (cmdService) – Unknown owner – C:\WINDOWS\eA\command.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
goores
Added
16.11.2005 23:55:55
could someone help me with this????


Logfile of HijackThis v1.99.1
Scan saved at 18:56:51, on 2005–11–11
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AntiVirenKit\AVKService.exe
C:\Program Files\AntiVirenKit\AVKWCtl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\inet20096\services.exe
D:\Muzyka\winamp\winampa.exe
C:\WINDOWS\System32\leeman.exe
C:\WINDOWS\System32\rtf32.exe
D:\Uzytki\Gadu–Gadu\gg.exe
C:\Program Files\sbaa\cham.exe
C:\WINDOWS\inet20096\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\??oolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pulka\Pulpit\HijackThis.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 – REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00010.exe"
F3 – REG:win.ini: run=C:\WINDOWS\inet20096\services.exe
O1 – Hosts: 127.0.0.5 n–glx.s–redirect.com
O1 – Hosts: 127.0.0.5 x.full–tgp.net
O1 – Hosts: 127.0.0.5 counter.sexmaniack.com
O1 – Hosts: 127.0.0.5 autoescrowpay.com
O1 – Hosts: 127.0.0.5 www.autoescrowpay.com
O1 – Hosts: 127.0.0.5 www.awmdabest.com
O1 – Hosts: 127.0.0.5 www.sexfiles.nu
O1 – Hosts: 127.0.0.5 awmdabest.com
O1 – Hosts: 127.0.0.5 sexfiles.nu
O1 – Hosts: 127.0.0.5 allforadult.com
O1 – Hosts: 127.0.0.5 www.allforadult.com
O1 – Hosts: 127.0.0.5 www.iframe.biz
O1 – Hosts: 127.0.0.5 iframe.biz
O1 – Hosts: 127.0.0.5 www.newiframe.biz
O1 – Hosts: 127.0.0.5 newiframe.biz
O1 – Hosts: 127.0.0.5 www.vesbiz.biz
O1 – Hosts: 127.0.0.5 vesbiz.biz
O1 – Hosts: 127.0.0.5 www.pizdato.biz
O1 – Hosts: 127.0.0.5 pizdato.biz
O1 – Hosts: 127.0.0.5 www.awmcash.biz
O1 – Hosts: 127.0.0.5 awmcash.biz
O1 – Hosts: 127.0.0.5 buldog–stats.com
O1 – Hosts: 127.0.0.5 www.buldog–stats.com
O1 – Hosts: 127.0.0.5 fregat.drocherway.com
O1 – Hosts: 127.0.0.5 slutmania.biz
O1 – Hosts: 127.0.0.5 www.slutmania.biz
O1 – Hosts: 127.0.0.5 toolbarpartner.com
O1 – Hosts: 127.0.0.5 www.toolbarpartner.com
O1 – Hosts: 127.0.0.5 www.megapornix.com
O1 – Hosts: 127.0.0.5 megapornix.com
O1 – Hosts: 127.0.0.5 www.sp2fucked.biz
O1 – Hosts: 127.0.0.5 sp2fucked.biz
O1 – Hosts: 127.0.0.5 greg–tut.com
O1 – Hosts: 127.0.0.5 www.greg–tut.com
O1 – Hosts: 127.0.0.5 nylonsexy.com
O1 – Hosts: 127.0.0.5 www.nylonsexy.com
O1 – Hosts: 127.0.0.5 vparivalka.com
O1 – Hosts: 127.0.0.5 www.vparivalka.com
O1 – Hosts: 127.0.0.5 iframeprofit.com
O1 – Hosts: 127.0.0.5 www.iframeprofit.com
O1 – Hosts: 127.0.0.5 topsearch10.com
O1 – Hosts: 127.0.0.5 www.topsearch10.com
O1 – Hosts: 127.0.0.5 statscash.biz
O1 – Hosts: 127.0.0.5 www.statscash.biz
O1 – Hosts: 127.0.0.5 vxiframe.biz
O1 – Hosts: 127.0.0.5 www.vxiframe.biz
O1 – Hosts: 127.0.0.5 crazy–toolbar.com
O1 – Hosts: 127.0.0.5 www.crazy–toolbar.com
O1 – Hosts: 127.0.0.5 topcash.biz
O1 – Hosts: 127.0.0.5 www.topcash.biz
O1 – Hosts: 127.0.0.5 loadcash.biz
O1 – Hosts: 127.0.0.5 www.loadcash.biz
O1 – Hosts: 127.0.0.5 txiframe.biz
O1 – Hosts: 127.0.0.5 www.txiframe.biz
O1 – Hosts: 127.0.0.5 procounter.biz
O1 – Hosts: 127.0.0.5 www.procounter.biz
O1 – Hosts: 127.0.0.5 advadmin.biz
O1 – Hosts: 127.0.0.5 www.advadmin.biz
O1 – Hosts: 127.0.0.5 trafficbest.net
O1 – Hosts: 127.0.0.5 www.trafficbest.net
O1 – Hosts: 127.0.0.5 besthvac.com
O1 – Hosts: 127.0.0.5 www.besthvac.com
O1 – Hosts: 127.0.0.5 traff4.com
O1 – Hosts: 127.0.0.5 www.traff4.com
O1 – Hosts: 127.0.0.5 ambush–script.com
O1 – Hosts: 127.0.0.5 www.ambush–script.com
O1 – Hosts: 127.0.0.5 beehappyy.biz
O1 – Hosts: 127.0.0.5 www.beehappyy.biz
O1 – Hosts: 127.0.0.5 tracktraff.cc
O1 – Hosts: 127.0.0.5 www.tracktraff.cc
O1 – Hosts: 127.0.0.5 allcount.net
O1 – Hosts: 127.0.0.5 www.allcount.net
O1 – Hosts: 127.0.0.5 onedayoffer.biz
O1 – Hosts: 127.0.0.5 www.onedayoffer.biz
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 – BHO: (no name) – {1D4DE64B–679E–5965–A2AB–72FCDF53EAAF} – C:\WINDOWS\System32\urx.dll (file missing)
O2 – BHO: (no name) – {9C7E77C9–E151–E6FF–7BE0–BC9EFB6350E7} – C:\WINDOWS\System32\ucmbt.dll
O2 – BHO: (no name) – {A0269420–A638–4509–889C–8FC3CC85DA7E} – C:\WINDOWS\drexinit.dll (file missing)
O2 – BHO: Google Toolbar Helper – {AA58ED58–01DD–4d91–8333–CF10577473F7} – c:\program files\google\googletoolbar3.dll
O2 – BHO: (no name) – {CB2A7798–BB57–EEFB–7BE0–BC9EFB6350E7} – C:\WINDOWS\System32\ucmbt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O3 – Toolbar: YourSiteBar – {86227D9C–0EFE–4f8a–AA55–30386A3F5686} – C:\Program Files\YourSiteBar\ysb.dll (file missing)
O3 – Toolbar: &Google – {2318C2B1–4965–11d4–9B18–009027A5CD4F} – c:\program files\google\googletoolbar3.dll
O4 – HKLM\..\Run: [WinampAgent] D:\Muzyka\winamp\winampa.exe
O4 – HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe –t
O4 – HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 – HKLM\..\Run: [rtf32.exe] rtf32.exe
O4 – HKLM\..\Run: [leeman] C:\WINDOWS\System32\leeman.exe
O4 – HKLM\..\Run: [xp_system] C:\WINDOWS\inet20096\services.exe
O4 – HKLM\..\RunServices: [leeman] C:\WINDOWS\System32\leeman.exe
O4 – HKCU\..\Run: [Gadu–Gadu] "D:\Uzytki\Gadu–Gadu\gg.exe" /tray
O4 – HKCU\..\Run: [leeman] C:\WINDOWS\System32\leeman.exe
O4 – HKCU\..\Run: [xp_system] C:\WINDOWS\inet20096\services.exe
O8 – Extra context menu item: &Google Search – res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 – Extra context menu item: &Translate English Word – res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 – Extra context menu item: Backward Links – res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 – Extra context menu item: Cached Snapshot of Page – res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 – Extra context menu item: Download All by FlashGet – C:\Program Files\FlashGet\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – C:\Program Files\FlashGet\jc_link.htm
O8 – Extra context menu item: Similar Pages – res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 – Extra context menu item: Translate Page into English – res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra button: FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 – Extra 'Tools' menuitem: &FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O12 – Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 – Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 – DPF: {15AD4789–CDB4–47E1–A9DA–992EE8E6BAD6} – ms–its:mhtml:file://c:\nosuklc.mht!http://kazaalite.pl/stats/loud.chm::/Bridge–c139.cab
O16 – DPF: {15AD6789–CDB4–47E1–A9DA–992EE8E6BAD6} – http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge–c411.cab
O16 – DPF: {42F2C9BA–614F–47C0–B3E3–ECFD34EED658} (Installer Class) – ms–its:mhtml:file://c:\nosuxxxy.mht!http://elitegate.de/script/ysb.chm::/ysb_regular.cab
O16 – DPF: {9EB320CE–BE1D–4304–A081–4B4665414BEF} (MediaTicketsInstaller Control) – ms–its:mhtml:file://c:\nosukmt.mht!http://kazaalite.pl/stats/mta.chm::/MediaTicketsInstaller.cab
O16 – DPF: {B38870E4–7ECB–40DA–8C6A–595F0A5519FF} (MsnMessengerSetupDownloadControl Class) – http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O21 – SSODL: Web Event Logger – {7CFBACFF–EE01–1231–ABDD–416592E5D639} – C:\WINDOWS\System32\Jcebgacl.dll (file missing)
O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – Unknown owner – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 – Service: avast! Antivirus – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 – Service: avast! Web Scanner – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 – Service: AVK Service (AVKService) – Unknown owner – C:\Program Files\AntiVirenKit\AVKService.exe
O23 – Service: Strażnik AVK (AVKWCtl) – Unknown owner – C:\Program Files\AntiVirenKit\AVKWCtl.exe
O23 – Service: Pml Driver HPZ12 – HP – C:\WINDOWS\System32\HPZipm12.exe

I don't know much about this, so I'm counting on a helping hand... my computer barely works :cry:
Anonymous
Added
11.11.2005 22:14:59
Many thanks w84u! I'll do as you recommended! It's nice that there are still people in the world who want to help others!
QuoVadiX
Added
10.11.2005 15:33:03
There you go, you're almost an expert, the log is a pleasure to look at, compare it with the previous one :)
Next step:
– install a firewall
– visit the Windows Update site (support for critical updates until June 2006)
– if you really must use it, update IExplorer to a newer version,
but if you trust the opinions of this forum's users, switch to Opera 9 or Firefox (not yet patched according to Secunia)
– you can patch the OS using the SPack from this site
http://nowe.pl/modules/mydownloads/viewcat.php?cid=85 and here it is for download. Before installing, clean the system of the worms so it doesn't crash on you.
– update the DNS servers, the primary one is dead.
Good luck :)
w84u
Added
10.11.2005 10:07:30
My log after cleaning and scanning with Spy Sweeper:

Logfile of HijackThis v1.99.1
Scan saved at 01:29:44, on 05–11–10
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GADU–GADU\GG.EXE
C:\WINDOWS\PULPIT\SCIAGNIETE\HIJACKTHIS\HIJACKTHIS.EXE

R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 – HKLM\..\Run: [internat.exe] internat.exe
O4 – HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 – HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 – HKLM\..\Run: [SystemTray] SysTray.Exe
O4 – HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 – HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" –atboottime
O4 – HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 – HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 – HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 – HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 – HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\PROGRAM FILES\GADU–GADU\GG.EXE" /tray
O14 – IERESET.INF: SEARCH_PAGE_URL=
O14 – IERESET.INF: START_PAGE_URL=
O17 – HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 194.204.159.1,194.204.152.34
QuoVadiX
Added
10.11.2005 02:33:34
@QuoVadiX clean up according to the instructions in the pinned topic:
http://forum.centrumxp.pl/viewtopic.php?t=37513
then sweep the drives, e.g. with Spy Sweeper from here, make a new log and come back here. :wink:
w84u
Added
10.11.2005 00:15:24
Please check the log:

Logfile of HijackThis v1.99.1
Scan saved at 22:10:20, on 05–11–09
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\MDMS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RTF32.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\PROGRAM FILES\GADU–GADU\GG.EXE
C:\WINDOWS\TOOL2.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\WINDOWS\TOOL2.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\PULPIT\SCIAGNIETE\HIJACKTHIS\HIJACKTHIS.EXE

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 – Hosts: 127.0.0.5 n–glx.s–redirect.com
O1 – Hosts: 127.0.0.5 x.full–tgp.net
O1 – Hosts: 127.0.0.5 counter.sexmaniack.com
O1 – Hosts: 127.0.0.5 autoescrowpay.com
O1 – Hosts: 127.0.0.5 www.autoescrowpay.com
O1 – Hosts: 127.0.0.5 www.awmdabest.com
O1 – Hosts: 127.0.0.5 www.sexfiles.nu
O1 – Hosts: 127.0.0.5 awmdabest.com
O1 – Hosts: 127.0.0.5 sexfiles.nu
O1 – Hosts: 127.0.0.5 allforadult.com
O1 – Hosts: 127.0.0.5 www.allforadult.com
O1 – Hosts: 127.0.0.5 www.iframe.biz
O1 – Hosts: 127.0.0.5 iframe.biz
O1 – Hosts: 127.0.0.5 www.newiframe.biz
O1 – Hosts: 127.0.0.5 newiframe.biz
O1 – Hosts: 127.0.0.5 www.vesbiz.biz
O1 – Hosts: 127.0.0.5 vesbiz.biz
O1 – Hosts: 127.0.0.5 www.pizdato.biz
O1 – Hosts: 127.0.0.5 pizdato.biz
O1 – Hosts: 127.0.0.5 www.awmcash.biz
O1 – Hosts: 127.0.0.5 awmcash.biz
O1 – Hosts: 127.0.0.5 buldog–stats.com
O1 – Hosts: 127.0.0.5 www.buldog–stats.com
O1 – Hosts: 127.0.0.5 fregat.drocherway.com
O1 – Hosts: 127.0.0.5 slutmania.biz
O1 – Hosts: 127.0.0.5 www.slutmania.biz
O1 – Hosts: 127.0.0.5 toolbarpartner.com
O1 – Hosts: 127.0.0.5 www.toolbarpartner.com
O1 – Hosts: 127.0.0.5 www.megapornix.com
O1 – Hosts: 127.0.0.5 megapornix.com
O1 – Hosts: 127.0.0.5 www.sp2fucked.biz
O1 – Hosts: 127.0.0.5 sp2fucked.biz
O1 – Hosts: 127.0.0.5 greg–tut.com
O1 – Hosts: 127.0.0.5 www.greg–tut.com
O1 – Hosts: 127.0.0.5 nylonsexy.com
O1 – Hosts: 127.0.0.5 www.nylonsexy.com
O1 – Hosts: 127.0.0.5 vparivalka.com
O1 – Hosts: 127.0.0.5 www.vparivalka.com
O1 – Hosts: 127.0.0.5 iframeprofit.com
O1 – Hosts: 127.0.0.5 www.iframeprofit.com
O1 – Hosts: 127.0.0.5 topsearch10.com
O1 – Hosts: 127.0.0.5 www.topsearch10.com
O1 – Hosts: 127.0.0.5 statscash.biz
O1 – Hosts: 127.0.0.5 www.statscash.biz
O1 – Hosts: 127.0.0.5 vxiframe.biz
O1 – Hosts: 127.0.0.5 www.vxiframe.biz
O1 – Hosts: 127.0.0.5 crazy–toolbar.com
O1 – Hosts: 127.0.0.5 www.crazy–toolbar.com
O1 – Hosts: 127.0.0.5 topcash.biz
O1 – Hosts: 127.0.0.5 www.topcash.biz
O1 – Hosts: 127.0.0.5 loadcash.biz
O1 – Hosts: 127.0.0.5 www.loadcash.biz
O1 – Hosts: 127.0.0.5 txiframe.biz
O1 – Hosts: 127.0.0.5 www.txiframe.biz
O1 – Hosts: 127.0.0.5 procounter.biz
O1 – Hosts: 127.0.0.5 www.procounter.biz
O1 – Hosts: 127.0.0.5 advadmin.biz
O1 – Hosts: 127.0.0.5 www.advadmin.biz
O1 – Hosts: 127.0.0.5 trafficbest.net
O1 – Hosts: 127.0.0.5 www.trafficbest.net
O1 – Hosts: 127.0.0.5 besthvac.com
O1 – Hosts: 127.0.0.5 www.besthvac.com
O1 – Hosts: 127.0.0.5 traff4.com
O1 – Hosts: 127.0.0.5 www.traff4.com
O1 – Hosts: 127.0.0.5 ambush–script.com
O1 – Hosts: 127.0.0.5 www.ambush–script.com
O1 – Hosts: 127.0.0.5 beehappyy.biz
O1 – Hosts: 127.0.0.5 www.beehappyy.biz
O1 – Hosts: 127.0.0.5 tracktraff.cc
O1 – Hosts: 127.0.0.5 www.tracktraff.cc
O1 – Hosts: 127.0.0.5 allcount.net
O1 – Hosts: 127.0.0.5 www.allcount.net
O1 – Hosts: 127.0.0.5 onedayoffer.biz
O1 – Hosts: 127.0.0.5 www.onedayoffer.biz
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 – HKLM\..\Run: [internat.exe] internat.exe
O4 – HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 – HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 – HKLM\..\Run: [SystemTray] SysTray.Exe
O4 – HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 – HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" –atboottime
O4 – HKLM\..\Run: [SysMemory manager] c:\windows\system\mdms.exe
O4 – HKLM\..\Run: [rtf32.exe] rtf32.exe
O4 – HKLM\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 – HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 – HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 – HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 – HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\PROGRAM FILES\GADU–GADU\GG.EXE" /tray
O4 – HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 – HKCU\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 – HKCU\..\Run: [SpySheriff] C:\PROGRAM FILES\SPYSHERIFF\SpySheriff.exe
O4 – HKCU\..\RunServices: [Gadu–Gadu] "C:\PROGRAM FILES\GADU–GADU\GG.EXE" /tray
O4 – HKCU\..\RunServices: [Windows installer] C:\winstall.exe
O4 – HKCU\..\RunServices: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 – HKCU\..\RunServices: [SpySheriff] C:\PROGRAM FILES\SPYSHERIFF\SpySheriff.exe
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O14 – IERESET.INF: SEARCH_PAGE_URL=
O14 – IERESET.INF: START_PAGE_URL=
O17 – HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 194.204.159.1,194.204.152.34
QuoVadiX
Added
09.11.2005 23:58:31
noris-n1, you disable System Restore and remove:

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O4 – HKLM\..\Run: [Userinit] C:\Program Files\Common Files\system\lsass.exe
O4 – HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe

O16 – DPF: {15AD6789–CDB4–47E1–A9DA–992EE8E6BAD6} – http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge–c403.cab


F2 – REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe


Open regedit and go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Click on the Userinit value and enter this text in its data: C:\WINDOWS\system32\userinit.exe,
Close the registry editor

O1 – Hosts: 127.0.0.3 n–glx.s–redirect.com
O1 – Hosts: 127.0.0.3 x.full–tgp.net
...


Open the hosts file from C:/Windows/system32/drivers/etc in Notepad and change all 127.0.0.3 in those entries to 127.0.0.1
Bobi
Added
04.11.2005 14:44:27
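The checks that the replies in this thread apply by hand (hosts entries pointing at a loopback address other than 127.0.0.1, a Shell= value carrying a second executable, system-binary names such as svchost.exe or lsass.exe started from non-system directories, Trusted Zone entries and ms-its: DPF objects, plus the Notepad hosts fix described here and in the earlier reply) can be scripted over a saved HijackThis log. The script below is an added example, not code from the forum thread or from HijackThis; the sample log lines are copied from the logs posted above, and it assumes Windows is installed in C:\WINDOWS as in those logs.

```python
"""Triage a saved HijackThis v1.99 log with the checks the thread's replies apply by hand.
Added example, not code from the forum thread or from HijackThis.  Assumes Windows is
installed in C:\\WINDOWS, as in the logs posted above."""
import re
from ipaddress import ip_address

# Names that the malware in these logs borrows from Windows, and the only
# directories a genuine copy runs from (explorer.exe lives in C:\WINDOWS itself).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "explorer.exe", "userinit.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

ENTRY_RE = re.compile(r"^([RFO]\d+)\s*[-\u2013]\s*(.*)$")       # "O4 - HKLM\..\Run: ..." (en dash accepted)
EXE_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.exe)', re.IGNORECASE)  # first drive-letter path ending in .exe
LOOPBACK_RE = re.compile(r"^(\s*)(127\.\d{1,3}\.\d{1,3}\.\d{1,3})(?=\s)")


def check_hosts(body):
    """O1 entry: a loopback address other than 127.0.0.1 is the pattern seen in this thread."""
    parts = body.partition("Hosts:")[2].split()
    if len(parts) < 2:
        return None
    try:
        ip = ip_address(parts[0])
    except ValueError:
        return None
    if ip.is_loopback and str(ip) != "127.0.0.1":
        return f"hosts maps {parts[1]} to {ip}; the thread's fix rewrites it to 127.0.0.1"
    return None


def check_shell(body):
    """F2 entry: Shell= must be exactly explorer.exe; anything appended is started with it."""
    value = body.split("Shell=", 1)[1].strip()
    extra = value[len("explorer.exe"):].strip() if value.lower().startswith("explorer.exe") else value
    return f"Shell= starts something besides explorer.exe: {extra}" if extra else None


def check_impersonation(text):
    """O4 entry or bare process path: a system binary name outside a system directory."""
    m = EXE_RE.search(text)
    if not m:
        return None
    directory, _, name = m.group(1).lower().rpartition("\\")
    if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        return f"{name} started from {directory}, not from a Windows system directory"
    return None


def triage(log_text):
    """Return (section, message) findings for the kinds of entries the replies tell users to remove."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:                                   # e.g. a path under "Running processes:"
            msg = check_impersonation(line)
            if msg:
                findings.append(("process", msg))
            continue
        section, body = m.group(1), m.group(2)
        msg = None
        if section == "O1":
            msg = check_hosts(body)
        elif section == "F2" and "Shell=" in body:
            msg = check_shell(body)
        elif section == "O4":
            msg = check_impersonation(body)
        elif section == "O15":
            msg = "site added to the IE Trusted Zone: " + body.partition(":")[2].strip()
        elif section == "O16" and "ms-its:" in body.lower():
            msg = "DPF object fetched through the ms-its: (compiled HTML help) handler"
        if msg:
            findings.append((section, msg))
    return findings


def fix_hosts_text(text):
    """The thread's hosts repair (Ctrl+H 127.0.0.5 -> 127.0.0.1), applied only to the
    address field so that comments and the hostname column are left untouched."""
    def repl(m):
        return m.group(1) + ("127.0.0.1" if m.group(2) != "127.0.0.1" else m.group(2))
    return "".join(LOOPBACK_RE.sub(repl, l) for l in text.splitlines(keepends=True))


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\inet20096\services.exe

O1 - Hosts: 127.0.0.5 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Userinit] C:\Program Files\Common Files\system\lsass.exe
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:\nosuch.mht!http://iframetraff.biz/dl/adv435/x.chm::/load.exe
"""

if __name__ == "__main__":
    for section, msg in triage(SAMPLE_LOG):
        print(f"[{section}] {msg}")
```

Legitimate entries in the sample (svchost.exe from system32, the NVIDIA rundll32 autorun, the 127.0.0.1 hosts line) produce no finding, so the output is only the seven items the replies above would tell the poster to remove or repair.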
Hello

Please check the log, same old story: spysheriff, which I removed, but then the desktop with the frame and those issues

Logfile of HijackThis v1.99.1
Scan saved at 20:16:22, on 2005–11–03
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\DrWeb\SpiderNT.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Neostrada TP\taskbaricon.exe
C:\PROGRA~1\DrWeb\spidernt.exe
C:\Program Files\DrWeb\spiderml.exe
C:\Program Files\DrWeb\DRWEBSCD.EXE
C:\windows\system32\mdms.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – URLSearchHook: Search Class – {08C06D61–F1F3–4799–86F8–BE1A89362C85} – C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
F2 – REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 – BHO: Google Toolbar Helper – {AA58ED58–01DD–4d91–8333–CF10577473F7} – c:\program files\google\googletoolbar2.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O3 – Toolbar: &Google – {2318C2B1–4965–11d4–9B18–009027A5CD4F} – c:\program files\google\googletoolbar2.dll
O4 – HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe
O4 – HKLM\..\Run: [Userinit] C:\Program Files\Common Files\system\lsass.exe
O4 – HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spidernt.exe /agent
O4 – HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe"
O4 – HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE"
O4 – HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 – Extra context menu item: &Google Search – res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 – Extra context menu item: &Translate English Word – res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 – Extra context menu item: Backward Links – res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 – Extra context menu item: Cached Snapshot of Page – res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 – Extra context menu item: Similar Pages – res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 – Extra context menu item: Translate Page into English – res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O16 – DPF: {15AD6789–CDB4–47E1–A9DA–992EE8E6BAD6} – http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge–c403.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{2380ED88–93A7–44E0–B241–9A8085369731}: NameServer = 69.50.188.180,195.225.176.31
O17 – HKLM\System\CCS\Services\Tcpip\..\{6B9B7970–87E8–488C–B38F–6C04ADF1124E}: NameServer = 69.50.188.180,195.225.176.31
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
O23 – Service: SpIDer Guard for Windows NT (spidernt) – Doctor Web Ltd – C:\Program Files\DrWeb\SpiderNT.exe
noris–n1
Added
03.11.2005 22:23:34
Logfile of HijackThis v1.99.1
Scan saved at 19:44:24, on 2005–10–21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\PLANET WL–8313\WLANMON.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Gadu–Gadu\gg.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\hijackthis\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – URLSearchHook: (no name) – – (no file)
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 – BHO: Accoona Search Assistant – {944864A5–3916–46E2–96A9–A2E84F3F1208} – C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 – BHO: Google Toolbar Helper – {AA58ED58–01DD–4d91–8333–CF10577473F7} – c:\program files\google\googletoolbar2.dll
O4 – HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 – HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 – HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 – HKLM\..\Run: [MouseDrv] C:\DOCUME~1\Barbara\USTAWI~1\Temp\link.txt
O4 – HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe –boot
O4 – HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" –atboottime
O4 – HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – HKLM\..\RunOnce: [HLcleanup] cmd /c IF EXIST "c:\progra~1\filesu~1\starnu~1.zip\hyperl~1.exe" (del /s /q "c:\progra~1\filesu~1\starnu~1.zip\hyperl~1.exe")
O4 – HKLM\..\RunOnce: [UninstallHL] C:\WINDOWS\System32\PreUninstallHL.exe –s
O4 – HKLM\..\RunOnce: [delus] C:\DOCUME~1\Andziek\USTAWI~1\Temp\delus.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 – Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 – Global Startup: WL–8313 Configuration Utility.lnk = ?
O8 – Extra context menu item: &Google Search – res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 – Extra context menu item: &Translate English Word – res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 – Extra context menu item: Backward Links – res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 – Extra context menu item: Cached Snapshot of Page – res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 – Extra context menu item: Similar Pages – res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 – Extra context menu item: Translate Page into English – res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O16 – DPF: {205FF73B–CA67–11D5–99DD–444553540013} (CInstall Class) – http://adserver.sharewareonline.com/adserver/Install.cab
O16 – DPF: {31E68DE2–5548–4B23–88F0–C51E6A0F695E} (Microsoft PID Sniffer) – https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 – DPF: {8FCDF9D9–A28B–480F–8C3D–581F119A8AB8} – http://static.zangocash.com/cab/Zango/ie/bridge–c11.cab
O16 – DPF: {92ECE6FA–AC2E–4042–BFAE–0C8608E52A43} (SignActivX Control) – https://www.bph.pl/pi/components/SignActivX.cab
O16 – DPF: {9A9307A0–7DA4–4DAF–B042–5009F29E09E1} (ActiveScan Installer Class) – http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{7DAA37EC–D7B7–45CC–A30A–98B7EA1C1F39}: NameServer = 10.1.4.2,194.204.159.1
O23 – Service: Ati HotKey Poller – Unknown owner – C:\WINDOWS\system32\Ati2evxx.exe
O23 – Service: ATI Smart – Unknown owner – C:\WINDOWS\system32\ati2sgag.exe
O23 – Service: InCD Helper (InCDsrv) – Ahead Software AG – C:\Program Files\Ahead\InCD\InCDsrv.exe

is everything fine now??;))
hexe_osw
Added
21.10.2005 21:45:15
Disable System Restore and remove:

hexe_osw:
R3 – Default URLSearchHook is missing
O4 – HKLM\..\Run: [MouseDrv] C:\DOCUME~1\Barbara\USTAWI~1\Temp\link.txt
O4 – HKLM\..\Run: [bSMqdm] C:\WINDOWS\xoemhbq.exe
O4 – HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O16 – DPF: {205FF73B–CA67–11D5–99DD–444553540013} (CInstall Class) – http://adserver.sharewareonline.com/adserver/Install.cab
O16 – DPF: {8FCDF9D9–A28B–480F–8C3D–581F119A8AB8} – http://static.zangocash.com/cab/Zango/ie/bridge–c11.cab


Empty Temp and uninstall the fake AdwareAlert; to unblock changing the wallpaper, delete the Wallpaper value from the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
That was already covered.
Bobi
Added
21.10.2005 16:48:10
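The entries Bobi picks out above (an autorun whose target is a .txt in Temp, a missing URLSearchHook) and the ones visible in noris-n1's log (start page set to a raw IP, hosts-file overrides, changed O17 name servers, an lsass.exe under Common Files) are the red flags a helper scans a HijackThis log for. As an added example that is not part of this thread, here is a small Python triage script that applies those checks to log lines in this format; the sample lines and the CORE_NAMES set are my own constructed assumptions.

```python
import re

# Constructed sample lines in HijackThis 1.99 format, modelled on the entries quoted in
# this thread (the IPs are the ones from the thread, the host name is made up).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.onet.pl/
O1 - Hosts: 127.0.0.3 counter.example-tracker.test
O4 - HKLM\\..\\Run: [MouseDrv] C:\\DOCUME~1\\Barbara\\USTAWI~1\\Temp\\link.txt
O4 - HKLM\\..\\Run: [Userinit] C:\\Program Files\\Common Files\\system\\lsass.exe
O4 - HKLM\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\System32\\ctfmon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{GUID}: NameServer = 69.50.188.180,195.225.176.31
"""
# Core Windows process names that belong only in system32 (heuristic, my assumption).
CORE_NAMES = {"lsass.exe", "userinit.exe", "winlogon.exe", "svchost.exe", "smss.exe"}
LINE_RE = re.compile(r"^(R[0-3]|O\d+) [-–] (.*)$")  # accepts '-' or the en-dash from copy-paste


def run_target(rest: str) -> str:
    """Executable path from the text after '[name] ' in an O4 line (quoted or not)."""
    m = re.match(r'"([^"]+)"|(.+?\.[A-Za-z]{2,3})(?=[\s,]|$)', rest)
    return (m.group(1) or m.group(2)) if m else rest


def triage(log_text: str) -> list:
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section in ("R0", "R1") and "=" in body:
            host = re.sub(r"^\w+://", "", body.split("=", 1)[1].strip()).split("/")[0]
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                findings.append(("browser start/search page points at a raw IP", line))
        elif section == "O1" and body.startswith("Hosts:"):
            ip, _, name = body[6:].strip().partition(" ")
            if (ip, name) != ("127.0.0.1", "localhost"):
                findings.append(("non-default hosts entry (redirect or block)", line))
        elif section == "O4" and "] " in body:
            target = run_target(body.split("] ", 1)[1]).lower()
            name = target.rsplit("\\", 1)[-1]
            if "\\temp\\" in target or not name.endswith((".exe", ".dll")):
                findings.append(("autorun from Temp or a non-executable file", line))
            elif name in CORE_NAMES and "\\system32\\" not in target:
                findings.append(("system process name outside system32", line))
        elif section == "O17" and "NameServer" in body:
            findings.append(("DNS servers changed; confirm they belong to the ISP", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags five of the seven sample lines; the onet.pl start page and the system32 ctfmon.exe autorun pass, which is the expected behaviour for legitimate entries.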
dorotez
Added:
15.08.2005 18:45:22
Comments:
20
Page 2 / 7