YOUR SYSTEM IS INFECTED
Hello
That's the message that appears on my desktop. It's all because of that damned SpySheriff, which unfortunately installed itself on its own. I think I managed to remove it, but the system is still infected. A Panda online scan found a few more viruses and spyware programs. The worst part is that none of my programs work. Basically I can't run anything, change Windows settings, etc. So what am I supposed to do?
Do I have to reinstall the system?
Help!
Replies: 20
hey! I had a free moment earlier and managed to remove that service -> exactly the way you described. So I moved on to the next steps, i.e. a restart in safe mode and removing the entries via HJT + manually deleting the SID you gave. The result is that the system runs stably, which is the most important thing, but every now and then while working ad windows still pop up + pseudo-Windows messages :/ and Kazaa still doesn't work even after a reinstall -> that junk is terribly prone to infections -> it'll end with eDonkey :) but as I say -> the main thing is the system no longer falls apart!
below, Great Man, is the current HJT log. Note that those R1-type entries are showing up again, so something must still be there + that O23 entry -> sdkws32.exe keeps reappearing, though with the note "file missing", so I probably did delete it! :)
mfcou.exe has also appeared -> and a few hours ago everything was so nice! :/
please look through this log and tell me what else is there -> it's fairly urgent because, as you know -> in a moment the situation may look completely different again :/
tell me what else to remove now, because I can see I've gotten rid of some of the junk, but as you can see something is left...
as for that command you gave -> nothing happens after pasting it into Run -> unless the log got created somewhere and I just don't know where -> either way, after disabling that service it's probably not needed anymore :)
Logfile of HijackThis v1.99.1
Scan saved at 17:53:20, on 2005-09-28
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\apibv.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\WINDOWS\system32\mfcou.exe
C:\PROGRA~1\SONYER~1\MOBILE~1\DbgOut.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\malarz\Pulpit\wirus\hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vogss.dll/sp.html#36663
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vogss.dll/sp.html#36663
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vogss.dll/sp.html#36663
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vogss.dll/sp.html#36663
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vogss.dll/sp.html#36663
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vogss.dll/sp.html#36663
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vogss.dll/sp.html#36663
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {7E4E0ADA-4189-6454-35CE-5091BC0DCDBA} - C:\WINDOWS\atlht.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mfcou.exe] C:\WINDOWS\system32\mfcou.exe
O4 - HKLM\..\RunOnce: [apibv.exe] C:\WINDOWS\apibv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: &Tlumacz z LING... - http://www.ling.pl/ling/def-src.php4
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/124f14e5febcbd19ae17/netzip/RdxIE601.cab
O16 - DPF: {5F874A6F-8B34-433D-BA4B-47AC91C0567F} (MailCfg Control) - https://poczta.wp.pl/autoryzacja/mailcfg2.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{60CB2FC7-C005-4F71-803A-04817DB26247}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\sdkws32.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--------------------------------------------------
PS - I see that this service is set to automatic again! Last time I managed to delete it in safe mode, but after restarting the computer now - it's back again :/ !!!!! awaiting orders ...
----------------------------------------------
You already have clean logs, but for God's sake look through the threads in this section. A little further down there is one about the very same thing.
same as above (I can't change the wallpaper), except that in my case I managed to remove all the log entries you pointed out
I didn't know about the change option because I'm a newbie
Logfile of HijackThis v1.97.7
Scan saved at 17:23:47, on 2005-09-28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
D:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\K-litePro\K-litePro.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\Program Files\kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\kerio\Personal Firewall 4\kpf4gui.exe
c:\program files\internet explorer\iexplore.exe
D:\Ściągnięte\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.tkdami.net/daminet.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F1 - win.ini: load=d:\progra~1\YPD\watch.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [Komunikator] D:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\K-litePro\K-litePro.exe" -tray
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
you haven't fully solved the problem, since I still don't know how to change the wallpaper... I removed most of it (only eBay is holding out) just as you told me, but the wallpaper is still locked.
Oh, and which antivirus is better: Norton 2003 or mks_vir 2005??
Here are my current logs:]
Logfile of HijackThis v1.99.1
Scan saved at 17:09:49, on 2005-09-28
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\MKS\Bin\mks_menu.exe
C:\Program Files\MKS\Bin\ABregmon.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\MKS\Bin\NetMonSV.exe
C:\Program Files\MKS\Bin\mksmonsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MKS\Bin\mks_scan.exe
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/strona%20startowa/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
O4 - HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm (file missing)
O15 - Trusted Zone: www.allegro.pl
O15 - Trusted Zone: www.betandwin.com
O15 - Trusted Zone: www.gazeta.pl
O15 - Trusted Zone: www.interia.pl
O15 - Trusted Zone: www.mbank.pl
O15 - Trusted Zone: www.wislakrakow.com
O15 - Trusted Zone: *.www.wp.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{768271A9-4D2A-467E-A7F0-CE94975E5C60}: NameServer = 85.255.113.122,85.255.112.13
O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - C:\Program Files\MKS\Bin\NetMonSV.exe
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - C:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
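The logs posted in this thread keep turning up the same handful of entry types that deserve a second look: IE search/start pages served out of a local DLL via res://, a proxy AutoConfigURL pointing at a third-party .pac file, a win.ini load= autostart, a BHO and a RunOnce binary sitting directly in C:\WINDOWS, Run values named after their own .exe (mfcou.exe, apibv.exe), an O17 NameServer pair the user never configured, O15 trusted-zone additions, and a service with an unknown owner whose file is missing. The script below is an added example, not HijackThis code and not written by anyone in the thread: it parses lines in the HJT log format and applies those review heuristics. The sample lines are copied from the logs above (plus two benign entries that must not be flagged) and are a constructed offline input; the rule names, the `expected_dns` allowlist and the "binary directly in %SystemRoot%" heuristic are this example's own assumptions.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HJT's own code)."""
import re
from dataclasses import dataclass

# An HJT entry reads "<section> - <body>" ("R1 - ...", "O23 - ...").  The forum copy
# of these logs turned hyphens into en dashes, so either separator is accepted.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2})\s*[-\u2013]\s*(?P<body>.*)$")
# Field separator inside a body.  Surrounding whitespace is required so the dashes
# inside {GUID}s and file names are never treated as separators.
FIELD_SEP = re.compile(r"\s+[-\u2013]\s+")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: lines copied from the logs posted in this thread, plus two
# benign entries (the Adobe BHO and Symantec ccApp) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vogss.dll/sp.html#36663
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.tkdami.net/daminet.pac
F1 - win.ini: load=d:\progra~1\YPD\watch.exe
O2 - BHO: Class - {7E4E0ADA-4189-6454-35CE-5091BC0DCDBA} - C:\WINDOWS\atlht.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [mfcou.exe] C:\WINDOWS\system32\mfcou.exe
O4 - HKLM\..\RunOnce: [apibv.exe] C:\WINDOWS\apibv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: www.betandwin.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{768271A9-4D2A-467E-A7F0-CE94975E5C60}: NameServer = 85.255.113.122,85.255.112.13
O23 – Service: Network Security Service (NSS) ( 11F#`I) – Unknown owner – C:\WINDOWS\sdkws32.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # HJT section the line came from, e.g. "O23"
    rule: str   # heuristic that fired
    line: str   # the log line as given


def in_windows_root(path: str) -> bool:
    """True when a binary sits directly in %SystemRoot% (C:\\WINDOWS\\x.exe), a place
    legitimate software rarely uses for its own files but this infection did (apibv.exe)."""
    return re.search(r'^"?[A-Z]:\\WINDOWS\\[^\\]+\.(?:exe|dll)\b', path, re.I) is not None


def triage_line(line: str, expected_dns=frozenset()) -> list:
    """Run every heuristic over one log line; returns the findings, possibly none."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    fields = FIELD_SEP.split(body)
    findings = []

    def hit(rule):
        findings.append(Finding(kind, rule, line.strip()))

    if kind in ("R0", "R1"):
        # Search/start page served from a resource inside a local DLL: IE hijack.
        if re.search(r"=\s*res://.*\.dll/", body, re.I):
            hit("ie_page_served_from_local_dll")
        # A proxy auto-config URL lets whoever controls it route all browser traffic.
        if "AutoConfigURL" in body:
            hit("proxy_autoconfig_url_set")
    elif kind == "F1" and re.search(r"win\.ini:\s*load=", body, re.I):
        hit("winini_load_autostart")            # legacy autostart almost nothing legitimate uses
    elif kind == "O2" and in_windows_root(fields[-1]):
        hit("bho_in_windows_root")
    elif kind == "O4":
        m4 = re.match(r".*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", body)
        if m4 and m4.group("name").lower().endswith(".exe"):
            hit("run_value_named_after_binary")  # [mfcou.exe], [apibv.exe]
        if m4 and in_windows_root(m4.group("cmd")):
            hit("autostart_from_windows_root")
    elif kind == "O15":
        hit("ie_trusted_zone_entry")            # each one lowers IE security for that site
    elif kind == "O17":
        # Resolvers the user did not configure redirect every name lookup on the box.
        if any(ip not in expected_dns for ip in IPV4.findall(body)):
            hit("dns_server_not_expected")
    elif kind == "O23" and len(fields) >= 3:
        owner, path = fields[1], fields[-1]
        if "Unknown owner" in owner and ("(file missing)" in path or in_windows_root(path)):
            hit("service_unknown_owner_suspect_binary")
    return findings


def triage_log(text: str, expected_dns=frozenset()) -> list:
    """Triage a whole log; expected_dns is the set of resolvers the user actually chose."""
    return [f for line in text.splitlines() for f in triage_line(line, expected_dns)]


def rule_counts(findings) -> dict:
    """How often each heuristic fired; useful for comparing two logs from the same machine."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind:4} {f.rule:40} {f.line[:70]}")
```

These are review flags, not verdicts: the %SystemRoot% heuristic will also flag a legitimate vendor binary such as the UpdReg.EXE entry in the first log, and an O17 line only stops being flagged once the ISP's real resolvers are passed in as `expected_dns`. Running the same script over the log before and after a cleanup, and diffing `rule_counts`, is a quick way to see which persistence points came back after a reboot, which is exactly what happened with the NSS service above.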
People, thanks to everyone for this forum. Two days ago a friend came to me with SpySheriff. I poked around in the registry a bit, scanned with an antivirus and Ad-aware, and it did nothing, so it ended with formatting the disk (that's what I do best :D). But imagine my horror when yesterday I saw on my own desktop a blue screen with a black rectangle "Your computer is infected", and I couldn't afford a format. I removed (I think) this crap from the disk, admittedly differently from the descriptions above. How? Don't ask, I don't know exactly myself. I killed everything by hand (tool1,2,3,4,5.exe; winstall.exe; ibm00001.exe; mdms.exe and I also had something called polo.exe).
Now I'd like to apply your method, but I don't quite get it. I run the program -> Scan, it throws a .log at me in Notepad. In the program I tick the entries I want to remove and Fix. And here I can't figure out what comes next. I want to remove the entries in bold.
Logfile of HijackThis v1.99.1
Scan saved at 15:46:58, on 2005-09-28
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\System32\LXSUPMON.EXE
D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
D:\Program Files\Netropa\Onscreen Display\OSD.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Program Files\PeerGuardian2\pg2.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\SlimBrowser\sbrowser.exe
D:\Documents and Settings\Stasio\Pulpit\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LXSUPMON] D:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [StillImageMonitor] D:\W
O4 – HKLM\..\Run: [ScanRegistry] D:\W
O4 – HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 – Startup: PeerGuardian.lnk = D:\Program Files\PeerGuardian2\pg2.exe
O4 – Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 – Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O4 – Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 – Extra context menu item: Download All by FlashGet – D:\PROGRA~1\FlashGet\jc_all.htm
O8 – Extra context menu item: Download using FlashGet – D:\PROGRA~1\FlashGet\jc_link.htm
O9 – Extra button: FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – D:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 – Extra 'Tools' menuitem: &FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – D:\PROGRA~1\FlashGet\flashget.exe (file missing)
O12 – Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 – HKLM\System\CCS\Services\Tcpip\..\{F35279E6–F101–43C2–A562–F5843301BD03}: NameServer = 10.0.10.1
O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – Unknown owner – D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 – Service: avast! Antivirus – Unknown owner – D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – Unknown owner – D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 – Service: avast! Web Scanner – Unknown owner – D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 – Service: LexBce Server (LexBceS) – Lexmark International, Inc. – D:\WINDOWS\system32\LEXBCES.EXE
O23 – Service: Netropa NHK Server (nhksrv) – Unknown owner – D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – D:\WINDOWS\System32\nvsvc32.exe
O23 – Service: TrueVector Internet Monitor (vsmon) – Zone Labs Inc. – D:\WINDOWS\system32\ZoneLabs\vsmon.exe
These things aren't on the disk. Removing the registry entries by hand does nothing because they rebuild themselves.
Could someone explain this log a bit more clearly: which one to save as a .reg, and how and where to load it in Safe Mode?
Thanks in advance for your good will.
malarz, in services.msc you should find a service shown as "Network Security Service (NSS)".
Stop it and set its startup type to Disabled.
Then restart the system into Safe Mode and try to tick and fix the corresponding O23 entry.
If that fails, the registered Services keys will have to be removed by hand.
In Run type: regedit /e log2.txt HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services and show me its contents by attaching the txt file to your post.
mooman3000, I'm repeating it for the hundredth time: do you know what the "ZMIEŃ" (edit) button in the corner of a sent post is for?
Start using it if you want to add something to your previous post. I've merged your last two posts.
To be removed:
O1 – Hosts: 127.0.0.4 www.sexfiles.nu
O4 – HKLM\..\Run: [Services] C:\WINDOWS\services.exe $
O4 – HKLM\..\Run: [combop.exe] combop.exe
O4 – HKLM\..\Run: [combo.exe] combo.exe
O4 – HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 – HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 – HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 – HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
OK OK
I managed :D
and here's my log
Logfile of HijackThis v1.97.7
Scan saved at 15:52:05, on 2005–09–28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Ściągnięte\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.tkdami.net/daminet.pac
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F1 – win.ini: load=d:\progra~1\YPD\watch.exe
O1 – Hosts: 127.0.0.4 www.sexfiles.nu
O2 – BHO: (no name) – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 – BHO: (no name) – {C08DF07A–3E49–4E25–9AB0–D3882835F153} – C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 – HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 – HKLM\..\Run: [DAEMON Tools–1033] "C:\Program Files\D–Tools\daemon.exe" –lang 1033
O4 – HKLM\..\Run: [Services] C:\WINDOWS\services.exe $
O4 – HKLM\..\Run: [combop.exe] combop.exe
O4 – HKLM\..\Run: [combo.exe] combo.exe
O4 – HKCU\..\Run: [Komunikator] D:\Program Files\Tlen.pl\tlen.exe
O4 – HKCU\..\Run: [Gadu–Gadu] "D:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – HKCU\..\Run: [Shareaza] "C:\Program Files\K–litePro\K–litePro.exe" –tray
O4 – HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 – HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 – HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 – HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 – Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 – Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O12 – Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 – DPF: {D27CDB6E–AE6D–11CF–96B8–444553540000} (Shockwave Flash Object) – http://active.macromedia.com/flash2/cabs/swflash.cab
what should I do??
you'll probably laugh at me
how do I boot the PC into Safe Mode?? :oops:
okay, sdkws.32.exe probably no longer exists on my machine :)
now as for this service, as you wrote, it's either HJT or stopping it via services.msc
my question is fundamental -> which service am I supposed to get rid of, because the names that are displayed have nothing to do with "11F#`I"
spell it out for me in big letters and keep it simple :)
it's close now -> I just need to get past this somehow and then I'll be able to go wild in Safe Mode -> I hope nothing new shows up...
Okay, so one thing at a time.
Malarz, did you check whether you really don't have this file on disk? In Folder Options enable showing hidden and system files and only then look for it.
For peace of mind you can start the Recovery Console and delete the file with the del command; you'll find the syntax of that command, as well as a description of booting into the Recovery Console, on the forum, there have been many such questions.
As for the service, find it in services.msc, set the startup type to Disabled and stop it, restart the system, open HijackThis and simply try to tick and fix that entry.
konrad_w4,
- disable System Restore
- uninstall iMesh
- end the process:
sysvcs.exe
To be removed:
O4 – HKLM\..\Run: [Checkdisk] C:\WINDOWS\System32\mscas.exe
O4 – HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 – HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 – HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 – HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 – HKCU\..\Run: [Lree] C:\Program Files\onsm\nara.exe
O4 – HKCU\..\Run: [Windows installer] C:\winstall.exe
O9 – Extra button: eBay – Homepage – {EF79EAC5–3452–4E02–B8BD–BA4C89F1AC7A} – C:\Program Files\IrfanView\Ebay\Ebay.htm
O15 – Trusted Zone: *.asdbiz.biz
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.www.wp.pl
O15 – Trusted Zone: *.asdbiz.biz (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted IP range: 67.19.178.84
O15 – Trusted IP range: 67.19.178.84 (HKLM)
I see you added some sites to the trusted zone yourself; I cut out the ones that in my view you added yourself, and the junk ones are left. If you see your own sites among the O15 entries, don't remove them.
O17 – HKLM\System\CCS\Services\Tcpip\..\{768271A9–4D2A–467E–A7F0–CE94975E5C60}: NameServer = 85.255.113.122,85.255.112.13
Are these your DNS addresses, supplied by your internet provider?
I have doubts here because the log shows the Flush.F trojan, which manipulates these settings.
P.S. I'm not from Kraków, but I'm not far away. I don't know if it's worth coming over for just one beer :mrgreen:
depechegreg
- disable System Restore
- close the processes:
NTCommLib3.exe
cmdtel.exe
- remove:
O4 – HKLM\..\Run: [NTCommLib3] F:\WINDOWS\System32\NTCommLib3.exe
O4 – HKLM\..\Run: [CPU Watcher] rundll32.exe F:\WINDOWS\cpu.dll,load
O4 – HKLM\..\Run: [SysMemory manager] f:\windows\system32\mdms.exe
O15 – Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 – Winlogon Notify: tcpG4T – F:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 – SSODL: SysTray.Excn – {1722ECFF–4356–4f5b–B534–E67294FE75E9} – blank (file missing)
O21 – SSODL: SysTray.Exsn – {2368D1FC–2F5C–4f1b–B124–E67214FC78E2} – blank (file missing)
O21 – SSODL: Internet Explorer – {F28A40D7–AD0E–034A–C651–5F0ED76232E6} – blank (file missing)
O23 – Service: Loading Outpost Connections (KDE) – Unknown owner – F:\WINDOWS\System32\cmdtel.exe
About the missing transparency and Repsamo, see above.
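The checks the moderator made by eye above (hosts entries, autoruns sitting in the drive root or imitating a system binary, a Run value named Shell, trusted-zone additions, NameServer addresses outside private ranges, empty SSODL entries), written out as a triage script. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the kinds of entries quoted in the logs above, and a flagged line is a candidate for a human to look at, not a verdict.

```python
"""Triage helper for pasted HijackThis log lines (added example).

Implements the patterns a helper on the thread reacts to first, so a log can
be pre-sorted before reading it entry by entry.
"""
import ipaddress
import re

# A NameServer outside these ranges is worth asking the user about: the
# thread contrasts 10.0.10.1 (private) with 85.255.113.122,85.255.112.13.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Core Windows processes live in %SystemRoot%\system32, so a same-named
# binary elsewhere (C:\WINDOWS\services.exe in the thread) is suspect.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe"}

# "O4 - HKLM\..\Run: [name] command"; the forum's extraction turned the
# hyphen into an en dash, so lines are normalised before matching.
ENTRY = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
RUN_ENTRY = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run:\s+\[([^\]]*)\]\s*(.*)$")
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # e.g. C:\winstall.exe


def is_private(ip_text):
    """True for loopback/RFC1918 addresses; False for anything unparsable."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def command_path(command):
    """Executable path of an O4 command, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_line(line):
    """Return a short reason when a log line deserves a look, else None."""
    m = ENTRY.match(line.strip().replace("\u2013", "-"))
    if not m:
        return None
    kind, body = m.groups()
    if kind == "O1":
        return "hosts file redirects a host name"
    if kind == "O4":
        run = RUN_ENTRY.match(body)
        if not run:
            return None
        name, command = run.group(2), run.group(3)
        path = command_path(command)
        base = path.rsplit("\\", 1)[-1].lower()
        if ROOT_EXE.match(path):
            return "autorun binary in the drive root: " + path
        if base in SYSTEM_NAMES and not path.lower().endswith("\\system32\\" + base):
            return "system process name outside system32: " + path
        if name.lower() == "shell":
            return "Run value named Shell starts " + path
        return None
    if kind == "O15":
        return "trusted zone entry, confirm the user added it: " + body
    if kind == "O17" and "NameServer =" in body:
        servers = body.split("NameServer =", 1)[1].split(",")
        public = [s.strip() for s in servers if not is_private(s)]
        return ("NameServer outside private ranges: " + ", ".join(public)) if public else None
    if kind == "O21" and "blank (file missing)" in body:
        return "SSODL entry with no file behind it"
    return None


def triage_log(text):
    """Return [(line, reason)] for every flagged line of a pasted log."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample, assembled from the kinds of lines quoted in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.4 www.sexfiles.nu
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Services] C:\WINDOWS\services.exe $
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.asdbiz.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{F35279E6-F101-43C2-A562-F5843301BD03}: NameServer = 10.0.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{768271A9-4D2A-467E-A7F0-CE94975E5C60}: NameServer = 85.255.113.122,85.255.112.13
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - blank (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Entries the script stays silent on (the NVIDIA autorun and service, the private-range O17 line) are exactly the ones left alone in the replies above; everything else is handed back with the reason it was picked out.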
I have the identical problem; I've already deleted a bit, but I still have errors with some things in XP and the labels under files and icons on the desktop aren't transparent!
WHAT should I delete???
Thanks in advance for the help :)
Logfile of HijackThis v1.99.1
Scan saved at 02:19:24, on 05–09–28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\LEXPPS.EXE
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
F:\WINDOWS\System32\NTCommLib3.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\System32\ctfmon.exe
E:\Programy\Skype\Phone\Skype.exe
F:\WINDOWS\System32\CTsvcCDA.exe
F:\WINDOWS\System32\cmdtel.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\UAService7.exe
F:\WINDOWS\System32\MsPMSPSv.exe
E:\PROGRAMY\RegCleaner\RegCleanr.exe
E:\PROGRAMY\Mozilla Firefox\firefox.exe
G:\Programy\Winamp\Winamp.exe
E:\PROGRAMY\Gadu–Gadu\gg.exe
E:\PROGRAMY\Instalki nowe, DVD itd\HijackThis.exe
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – E:\Programy\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – F:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 – HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 – HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 – HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 – HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 – HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 – HKLM\..\Run: [MSPY2002] F:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 – HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 – HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 –k
O4 – HKLM\..\Run: [WheelMouse] F:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 – HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [NTCommLib3] F:\WINDOWS\System32\NTCommLib3.exe
O4 – HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 – HKLM\..\Run: [CPU Watcher] rundll32.exe F:\WINDOWS\cpu.dll,load
O4 – HKLM\..\Run: [SysMemory manager] f:\windows\system32\mdms.exe
O4 – HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 – HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [Gadu–Gadu] "E:\PROGRAMY\Gadu–Gadu\gg.exe" /tray
O4 – HKCU\..\Run: [Skype] "E:\Programy\Skype\Phone\Skype.exe" /nosplash /minimized
O4 – Global Startup: Adobe Reader Speed Launch.lnk = E:\PROGRAMY\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 – Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 – Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 – Winlogon Notify: tcpG4T – F:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 – SSODL: SysTray.Excn – {1722ECFF–4356–4f5b–B534–E67294FE75E9} – blank (file missing)
O21 – SSODL: SysTray.Exsn – {2368D1FC–2F5C–4f1b–B124–E67214FC78E2} – blank (file missing)
O21 – SSODL: Internet Explorer – {F28A40D7–AD0E–034A–C651–5F0ED76232E6} – blank (file missing)
O23 – Service: Ati HotKey Poller – ATI Technologies Inc. – F:\WINDOWS\System32\Ati2evxx.exe
O23 – Service: ATI Smart – Unknown owner – F:\WINDOWS\system32\ati2sgag.exe
O23 – Service: Creative Service for CDROM Access – Creative Technology Ltd – F:\WINDOWS\System32\CTsvcCDA.exe
O23 – Service: Loading Outpost Connections (KDE) – Unknown owner – F:\WINDOWS\System32\cmdtel.exe
O23 – Service: LexBce Server (LexBceS) – Lexmark International, Inc. – F:\WINDOWS\system32\LEXBCES.EXE
O23 – Service: Macromedia Licensing Service – Unknown owner – F:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 – Service: SecuROM User Access Service (V7) (UserAccess7) – Sony DADC Austria AG. – F:\WINDOWS\System32\UAService7.exe
same here ... :(
Logfile of HijackThis v1.99.1
Scan saved at 23:51:16, on 2005–09–27
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\D–Tools\daemon.exe
C:\Program Files\MKS\Bin\mks_menu.exe
C:\Program Files\MKS\Bin\ABregmon.exe
C:\WINDOWS\System32\sysvcs.exe
C:\Program Files\MKS\Bin\NetMonSV.exe
C:\Program Files\MKS\Bin\mksmonsv.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MKS\Bin\mks_scan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\konrad\Pulpit\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/strona%20startowa/start.html
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: DownloadRedirect Class – {00000000–6CB0–410C–8C3D–8FA8D2011D0A} – C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 – BHO: bho2gr Class – {31FF080D–12A3–439A–A2EF–4BA95A3148E8} – C:\Program Files\GetRight\xx2gr.dll
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – e:\Spybot – Search & Destroy\SDHelper.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 – HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 – HKLM\..\Run: [DAEMON Tools–1033] "C:\Program Files\D–Tools\daemon.exe" –lang 1033
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
O4 – HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe
O4 – HKLM\..\Run: [Checkdisk] C:\WINDOWS\System32\mscas.exe
O4 – HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 – HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 – HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 – HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – HKCU\..\Run: [Lree] C:\Program Files\onsm\nara.exe
O4 – HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 – Global Startup: GetRight – Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 – Global Startup: Microsoft Office.lnk = D:\Office\Office10\OSA.EXE
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 – Extra button: eBay – Homepage – {EF79EAC5–3452–4E02–B8BD–BA4C89F1AC7A} – C:\Program Files\IrfanView\Ebay\Ebay.htm
O15 – Trusted Zone: www.allegro.pl
O15 – Trusted Zone: *.asdbiz.biz
O15 – Trusted Zone: www.betandwin.com
O15 – Trusted Zone: www.ebay.com
O15 – Trusted Zone: www.ebay.pl
O15 – Trusted Zone: www.gazeta.pl
O15 – Trusted Zone: www.interia.pl
O15 – Trusted Zone: www.mbank.pl
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: www.wislakrakow.com
O15 – Trusted Zone: *.www.wp.pl
O15 – Trusted Zone: *.asdbiz.biz (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted IP range: 67.19.178.84
O15 – Trusted IP range: 67.19.178.84 (HKLM)
O16 – DPF: {92ECE6FA–AC2E–4042–BFAE–0C8608E52A43} (SignActivX Control) – http://www.bph.pl/static/demo/demo_sezam/components/SignActivX.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{768271A9–4D2A–467E–A7F0–CE94975E5C60}: NameServer = 85.255.113.122,85.255.112.13
O23 – Service: ArcaBit NetMonitor (ABNetMon) – ArcaBit sp. z o.o. – C:\Program Files\MKS\Bin\NetMonSV.exe
O23 – Service: MkSUpdateInt – MkS Sp. z o. o. – C:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 – Service: MkS_Vir Monitor (MksVirMonSvc) – Unknown owner – C:\Program Files\MKS\Bin\mksmonsv.exe
O23 – Service: MkS_Scan – Unknown owner – C:\Program Files\MKS\Bin\mks_scan.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
I'll be incredibly grateful; anyone who helps me is guaranteed a beer, in the Kraków area...
and for those outside Kraków I can send the 3 złoty by post... ;)
ok, first piece of good news: the captions under the icons are transparent again (no longer coloured)
I ran a scan with that Buster thing. HSRemove also detected something.
The problem started with Pocket Killbox: I gave it the path to that sdkws32.exe, "delete on reboot", and then the program asks whether to restart now or later. The first time I chose "now" -> a message popped up along the lines of "PendingFileRenameOperations registry data has been renamed by external process" -> so it's masking itself again, I suppose :/ I repeated the process with the "reboot later" option and I think the little program finally deleted it?
I went into HJT -> Config etc. and typed in those funny characters -> it reported that there is no NT service with that name :/ where am I supposed to get the correct name from?
So I didn't get as far as safe mode to finish off the leftovers, because for now there's no point... uhhhh
To start, run scans with About:Buster and HSRemove; that's for this CWS trojan and its service.
Download Pocket Killbox, type into the field: C:\WINDOWS\sdkws32.exe, tick "on reboot" and restart the system.
Next open HJT, then Config, Misc Tools, Delete an NT service; in the box type those Chinese-looking characters, i.e.: 11F#`I, and restart the system as well. After the restart, switch to safe mode and finish off the leftovers.
In the registry, delete this SID: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E941EAD–53B9–55DF–E4FA–374FA8F16993}
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R3 – Default URLSearchHook is missing
O2 – BHO: Class – {BCB99081–0AC4–8206–BF74–BD55E631D60D} – C:\WINDOWS\crby32.dll
O4 – HKLM\..\Run: [mfcou.exe] C:\WINDOWS\system32\mfcou.exe
As for the background, the tips didn't help :/ unless I restart the computer, but that has to wait for now.
I fixed gg by installing an earlier version. Kazaa is still down; I hope everything will be fine as soon as possible, because I really can't afford to reinstall the system. Not now! (30 GB of backup :(
As for Mr Sheriff and the rest: I deleted all the entries you listed, including the files, except sdkws.exe -> that one keeps loading into the system and on top of that creates some extra ones with similar names. Deleting those didn't seem to help either, because I can see others being created in their place. I did it by, e.g., physically deleting the files first, then the entries themselves.
below you have everything that's needed:
hijacker log:
Logfile of HijackThis v1.99.1
Scan saved at 20:15:40, on 2005–09–27
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800–840\DSLMON.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\SONYER~1\MOBILE~1\DbgOut.exe
C:\Documents and Settings\malarz\Pulpit\pieronek\hijack\HijackThis.exe
C:\WINDOWS\system32\mfcou.exe
C:\WINDOWS\sdkws32.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – Default URLSearchHook is missing
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 – BHO: Class – {BCB99081–0AC4–8206–BF74–BD55E631D60D} – C:\WINDOWS\crby32.dll
O2 – BHO: NAV Helper – {BDF3E430–B101–42AD–A544–FADC6B084872} – C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 – HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 – HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 – HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 – HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 – HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 – HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 – HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" –atboottime
O4 – HKLM\..\Run: [mfcou.exe] C:\WINDOWS\system32\mfcou.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800–840\DSLMON.exe
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 – Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
O8 – Extra context menu item: &Tlumacz z LING... – http://www.ling.pl/ling/def–src.php4
O8 – Extra context menu item: Download with GetRight – C:\Program Files\GetRight\GRdownload.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 – Extra context menu item: Open with GetRight Browser – C:\Program Files\GetRight\GRbrowse.htm
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O12 – Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 – DPF: {4C39376E–FA9D–4349–BACC–D305C1750EF3} (EPUImageControl Class) – http://tools.ebayimg.com/eps/activex/EPUWALControl_v1–0–3–18.cab
O16 – DPF: {56336BCB–3D8A–11D6–A00B–0050DA18DE71} (RdxIE Class) – http://software–dl.real.com/124f14e5febcbd19ae17/netzip/RdxIE601.cab
O16 – DPF: {5F874A6F–8B34–433D–BA4B–47AC91C0567F} (MailCfg Control) – https://poczta.wp.pl/autoryzacja/mailcfg2.ocx
O17 – HKLM\System\CCS\Services\Tcpip\..\{60CB2FC7–C005–4F71–803A–04817DB26247}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: Network Security Service (NSS) ( 11F#`I) – Unknown owner – C:\WINDOWS\sdkws32.exe (file missing)
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Password Validation Service (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Creative Service for CDROM Access – Creative Technology Ltd – C:\WINDOWS\System32\CTsvcCDA.exe
O23 – Service: GhostStartService – Symantec Corporation – C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 – Service: Macromedia Licensing Service – Unknown owner – C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 – Service: Norton AntiVirus Auto Protect Service (navapsvc) – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 – Service: Norton Unerase Protection (NProtectService) – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 – Service: NVIDIA Driver Helper Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
O23 – Service: ScriptBlocking Service (SBService) – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Speed Disk service – Symantec Corporation – C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
–––––––––––––––––––––––––––––––––––––––––––––––––––––
SilentRunners
"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non–default values, except where indicated by "{++}"
Startup items buried in registry:
–––––––––––––––––––––––––––––––––
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" ["France Télécom R&D"]
"Disc Detector" = "C:\Program Files\Creative\ShareDLL\CtNotify.exe" ["Creative Technology Ltd."]
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = ""C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"" [empty string]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"GhostStartTrayApp" = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" –atboottime" ["Apple Computer, Inc."]
"mfcou.exe" = "C:\WINDOWS\system32\mfcou.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21–C1B6–4629–986C–E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F–C8D7–4D59–B87D–784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{BCB99081–0AC4–8206–BF74–BD55E631D60D}\(Default) = "Class" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\crby32.dll" [null data]
{BDF3E430–B101–42AD–A544–FADC6B084872}\(Default) = "NAV Helper"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{57C51AF9–DEF7–11D3–A801–00C04F163490}" = "Ghost Shell Extension"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"]
"{42042206–2D85–11D3–8CFF–005004838597}" = "Microsoft Office HTML Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{1CDB2949–8F65–4355–8456–263E7C208A5D}" = "Eksplorator pulpitów"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB–F9E5–4718–997B–B8DA88302A47}" = "Desktop Explorer Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{AB77609F–2178–4E6F–9C4B–44AC179D937A}" = "a Context Menu Shell Extension"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
Enabled Screen Saver:
–––––––––––––––––––––
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Enabled Wallpaper and Active Desktop:
–––––––––––––––––––––––––––––––––––––
Active Desktop is disabled.
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\malarz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Startup items in "malarz" & "All Users" startup folders:
––––––––––––––––––––––––––––––––––––––––––––––––––––––––
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" –> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800–840\DSLMON.exe /W" [empty string]
"Microsoft Office" –> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE –b –l" [MS]
"Microtek Scanner Finder" –> shortcut to: "C:\WINDOWS\twain_32\ScanWiz5\SDII.exe" [empty string]
Enabled Scheduled Tasks:
––––––––––––––––––––––––
"Norton AntiVirus – Scan my computer" –> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" –> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec NetDetect" –> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
–––––––––––––––––––––––––––––––
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 – 03, 06 – 16
%SystemRoot%\system32\rsvpsp.dll [MS], 04 – 05
Toolbars, Explorer Bars, Extensions:
––––––––––––––––––––––––––––––––––––
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6}"
–> {CLSID}\(Default) = "Norton AntiVirus"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6}"
–> {CLSID}\(Default) = "Norton AntiVirus"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0–4FCB–11CF–AAA5–00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0–4FCB–11CF–AAA5–00401C608501}"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
GhostStartService, GhostStartService, "C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE" ["Symantec Corporation"]
Network Security Service (NSS), 11F*#`I (unwritable string), "C:\WINDOWS\sdkws32.exe /s" [file not found]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, ""C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
––––––––––
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the –all parameter.
––––––––––
RegSrch:
REGEDIT4
; RegSrch.vbs Bill James
; Registry search results for string "sdkws32" 2005–09–27 20:08:18
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E941EAD–53B9–55DF–E4FA–374FA8F16993}\LocalServer32]
@="C:\\WINDOWS\\sdkws32.exe"
[HKEY_USERS\S–1–5–21–329068152–1580436667–1060284298–1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="sdkws32.exe"
[HKEY_USERS\S–1–5–21–329068152–1580436667–1060284298–1003\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="sdkws32.exe"
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" –atboottime
O4 – HKLM\..\Run: [mfcou.exe] C:\WINDOWS\system32\mfcou.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800–840\DSLMON.exe
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 – Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
O8 – Extra context menu item: &Tlumacz z LING... – http://www.ling.pl/ling/def–src.php4
O8 – Extra context menu item: Download with GetRight – C:\Program Files\GetRight\GRdownload.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 – Extra context menu item: Open with GetRight Browser – C:\Program Files\GetRight\GRbrowse.htm
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O12 – Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 – DPF: {4C39376E–FA9D–4349–BACC–D305C1750EF3} (EPUImageControl Class) – http://tools.ebayimg.com/eps/activex/EPUWALControl_v1–0–3–18.cab
O16 – DPF: {56336BCB–3D8A–11D6–A00B–0050DA18DE71} (RdxIE Class) – http://software–dl.real.com/124f14e5febcbd19ae17/netzip/RdxIE601.cab
O16 – DPF: {5F874A6F–8B34–433D–BA4B–47AC91C0567F} (MailCfg Control) – https://poczta.wp.pl/autoryzacja/mailcfg2.ocx
O17 – HKLM\System\CCS\Services\Tcpip\..\{60CB2FC7–C005–4F71–803A–04817DB26247}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: Network Security Service (NSS) ( 11F#`I) – Unknown owner – C:\WINDOWS\sdkws32.exe (file missing)
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Password Validation Service (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Creative Service for CDROM Access – Creative Technology Ltd – C:\WINDOWS\System32\CTsvcCDA.exe
O23 – Service: GhostStartService – Symantec Corporation – C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 – Service: Macromedia Licensing Service – Unknown owner – C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 – Service: Norton AntiVirus Auto Protect Service (navapsvc) – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 – Service: Norton Unerase Protection (NProtectService) – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 – Service: NVIDIA Driver Helper Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
O23 – Service: ScriptBlocking Service (SBService) – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Speed Disk service – Symantec Corporation – C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
–––––––––––––––––––––––––––––––––––––––––––––––––––––
SilentRunners
"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non–default values, except where indicated by "{++}"
Startup items buried in registry:
–––––––––––––––––––––––––––––––––
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" ["France Télécom R&D"]
"Disc Detector" = "C:\Program Files\Creative\ShareDLL\CtNotify.exe" ["Creative Technology Ltd."]
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = ""C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"" [empty string]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"GhostStartTrayApp" = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" –atboottime" ["Apple Computer, Inc."]
"mfcou.exe" = "C:\WINDOWS\system32\mfcou.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21–C1B6–4629–986C–E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F–C8D7–4D59–B87D–784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{BCB99081–0AC4–8206–BF74–BD55E631D60D}\(Default) = "Class" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\crby32.dll" [null data]
{BDF3E430–B101–42AD–A544–FADC6B084872}\(Default) = "NAV Helper"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{57C51AF9–DEF7–11D3–A801–00C04F163490}" = "Ghost Shell Extension"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"]
"{42042206–2D85–11D3–8CFF–005004838597}" = "Microsoft Office HTML Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{1CDB2949–8F65–4355–8456–263E7C208A5D}" = "Eksplorator pulpitów"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB–F9E5–4718–997B–B8DA88302A47}" = "Desktop Explorer Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{AB77609F–2178–4E6F–9C4B–44AC179D937A}" = "a Context Menu Shell Extension"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]
Enabled Screen Saver:
–––––––––––––––––––––
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Enabled Wallpaper and Active Desktop:
–––––––––––––––––––––––––––––––––––––
Active Desktop is disabled.
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\malarz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Startup items in "malarz" & "All Users" startup folders:
––––––––––––––––––––––––––––––––––––––––––––––––––––––––
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" –> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800–840\DSLMON.exe /W" [empty string]
"Microsoft Office" –> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE –b –l" [MS]
"Microtek Scanner Finder" –> shortcut to: "C:\WINDOWS\twain_32\ScanWiz5\SDII.exe" [empty string]
Enabled Scheduled Tasks:
––––––––––––––––––––––––
"Norton AntiVirus – Scan my computer" –> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" –> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec NetDetect" –> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
–––––––––––––––––––––––––––––––
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 – 03, 06 – 16
%SystemRoot%\system32\rsvpsp.dll [MS], 04 – 05
Toolbars, Explorer Bars, Extensions:
––––––––––––––––––––––––––––––––––––
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6}"
–> {CLSID}\(Default) = "Norton AntiVirus"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6}"
–> {CLSID}\(Default) = "Norton AntiVirus"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0–4FCB–11CF–AAA5–00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0–4FCB–11CF–AAA5–00401C608501}"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
GhostStartService, GhostStartService, "C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE" ["Symantec Corporation"]
Network Security Service (NSS), 11F*#`I (unwritable string), "C:\WINDOWS\sdkws32.exe /s" [file not found]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, ""C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
––––––––––
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the –all parameter.
––––––––––
RegSrch:
REGEDIT4
; RegSrch.vbs Bill James
; Registry search results for string "sdkws32" 2005–09–27 20:08:18
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E941EAD–53B9–55DF–E4FA–374FA8F16993}\LocalServer32]
@="C:\\WINDOWS\\sdkws32.exe"
[HKEY_USERS\S–1–5–21–329068152–1580436667–1060284298–1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="sdkws32.exe"
[HKEY_USERS\S–1–5–21–329068152–1580436667–1060284298–1003\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="sdkws32.exe"
Those entries are coming back and new ones are being created. You were supposed to delete all the entries I listed; I have bolded the files you need to delete manually from the disk.
– disable System Restore
– end these processes in Task Manager:
msak.exe
sdkws32.exe
Delete the entries and the bolded files.
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R3 – Default URLSearchHook is missing
O2 – BHO: Class – {D476537E–C0E5–C50A–B9A8–D1A270851827} – C:\WINDOWS\ipoe.dll
O2 – BHO: Class – {E0C6A56C–057F–10A8–CCCE–E08536783965} – C:\WINDOWS\system32\atlkc.dll
O4 – HKLM\..\Run: [winrj.exe] C:\WINDOWS\winrj.exe
O4 – HKLM\..\Run: [msak.exe] C:\WINDOWS\msak.exe
O23 – Service: Network Security Service (NSS) ( 11F#`I) – Unknown owner – C:\WINDOWS\sdkws32.exe
Open regedit, go to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and delete the values NoActiveDesktop and ClassicShell in the right-hand pane.
If the desktop doesn't get better, do the same trick again, only with HKEY_LOCAL_MACHINE at the start of the key.
I want two more things:
– definitely a log from the Silent Runners script; I suspect there is a hundred percent some regenerator in there.
– download RegSrch, run the script and search for the word sdkws32. Attach the scan results to your post.
Download both files via Save Target As...
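The helper's point above (entries deleted from the log come back under freshly generated names, so a regenerator must still be running) can be checked mechanically by comparing two HijackThis logs slot by slot. The script below is an added example for this thread; it is not part of HijackThis or of any post here. The sample lines are copied from the two logs pasted in the thread (the thread's copy renders hyphens as en dashes, which parse() normalises before matching), and the triage heuristics are the author's own: a legitimate vendor entry such as C:\WINDOWS\UpdReg.EXE from the same log will also trip the Windows-directory check, so treat the output as a prioritised list to look at, not a verdict.

```python
"""Triage HijackThis log lines and show which entries came back under new names.
Added example for this thread, not part of HijackThis. Sample lines are copied from
the thread's logs; the heuristics in flags() are the example author's own."""
import re
from dataclasses import dataclass

DASHES = re.compile("[\u2013\u2014]")                               # en/em dash -> "-"
LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.+)$")
RUNVAL = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
WINROOT_EXE = re.compile(r"(?i)^c:\\windows\\[^\\]+\.exe(\s|$)")  # C:\WINDOWS\x.exe, no subfolder

@dataclass(frozen=True)
class Entry:
    kind: str        # HijackThis section: R1, O2, O4, O23 ...
    slot: str        # where the entry lives, ignoring the (often random) file name
    target: str      # path or URL the entry points at
    note: str = ""   # BHO name (O2), Run value name (O4) or service owner (O23)

def parse(line):
    """Turn one HijackThis line into an Entry; returns None for non-entry lines."""
    m = LINE.match(DASHES.sub("-", line.strip()))
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    if kind.startswith("R"):                      # HKCU\...\Main,Search Bar = res://...
        key, _, target = rest.partition(" = ")
        return Entry(kind, key, target)
    if kind == "O2":                              # BHO: Name - {CLSID} - path
        name, _, tail = rest.partition(" - ")
        _clsid, _, path = tail.partition(" - ")
        return Entry(kind, "BHO", path, name.removeprefix("BHO: "))
    if kind == "O4":                              # HKLM\..\Run: [Name] command
        rv = RUNVAL.match(rest)
        if rv:
            return Entry(kind, rv["hive"], rv["cmd"], rv["name"])
        where, _, path = rest.partition(" = ")    # Global Startup: x.lnk = path
        return Entry(kind, where, path)
    if kind == "O23":                             # Service: Name - Owner - path
        parts = rest.rsplit(" - ", 2)
        if len(parts) == 3:
            name, owner, path = parts
            missing = path.endswith(" (file missing)")
            return Entry(kind, name.removeprefix("Service: "), path.removesuffix(" (file missing)"),
                         owner + ("; file missing" if missing else ""))
    return Entry(kind, rest, "")

def flags(e):
    """Reasons an entry deserves a second look; an empty list means it looks ordinary."""
    t, why = e.target, []
    if e.kind.startswith("R") and t.lower().startswith("res://") and ".dll/" in t.lower():
        why.append("IE search/start page redirected into a local DLL resource")
    if e.kind == "O2" and e.note in ("Class", "(no name)"):
        why.append("BHO registered without a descriptive name")
    if e.kind in ("O4", "O23") and WINROOT_EXE.match(t):
        why.append("executable placed directly in the Windows directory")
    if e.kind == "O23" and "unknown owner" in e.note.lower() and "\\program files\\" not in t.lower():
        why.append("service with no registered owner outside Program Files")
    if "file missing" in e.note.lower():
        why.append("entry points at a file that is no longer on disk")
    return why

def triage(text):
    """(kind, target, reasons) for every entry in a log that trips at least one heuristic."""
    return [(e.kind, e.target, flags(e))
            for e in filter(None, map(parse, text.splitlines())) if flags(e)]

def regenerated(old_text, new_text):
    """Per slot: targets that vanished since the old log and the ones that took their place."""
    def by_slot(text):
        groups = {}
        for e in filter(None, map(parse, text.splitlines())):
            groups.setdefault((e.kind, e.slot), set()).add(e.target.lower())
        return groups
    old, new = by_slot(old_text), by_slot(new_text)
    return {k: (sorted(old[k] - new[k]), sorted(new[k] - old[k]))
            for k in old.keys() & new.keys() if old[k] - new[k] and new[k] - old[k]}

# Copied from the first and the later log in the thread (hyphens instead of en dashes).
OLD_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vuzmj.dll/sp.html#36663
O2 - BHO: Class - {BCB99081-0AC4-8206-BF74-BD55E631D60D} - C:\WINDOWS\crby32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mfcou.exe] C:\WINDOWS\system32\mfcou.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\sdkws32.exe (file missing)"""
NEW_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D476537E-C0E5-C50A-B9A8-D1A270851827} - C:\WINDOWS\ipoe.dll
O2 - BHO: Class - {E0C6A56C-057F-10A8-CCCE-E08536783965} - C:\WINDOWS\system32\atlkc.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winrj.exe] C:\WINDOWS\winrj.exe
O4 - HKLM\..\Run: [msak.exe] C:\WINDOWS\msak.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\sdkws32.exe"""

if __name__ == "__main__":
    for kind, target, why in triage(NEW_LOG):
        print(f"{kind:<4}{target}\n     {'; '.join(why)}")
    for (kind, slot), (gone, fresh) in regenerated(OLD_LOG, NEW_LOG).items():
        print(f"{kind} {slot}: {gone} -> {fresh}")
```

regenerated() reports three slots for these two logs: the IE Search Bar value moved from vuzmj.dll to qmarj.dll, the unnamed BHO crby32.dll was replaced by ipoe.dll and atlkc.dll, and the Run value mfcou.exe gave way to winrj.exe and msak.exe, while the NSS service kept its file name and merely got its binary re-dropped. Same slots, new random names, is exactly the "regenerator" pattern the helper is asking Silent Runners to confirm; the next step is to look for whatever is still running or scheduled, not to keep deleting the leaves.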
Coming back to the registry subject: I understand I'm supposed to delete the bolded entries :) I'm looking at trmfo.dll, for example; there are loads of them, so why only the first one :/ Second thing: the entries I deleted are coming back :(( Below is my current log:
Logfile of HijackThis v1.99.1
Scan saved at 19:05:39, on 2005–09–27
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sdkws32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800–840\DSLMON.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Documents and Settings\malarz\Pulpit\pieronek\hijack\HijackThis.exe
C:\PROGRA~1\SONYER~1\MOBILE~1\DbgOut.exe
C:\WINDOWS\msak.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qmarj.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – Default URLSearchHook is missing
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 – BHO: NAV Helper – {BDF3E430–B101–42AD–A544–FADC6B084872} – C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 – BHO: Class – {D476537E–C0E5–C50A–B9A8–D1A270851827} – C:\WINDOWS\ipoe.dll
O2 – BHO: Class – {E0C6A56C–057F–10A8–CCCE–E08536783965} – C:\WINDOWS\system32\atlkc.dll
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 – HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 – HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 – HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 – HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 – HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 – HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 – HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" –atboottime
O4 – HKLM\..\Run: [winrj.exe] C:\WINDOWS\winrj.exe
O4 – HKLM\..\Run: [msak.exe] C:\WINDOWS\msak.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800–840\DSLMON.exe
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 – Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
O8 – Extra context menu item: &Tlumacz z LING... – http://www.ling.pl/ling/def–src.php4
O8 – Extra context menu item: Download with GetRight – C:\Program Files\GetRight\GRdownload.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 – Extra context menu item: Open with GetRight Browser – C:\Program Files\GetRight\GRbrowse.htm
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O12 – Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 – DPF: {4C39376E–FA9D–4349–BACC–D305C1750EF3} (EPUImageControl Class) – http://tools.ebayimg.com/eps/activex/EPUWALControl_v1–0–3–18.cab
O16 – DPF: {56336BCB–3D8A–11D6–A00B–0050DA18DE71} (RdxIE Class) – http://software–dl.real.com/124f14e5febcbd19ae17/netzip/RdxIE601.cab
O16 – DPF: {5F874A6F–8B34–433D–BA4B–47AC91C0567F} (MailCfg Control) – https://poczta.wp.pl/autoryzacja/mailcfg2.ocx
O17 – HKLM\System\CCS\Services\Tcpip\..\{60CB2FC7–C005–4F71–803A–04817DB26247}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: Network Security Service (NSS) ( 11F#`I) – Unknown owner – C:\WINDOWS\sdkws32.exe
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Password Validation Service (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Creative Service for CDROM Access – Creative Technology Ltd – C:\WINDOWS\System32\CTsvcCDA.exe
O23 – Service: GhostStartService – Symantec Corporation – C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 – Service: Macromedia Licensing Service – Unknown owner – C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 – Service: Norton AntiVirus Auto Protect Service (navapsvc) – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 – Service: Norton Unerase Protection (NProtectService) – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 – Service: NVIDIA Driver Helper Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
O23 – Service: ScriptBlocking Service (SBService) – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Speed Disk service – Symantec Corporation – C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
As for what you asked for, I think it's this:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:0000005f
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
Regards!
malarz: how do I make the background under the icons transparent instead of some colour?
http://forum.centrumxp.pl/viewtopic.php?t=34968
My second post, point 4.
In Run, type: regedit /e policies.txt HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
A text file will be created in your profile directory; I would like to see its contents.
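The export the helper asks for here (and the one the user already pasted above, together with the RegSrch results earlier in the thread) is plain regedit text, so it can be parsed and the Explorer policy values judged without clicking through regedit. The script below is an added example for this thread, not part of the helper's instructions, of regedit or of RegSrch. EXPORT_FROM_THREAD and REGSRCH_FROM_THREAD are copied from the posts above; LOCKED is a constructed sample showing what the export looks like when the policies really are switched on. The list of policy names and the AutoRun drive-type bits are assumptions of the example based on the documented meaning of those well-known values.

```python
"""Parse a regedit export (regedit /e or RegSrch output) and report Explorer policies.
Added example for this thread; KNOWN and AUTORUN_BITS are the example author's
reading of the documented policy values, not something the thread states."""
import re

KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<data>.*)$')

# Explorer policy values that lock parts of the shell when set to a non-zero DWORD.
KNOWN = {
    "NoActiveDesktop": "Active Desktop disabled",
    "ClassicShell": "classic shell forced; Active Desktop and web view unavailable",
    "NoDesktop": "all desktop icons hidden",
    "NoRun": "Run removed from the Start menu",
}
# NoDriveTypeAutoRun is a bitmask over drive types (bit set = AutoRun blocked there).
AUTORUN_BITS = {0x01: "unknown", 0x02: "no root dir", 0x04: "removable", 0x08: "fixed",
                0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk"}

def decode(data):
    """Decode a .reg payload: dword:hex -> int, "text" -> str, anything else left as-is."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data

def parse_reg(text):
    """{key path: {value name: decoded data}}; a key's default value is stored under "@".
    Header lines (REGEDIT4 / Windows Registry Editor ...) match neither pattern and are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # RegSrch writes its notes as comments
            continue
        km = KEY.match(line)
        if km:
            current = keys.setdefault(km["key"], {})
            continue
        vm = VALUE.match(line)
        if vm and current is not None:
            current[vm["name"] or "@"] = decode(vm["data"])
    return keys

def enforced(policies):
    """(name, value, meaning) for the policy values that are actually switched on.
    A value that exists but is 0, like NoActiveDesktop in the thread's export, enforces nothing."""
    out = []
    for name, value in policies.items():
        if not isinstance(value, int):
            continue
        if name == "NoDriveTypeAutoRun" and value:
            blocked = [label for bit, label in AUTORUN_BITS.items() if value & bit]
            out.append((name, value, "AutoRun blocked on: " + ", ".join(blocked)))
        elif name in KNOWN and value != 0:
            out.append((name, value, KNOWN[name]))
    return out

EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Copied from the user's post above.
EXPORT_FROM_THREAD = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:0000005f
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000"""

# Copied from the RegSrch results above (GUID hyphens restored).
REGSRCH_FROM_THREAD = r"""REGEDIT4
; RegSrch.vbs Bill James
; Registry search results for string "sdkws32" 2005-09-27 20:08:18
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E941EAD-53B9-55DF-E4FA-374FA8F16993}\LocalServer32]
@="C:\\WINDOWS\\sdkws32.exe"
"""

# Constructed sample: what the same export looks like on a desktop locked by these policies.
LOCKED = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=dword:00000001
"ClassicShell"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091"""

if __name__ == "__main__":
    for label, text in (("thread export", EXPORT_FROM_THREAD), ("locked sample", LOCKED)):
        print(label)
        for name, value, meaning in enforced(parse_reg(text)[EXPLORER]):
            print(f"  {name} = 0x{value:x}: {meaning}")
    for key, values in parse_reg(REGSRCH_FROM_THREAD).items():
        print(key, values)
```

Run against the user's export the only thing in force is NoDriveTypeAutoRun = 0x5f (AutoRun blocked on every drive type except CD-ROM); NoActiveDesktop and ClassicShell are present but zero, so they are not what is breaking the desktop. When reading a real policies.txt produced by regedit /e, open it with encoding="utf-16", because the "Version 5.00" format is written as Unicode text.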
Thanks for the quick response. I'll see what happens after the additional changes. The only thing that worries me is why Kazaa and GG don't work for me; reinstalling doesn't help. I already had this problem on my previous computer, but I'm not going to reinstall the system just because of that :O PS. I managed with the wallpaper, I think :) One small detail: how do I make the background under the icons transparent instead of some colour?