A virus is wearing me out ;)

GATEKEEPER 10 May 2005 15:47 2045 6
  • #1
    GATEKEEPER
    Level 2  
    Hello.
    For some time now I have noticed that my computer has been running slower and slower, and dozens of exe files with strange names, always 0 KB in size, keep appearing in the windows and system32 directories, e.g. addad.exe, addck32.exe and lots of others. Besides that, before I installed Firefox an about:blank window kept popping up; I know this about:blank virus has already been discussed a lot on the forum, but despite deleting the registry entries they keep getting written back, even if I turn off System Restore. From time to time the mks_vir 2005 monitor spots one of these exe files and deletes it, but only single ones, and only when I launched or closed IE or when I opened or closed My Computer.
    Please help, I have no strength left to fight this thing. Here is my log:
    Logfile of HijackThis v1.99.1
    Scan saved at 15:25:10, on 2005-05-10
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)



    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    G:\mks\Bin\NetMonSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    G:\mks\Bin\mksmonsv.exe
    E:\nav\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    E:\nav\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    G:\vdrive\vdtask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    G:\winamp5.04 strata\Winamp\winampa.exe
    G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    G:\mks\Bin\mks_menu.exe
    G:\mks\Bin\ABregmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    G:\mks\Bin\mks_scan.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    G:\Mozilla\firefox.exe
    G:\adobe\Reader\AcroRd32.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\rundll32.exe
    G:\HijackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default.asp?productid=NSW2003&langid=ie&venid=sym
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.202.254:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {5F01EA97-8CAF-C431-C7E3-98529F1ECE5B} - C:\WINDOWS\system32\netmc.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\nav\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\nav\NavShExt.dll
    O4 - HKLM\..\Run: [VirtualDrive] G:\vdrive\vdtask.exe /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] G:\winamp5.04 strata\Winamp\winampa.exe
    O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
    O4 - HKLM\..\Run: [CorelDRAW ESSENTIALS14] C:\Program Files\Corel\CorelDRAW ESSENTIALS 2\Register\Registration.exe /title="CorelDRAW ESSENTIALS" /date=010505 serial=ES02WBD-0090061-FBU
    O4 - HKLM\..\Run: [FineReader7NewsReaderPro] G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [MKS_MENU] G:\mks\Bin\mks_menu.exe
    O4 - HKLM\..\Run: [ABREGMON] G:\mks\Bin\ABregmon.exe
    O4 - HKLM\..\Run: [ntah32.exe] C:\WINDOWS\ntah32.exe
    O4 - HKCU\..\Run: [a-squared] "g:\antytrojan\a2guard.exe"
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Office2000\Office\OSA9.EXE
    O8 - Extra context menu item: Download All by FlashGet - G:\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://G:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O12 - Plugin for .com: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .exe: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .rar: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .zip: G:\opera\PLUGINS\NPFgc1.dll
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://defender.veloz.com/pub/download/oo_t4c...odlz_download%26oo_index&ver=online&n=d_oodlz
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://www.mir3europe.com/nProtect/nPKeyCrypt/npkcx.cab
    O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CEFD6333-DE8B-49B3-A90E-92074AB04A28}: NameServer = 62.244.133.4
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslj.exe (file missing)
    O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - G:\mks\Bin\NetMonSV.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - G:\mks\bin\MkSUpdateInt.exe
    O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - G:\mks\Bin\mksmonsv.exe
    O23 - Service: MkS_Scan - Unknown owner - G:\mks\Bin\mks_scan.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\nav\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - E:\nav\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • #2
    Pavel81
    Level 17  
    Hi. To start with, go to www.mks.com.pl, there is an online scanner there. Scan the whole machine with that scanner. Secondly, clean the registry and unnecessary files with Easy Cleaner. If that doesn't help, we'll think further :). Regards
  • #3
    Krzycho2612
    Level 16  
    I suggest wiping the system and reinstalling from scratch
  • Helpful post
    #4
    aren
    Level 28  
    krzycho2612, with all due respect, advice like that his grandma could give him. We are here to help fix the fault or the device, not to format and buy new stuff because something broke.

    First of all, you are missing SP1 and SP2, which is why you pick up so many bugs. As for the log, go here http://www.hijackthis.de/logfiles/f49dd7424fe4875264db364896e3b03f.html and remove everything marked in red. Then run Ad-Aware, SpyBot and some antivirus. Let us know the results.
  • Helpful post
    #5
    Kolobos
    IT specialist
    First use these:
    http://www.trojaner-info.de/files/SpSeHjfix112.exe
    http://www.malwarebytes.biz/AboutBuster.zip

    Uninstall:
    StopSignStatus

    Then tick these entries in HijackThis:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default.asp?productid=NSW2003&langid=ie&venid=sym
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {5F01EA97-8CAF-C431-C7E3-98529F1ECE5B} - C:\WINDOWS\system32\netmc.dll
    O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [ntah32.exe] C:\WINDOWS\ntah32.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://defender.veloz.com/pub/download/oo_t4c...odlz_download%26oo_index&ver=online&n=d_oodlz
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://www.mir3europe.com/nProtect/nPKeyCrypt/npkcx.cab
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslj.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


    Download:
    http://www.downloads.subratam.org/KillBox.zip
    tick "delete on reboot" and use it to delete these files:

    C:\WINDOWS\ntah32.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\WINDOWS\system32\netmc.dll
    C:\WINDOWS\system32\wgqpi.dll

    Best to do all of them in one go, without rebooting. Only once you have added them all, reboot and paste a new HijackThis log.
  • #6
    GATEKEEPER
    Level 2  
    Hi. I did what you advised, except for the format ;). After deleting those dll files, that "search assistant" rubbish stopped being written back to the registry, but it is still sitting there; anyway, I am attaching the log. As for those hundreds of strange 0-size exe files in windows and system32, I noticed something: every so often mks detected an entry for one of those files being added to the registry. I checked it, and the file in question changed its size to 34 KB and was automatically launched as a running process. I packed such a 34 KB file with RAR; if anyone wants to take a look at it I can send it, but only at their own risk ;). Regards.
    Here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 02:17:24, on 2005-05-12
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    G:\mks\Bin\NetMonSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    G:\mks\Bin\mksmonsv.exe
    G:\vdrive\vdtask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    E:\nav\navapsvc.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    G:\winamp5.04 strata\Winamp\winampa.exe
    G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    G:\mks\Bin\mks_menu.exe
    G:\mks\Bin\ABregmon.exe
    G:\antytrojan\a2guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    E:\nav\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    G:\mks\Bin\mks_scan.exe
    G:\HijackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default.asp?productid=NSW2003&langid=ie&venid=sym
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.202.254:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {5F01EA97-8CAF-C431-C7E3-98529F1ECE5B} - C:\WINDOWS\system32\netmc.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\nav\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\nav\NavShExt.dll
    O4 - HKLM\..\Run: [VirtualDrive] G:\vdrive\vdtask.exe /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] G:\winamp5.04 strata\Winamp\winampa.exe
    O4 - HKLM\..\Run: [CorelDRAW ESSENTIALS14] C:\Program Files\Corel\CorelDRAW ESSENTIALS 2\Register\Registration.exe /title="CorelDRAW ESSENTIALS" /date=010505 serial=ES02WBD-0090061-FBU
    O4 - HKLM\..\Run: [FineReader7NewsReaderPro] G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [MKS_MENU] G:\mks\Bin\mks_menu.exe
    O4 - HKLM\..\Run: [ABREGMON] G:\mks\Bin\ABregmon.exe
    O4 - HKLM\..\Run: [addbh32.exe] C:\WINDOWS\system32\addbh32.exe
    O4 - HKLM\..\Run: [addao.exe] C:\WINDOWS\system32\addao.exe
    O4 - HKCU\..\Run: [a-squared] "g:\antytrojan\a2guard.exe"
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Office2000\Office\OSA9.EXE
    O8 - Extra context menu item: Download All by FlashGet - G:\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://G:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O12 - Plugin for .com: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .exe: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .rar: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .zip: G:\opera\PLUGINS\NPFgc1.dll
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://defender.veloz.com/pub/download/oo_t4c...odlz_download%26oo_index&ver=online&n=d_oodlz
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://www.mir3europe.com/nProtect/nPKeyCrypt/npkcx.cab
    O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CEFD6333-DE8B-49B3-A90E-92074AB04A28}: NameServer = 62.244.133.4
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslj.exe (file missing)
    O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - G:\mks\Bin\NetMonSV.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - G:\mks\bin\MkSUpdateInt.exe
    O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - G:\mks\Bin\mksmonsv.exe
    O23 - Service: MkS_Scan - Unknown owner - G:\mks\Bin\mks_scan.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\nav\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - E:\nav\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Added after 11 [minutes]:

    Oops, I pasted the wrong log; this one is current. Everything is starting to look better and better with your help :). I still do not know what to do with all those exe files.

    Here is the log:
    Logfile of HijackThis v1.99.1
    Scan saved at 02:36:52, on 2005-05-12
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    G:\mks\Bin\NetMonSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    G:\mks\Bin\mksmonsv.exe
    G:\vdrive\vdtask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    E:\nav\navapsvc.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    G:\winamp5.04 strata\Winamp\winampa.exe
    G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    G:\mks\Bin\mks_menu.exe
    G:\mks\Bin\ABregmon.exe
    G:\antytrojan\a2guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    E:\nav\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    G:\mks\Bin\mks_scan.exe
    G:\HijackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default.asp?productid=NSW2003&langid=ie&venid=sym
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.202.254:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\nav\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\nav\NavShExt.dll
    O4 - HKLM\..\Run: [VirtualDrive] G:\vdrive\vdtask.exe /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] G:\winamp5.04 strata\Winamp\winampa.exe
    O4 - HKLM\..\Run: [CorelDRAW ESSENTIALS14] C:\Program Files\Corel\CorelDRAW ESSENTIALS 2\Register\Registration.exe /title="CorelDRAW ESSENTIALS" /date=010505 serial=ES02WBD-0090061-FBU
    O4 - HKLM\..\Run: [FineReader7NewsReaderPro] G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    O4 - HKLM\..\Run: [MKS_MENU] G:\mks\Bin\mks_menu.exe
    O4 - HKLM\..\Run: [ABREGMON] G:\mks\Bin\ABregmon.exe
    O4 - HKCU\..\Run: [a-squared] "g:\antytrojan\a2guard.exe"
    O4 - Global Startup: Microsoft Office.lnk = G:\Office2000\Office\OSA9.EXE
    O8 - Extra context menu item: Download All by FlashGet - G:\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://G:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O12 - Plugin for .com: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .exe: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .rar: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .zip: G:\opera\PLUGINS\NPFgc1.dll
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://defender.veloz.com/pub/download/oo_t4c...odlz_download%26oo_index&ver=online&n=d_oodlz
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CEFD6333-DE8B-49B3-A90E-92074AB04A28}: NameServer = 62.244.133.4
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslj.exe (file missing)
    O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - G:\mks\Bin\NetMonSV.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - G:\mks\bin\MkSUpdateInt.exe
    O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - G:\mks\Bin\mksmonsv.exe
    O23 - Service: MkS_Scan - Unknown owner - G:\mks\Bin\mks_scan.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\nav\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - E:\nav\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
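    The entries Kolobos picked out in #5 and the addbh32.exe / addao.exe Run entries in the log above follow a handful of patterns that can be checked mechanically rather than by eye. The script below is an added example for this thread; it is not something posted here and is not part of HijackThis, mks_vir or any other tool named in the thread. It encodes the checks the helpers applied by hand (IE start/search settings pointing into a res:// resource inside a DLL under system32 or set to about:blank, a missing default URLSearchHook, a BHO with no product name, Run entries and services whose binary lives under C:\WINDOWS and is not a known Windows file, services whose file is missing or whose name is not printable ASCII). The allow-list of known Windows binaries is an assumption made for the example, not an inventory of Windows XP; the sample lines are copied from the logs posted in this thread, with a couple of clean entries to show they are not flagged.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not HJT code).

Flags the patterns the helpers in the thread checked by hand:
  R0/R1  IE page/search setting pointing into a res:// resource inside a DLL
         under system32, or set to about:blank (the CWS symptom in the thread);
  R3     default URLSearchHook reported missing;
  O2     BHO with no product name ("Class") or whose DLL sits under C:\\WINDOWS;
  O4     Run entry whose executable lives under C:\\WINDOWS (ntah32.exe,
         addbh32.exe, nsvsvc.exe ...) and is not an allow-listed Windows file;
  O23    service whose file is "(file missing)", whose binary is an unknown
         file under C:\\WINDOWS, or whose name is not printable ASCII.
"""
import re
from dataclasses import dataclass

# Assumption for this example: files that legitimately live under C:\WINDOWS
# and appear in O4/O23 lines of the thread's logs. Not a Windows XP inventory.
KNOWN_SYSTEM_BINARIES = {
    "rundll32.exe", "wuauclt.exe", "nvsvc32.exe", "npkcsvc.exe", "vcdplayx.exe",
}

_WIN_DIR = re.compile(r"^[A-Z]:\\WINDOWS\\(?P<rest>.+)$", re.IGNORECASE)
_RES_DLL = re.compile(r"^res://[A-Z]:\\WINDOWS\\system32\\[^/\\]+\.dll/", re.IGNORECASE)
_ANY_PATH = re.compile(r'(?P<path>[A-Z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)
_R = re.compile(r"^R[01] - (?P<key>.+?) = ?(?P<value>.*)$")
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.IGNORECASE)
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
MISSING = " (file missing)"


@dataclass
class Finding:
    kind: str      # HJT section prefix, e.g. "R1", "O4", "O23"
    reasons: list  # why the line deserves a look
    line: str      # the original log line


def _unknown_windows_file(path: str) -> bool:
    """True if path is under C:\\WINDOWS (any drive letter) and its file name is
    not allow-listed; every hijacker file named in the thread lives there."""
    m = _WIN_DIR.match(path.strip())
    if not m:
        return False
    return m.group("rest").rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM_BINARIES


def check_line(line: str) -> list:
    """Return the reasons one HJT log line should be reviewed (empty if none)."""
    line = line.strip()
    kind = line.split(" - ", 1)[0]
    reasons = []
    if kind in ("R0", "R1") and (m := _R.match(line)):
        value = m.group("value").strip()
        if _RES_DLL.match(value):
            reasons.append("IE setting points into a DLL resource under system32")
        elif value.lower() == "about:blank":
            reasons.append("IE page set to about:blank")
    elif line.startswith("R3 - Default URLSearchHook is missing"):
        reasons.append("default URLSearchHook removed")
    elif kind == "O2" and (m := _O2.match(line)):
        if m.group("name").strip() in ("Class", "(no name)"):
            reasons.append("BHO without a product name")
        if _unknown_windows_file(m.group("path").replace(MISSING, "")):
            reasons.append("BHO DLL installed under C:\\WINDOWS")
    elif kind == "O4" and (m := _ANY_PATH.search(line.split("] ", 1)[-1])):
        if _unknown_windows_file(m.group("path")):
            reasons.append("autorun executable under C:\\WINDOWS")
    elif kind == "O23" and (m := _O23.match(line)):
        if m.group("path").endswith(MISSING):
            reasons.append("service binary missing on disk")
        if not m.group("name").isascii():
            reasons.append("service name contains non-ASCII characters")
        if _unknown_windows_file(m.group("path").replace(MISSING, "")):
            reasons.append("service binary is an unknown file under C:\\WINDOWS")
    return reasons


def triage(log_text: str) -> list:
    """Run check_line over a whole log and collect the flagged entries."""
    return [Finding(l.strip().split(" - ", 1)[0], r, l.strip())
            for l in log_text.splitlines() if (r := check_line(l))]


# Sample lines copied from the logs posted in the thread, plus clean entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5F01EA97-8CAF-C431-C7E3-98529F1ECE5B} - C:\WINDOWS\system32\netmc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\nav\NavShExt.dll
O4 - HKLM\..\Run: [ntah32.exe] C:\WINDOWS\ntah32.exe
O4 - HKLM\..\Run: [addbh32.exe] C:\WINDOWS\system32\addbh32.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [MKS_MENU] G:\mks\Bin\mks_menu.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslj.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {'; '.join(f.reasons)}\n     {f.line}")
```

    Run it as-is to see the eight flagged lines from the sample, or pipe a full HijackThis log into triage(). The allow-list is what keeps vcdplayx.exe (the VirtualDrive player that also sits in C:\WINDOWS) from being reported; anything else that launches from the Windows directory is reported for a human to decide on, which matches how Kolobos handled ntah32.exe and nsvsvc.exe. The script deliberately only reports; it does not delete files or edit the registry.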
  • #7
    Kolobos
    IT specialist
    You have a description of removing the start page here:
    http://www.searchengines.pl/phpbb203/index.php?showtopic=14185&st=50&#entry87957
    I see it is already gone, but there are leftovers from it in the log, so read the whole thing and do what is described there :-)

    As for the strange files, they are also from this CWS; you can delete them, but first scan the system with these:
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.windowsecurity.com/trojanscan/
    http://www.pandasoftware.com/activescan/pol/activescan_principal.htm
    In addition:
    http://www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D -> scan and enable browser protection
    http://www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster -> enable browser protection
    http://www.wilderssecurity.net/spywareguard.html <- SpywareGuard