A virus is wearing me out ;)

GATEKEEPER 10 May 2005 15:47 1742 6
  • #1 10 May 2005 15:47
    GATEKEEPER
    Level 2

    Hello.
    For some time now I have noticed that my computer has started running slower and slower, and in the windows and system32 directories dozens of exe files with strange names keep appearing, always 0 KB in size, e.g. addad.exe, addck32.exe and lots of others. Besides that, before I installed Firefox an about:blank window kept popping up; I know this about:blank virus has already been discussed a lot on the forum, but despite deleting the registry entries they keep being re-added, even if I turn off System Restore. From time to time the mks_vir 2005 monitor spots one of these exe files on my machine and deletes it, but only single ones, and only when I launched or closed IE or when I went into and out of My Computer.
    Please help, because I have no strength left to fight this thing. Here is my log:
    Logfile of HijackThis v1.99.1
    Scan saved at 15:25:10, on 2005-05-10
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    G:\mks\Bin\NetMonSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    G:\mks\Bin\mksmonsv.exe
    E:\nav\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    E:\nav\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    G:\vdrive\vdtask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    G:\winamp5.04 strata\Winamp\winampa.exe
    G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    G:\mks\Bin\mks_menu.exe
    G:\mks\Bin\ABregmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    G:\mks\Bin\mks_scan.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    G:\Mozilla\firefox.exe
    G:\adobe\Reader\AcroRd32.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\rundll32.exe
    G:\HijackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default.asp?productid=NSW2003&langid=ie&venid=sym
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.202.254:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {5F01EA97-8CAF-C431-C7E3-98529F1ECE5B} - C:\WINDOWS\system32\netmc.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\nav\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\nav\NavShExt.dll
    O4 - HKLM\..\Run: [VirtualDrive] G:\vdrive\vdtask.exe /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] G:\winamp5.04 strata\Winamp\winampa.exe
    O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
    O4 - HKLM\..\Run: [CorelDRAW ESSENTIALS14] C:\Program Files\Corel\CorelDRAW ESSENTIALS 2\Register\Registration.exe /title="CorelDRAW ESSENTIALS" /date=010505 serial=ES02WBD-0090061-FBU
    O4 - HKLM\..\Run: [FineReader7NewsReaderPro] G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [MKS_MENU] G:\mks\Bin\mks_menu.exe
    O4 - HKLM\..\Run: [ABREGMON] G:\mks\Bin\ABregmon.exe
    O4 - HKLM\..\Run: [ntah32.exe] C:\WINDOWS\ntah32.exe
    O4 - HKCU\..\Run: [a-squared] "g:\antytrojan\a2guard.exe"
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Office2000\Office\OSA9.EXE
    O8 - Extra context menu item: Download All by FlashGet - G:\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://G:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O12 - Plugin for .com: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .exe: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .rar: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .zip: G:\opera\PLUGINS\NPFgc1.dll
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://defender.veloz.com/pub/download/oo_t4c...odlz_download%26oo_index&ver=online&n=d_oodlz
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://www.mir3europe.com/nProtect/nPKeyCrypt/npkcx.cab
    O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CEFD6333-DE8B-49B3-A90E-92074AB04A28}: NameServer = 62.244.133.4
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslj.exe (file missing)
    O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - G:\mks\Bin\NetMonSV.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - G:\mks\bin\MkSUpdateInt.exe
    O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - G:\mks\Bin\mksmonsv.exe
    O23 - Service: MkS_Scan - Unknown owner - G:\mks\Bin\mks_scan.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\nav\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - E:\nav\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    0 6
  • #2 10 May 2005 16:38
    Pavel81
    Level 17

    Hi. To start, go to www.mks.com.pl, where there is an online scanner. Scan the whole machine with that scanner. Secondly, clean the registry and unnecessary files with the Easy Cleaner program. If that doesn't help, we'll think further :). Regards

    0
  • #3 10 May 2005 16:54
    Krzycho2612
    Level 16

    I suggest wiping the system and reinstalling from scratch.

    0
  • Helpful post
    #4 10 May 2005 18:20
    aren
    Level 28

    krzycho2612, with all due respect, advice like that his grandmother could give him. We are here to help fix the fault or the device, not to format and buy new stuff because something broke.

    First of all, you are missing SP1 and SP2, which is why you catch so many bugs. As for the log, go here http://www.hijackthis.de/logfiles/f49dd7424fe4875264db364896e3b03f.html and remove everything marked in red. Then run Ad-Aware, Spybot and some antivirus. Let us know about the results.

    0
  • Helpful post
    #5 11 May 2005 04:47
    Kolobos
    Computer specialist

    First, use these:
    http://www.trojaner-info.de/files/SpSeHjfix112.exe
    http://www.malwarebytes.biz/AboutBuster.zip

    Uninstall:
    StopSignStatus

    Then, in HijackThis, tick these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default.asp?productid=NSW2003&langid=ie&venid=sym
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {5F01EA97-8CAF-C431-C7E3-98529F1ECE5B} - C:\WINDOWS\system32\netmc.dll
    O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [ntah32.exe] C:\WINDOWS\ntah32.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://defender.veloz.com/pub/download/oo_t4c...odlz_download%26oo_index&ver=online&n=d_oodlz
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://www.mir3europe.com/nProtect/nPKeyCrypt/npkcx.cab
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslj.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    Download:
    http://www.downloads.subratam.org/KillBox.zip
    tick delete on reboot and use it to delete these files:

    C:\WINDOWS\ntah32.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\WINDOWS\system32\netmc.dll
    C:\WINDOWS\system32\wgqpi.dll

    Best to do them all in one go, without a reboot. Only once you have added all of them, reboot and paste a new log from HijackThis.

    0
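The replies in this thread pick out a handful of entry classes from the pasted log: IE search and start-page values redirected into a res:// resource of a local DLL, an unnamed BHO, unnamed ActiveX (DPF) downloads, services whose file is missing or whose display name is garbled, and Run entries that launch short, random-looking executables dropped straight into the Windows tree. The script below is an added example (not code from the thread, from HijackThis, or from the helpers who replied) that turns those observations into explicit triage heuristics run over a constructed sample in the shape of the thread's log. The names `triage`, `check_entry`, `RANDOM_NAME` and the "3 to 6 lowercase letters, optional 32" threshold are assumptions fitted to the names seen here, not a published rule.

```python
"""Triage helper for HijackThis-style logs (added example, heuristics assumed)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One HijackThis entry looks like "R1 - <body>" or "O23 - <body>".
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# Assumed heuristic: short lowercase base name, optional "32", .exe or .dll,
# the shape of ntah32.exe / addao.exe / netmc.dll / syslj.exe in the thread.
RANDOM_NAME = re.compile(r"^[a-z]{3,6}(32)?\.(exe|dll)$")
# Anything living under <drive>:\WINDOWS\ (root or System32 subtrees).
WINDOWS_TREE = re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.IGNORECASE)

RES_HIJACK = "browser search/start page points to a res:// resource in a local DLL"
ABOUT_BLANK = "start page forced to about:blank"
UNNAMED_BHO = "browser helper object with no name"
UNNAMED_DPF = "ActiveX download (DPF) entry without an object name"
FILE_MISSING = "registered component whose file is missing"
RANDOM_WIN = "short random-looking executable name inside the Windows tree"
GARBLED_SVC = "service display name contains non-ASCII or non-printable characters"


@dataclass(frozen=True)
class Finding:
    kind: str                 # HijackThis section, e.g. "R1", "O4", "O23"
    line: str                 # the log line that was flagged
    reasons: tuple[str, ...]  # every heuristic that fired on it


def _looks_dropped(path: str) -> bool:
    """True for a random-looking exe/dll name sitting under the Windows tree."""
    if not path or not WINDOWS_TREE.match(path):
        return False
    base = path.rsplit("\\", 1)[-1].lower()
    return RANDOM_NAME.match(base) is not None


def _path_from_run_entry(body: str) -> str:
    r"""Extract the launched file from 'HKLM\..\Run: [name] "C:\x.exe" -args'."""
    m = re.search(r'\]\s+"?([A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', body, re.IGNORECASE)
    return m.group(1) if m else ""


def check_entry(kind: str, body: str) -> list[str]:
    """Return the heuristics that fire for one parsed entry (empty = looks fine)."""
    reasons: list[str] = []
    if kind.startswith("R"):
        if "res://" in body:
            reasons.append(RES_HIJACK)
        elif body.endswith("= about:blank"):
            reasons.append(ABOUT_BLANK)
    if body.endswith("(file missing)"):
        reasons.append(FILE_MISSING)
    if kind == "O2":
        if body.startswith("BHO: Class - "):
            reasons.append(UNNAMED_BHO)
        path = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
        if _looks_dropped(path):
            reasons.append(RANDOM_WIN)
    elif kind == "O4":
        if _looks_dropped(_path_from_run_entry(body)):
            reasons.append(RANDOM_WIN)
    elif kind == "O16":
        if re.match(r"^DPF: \{[0-9A-Fa-f-]+\} - ", body):
            reasons.append(UNNAMED_DPF)
    elif kind == "O23":
        # Service rule is deliberately limited to missing files and garbled
        # names: RANDOM_NAME would also match legitimate nvsvc32.exe here.
        display = body[len("Service: "):].split(" - ")[0]
        if any(not (0x20 <= ord(c) < 0x7F) for c in display):
            reasons.append(GARBLED_SVC)
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Parse a HijackThis log and return the entries that deserve a look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:  # header lines, "Running processes:" paths, blanks
            continue
        reasons = check_entry(m.group("kind"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("kind"), line, tuple(reasons)))
    return findings


# Constructed sample: entries in the shape of the thread's log, mixing
# known-good software with the CWS remnants the replies point at.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default.asp?productid=NSW2003&langid=ie&venid=sym
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5F01EA97-8CAF-C431-C7E3-98529F1ECE5B} - C:\WINDOWS\system32\netmc.dll
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [ntah32.exe] C:\WINDOWS\ntah32.exe
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://www.mir3europe.com/nProtect/nPKeyCrypt/npkcx.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslj.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {'; '.join(f.reasons)}\n     {f.line}")
```

The about:blank entry is reported as a note rather than a verdict: on its own it is a legitimate setting, and it only becomes the CWS "about:blank" pattern in company with the res:// redirects. The name heuristic is likewise kept to Run entries and BHOs, since applied to services it would also trip on legitimate short names such as nvsvc32.exe, which is why the O23 rule only looks at missing files and unreadable display names.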
  • #6 12 May 2005 03:00
    GATEKEEPER
    Level 2

    Hi. I did what you advised, except the format ;). After deleting those dll files that "search assistant" junk stopped being written to the registry, but it is still sitting there; anyway, I'm attaching the log. As for those hundreds of strange 0-size exe files in windows and system32, I noticed something: every so often mks detected a registry entry being added for these files; I checked, and the file in question changed its size to 34 KB and was automatically launched as a running process. I packed one such 34 KB file with RAR; if anyone wants to take a look I can send it, but only at their own risk ;). Regards.
    Here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 02:17:24, on 2005-05-12
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    G:\mks\Bin\NetMonSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    G:\mks\Bin\mksmonsv.exe
    G:\vdrive\vdtask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    E:\nav\navapsvc.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    G:\winamp5.04 strata\Winamp\winampa.exe
    G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    G:\mks\Bin\mks_menu.exe
    G:\mks\Bin\ABregmon.exe
    G:\antytrojan\a2guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    E:\nav\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    G:\mks\Bin\mks_scan.exe
    G:\HijackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wgqpi.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default.asp?productid=NSW2003&langid=ie&venid=sym
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.202.254:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {5F01EA97-8CAF-C431-C7E3-98529F1ECE5B} - C:\WINDOWS\system32\netmc.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\nav\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\nav\NavShExt.dll
    O4 - HKLM\..\Run: [VirtualDrive] G:\vdrive\vdtask.exe /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] G:\winamp5.04 strata\Winamp\winampa.exe
    O4 - HKLM\..\Run: [CorelDRAW ESSENTIALS14] C:\Program Files\Corel\CorelDRAW ESSENTIALS 2\Register\Registration.exe /title="CorelDRAW ESSENTIALS" /date=010505 serial=ES02WBD-0090061-FBU
    O4 - HKLM\..\Run: [FineReader7NewsReaderPro] G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [MKS_MENU] G:\mks\Bin\mks_menu.exe
    O4 - HKLM\..\Run: [ABREGMON] G:\mks\Bin\ABregmon.exe
    O4 - HKLM\..\Run: [addbh32.exe] C:\WINDOWS\system32\addbh32.exe
    O4 - HKLM\..\Run: [addao.exe] C:\WINDOWS\system32\addao.exe
    O4 - HKCU\..\Run: [a-squared] "g:\antytrojan\a2guard.exe"
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Office2000\Office\OSA9.EXE
    O8 - Extra context menu item: Download All by FlashGet - G:\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://G:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O12 - Plugin for .com: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .exe: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .rar: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .zip: G:\opera\PLUGINS\NPFgc1.dll
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://defender.veloz.com/pub/download/oo_t4c...odlz_download%26oo_index&ver=online&n=d_oodlz
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://www.mir3europe.com/nProtect/nPKeyCrypt/npkcx.cab
    O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CEFD6333-DE8B-49B3-A90E-92074AB04A28}: NameServer = 62.244.133.4
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslj.exe (file missing)
    O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - G:\mks\Bin\NetMonSV.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - G:\mks\bin\MkSUpdateInt.exe
    O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - G:\mks\Bin\mksmonsv.exe
    O23 - Service: MkS_Scan - Unknown owner - G:\mks\Bin\mks_scan.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\nav\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - E:\nav\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Added after 11 [minutes]:

    Oops, I pasted the wrong log; this one is current. Everything is starting to look better and better with your help :). I still don't know what to do with all those exe files.

    Here is the log:
    Logfile of HijackThis v1.99.1
    Scan saved at 02:36:52, on 2005-05-12
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    G:\mks\Bin\NetMonSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    G:\mks\Bin\mksmonsv.exe
    G:\vdrive\vdtask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    E:\nav\navapsvc.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    G:\winamp5.04 strata\Winamp\winampa.exe
    G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    G:\mks\Bin\mks_menu.exe
    G:\mks\Bin\ABregmon.exe
    G:\antytrojan\a2guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    E:\nav\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    G:\mks\Bin\mks_scan.exe
    G:\HijackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default.asp?productid=NSW2003&langid=ie&venid=sym
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.202.254:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\nav\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\FlashGet\fgiebar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\nav\NavShExt.dll
    O4 - HKLM\..\Run: [VirtualDrive] G:\vdrive\vdtask.exe /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] G:\winamp5.04 strata\Winamp\winampa.exe
    O4 - HKLM\..\Run: [CorelDRAW ESSENTIALS14] C:\Program Files\Corel\CorelDRAW ESSENTIALS 2\Register\Registration.exe /title="CorelDRAW ESSENTIALS" /date=010505 serial=ES02WBD-0090061-FBU
    O4 - HKLM\..\Run: [FineReader7NewsReaderPro] G:\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    O4 - HKLM\..\Run: [MKS_MENU] G:\mks\Bin\mks_menu.exe
    O4 - HKLM\..\Run: [ABREGMON] G:\mks\Bin\ABregmon.exe
    O4 - HKCU\..\Run: [a-squared] "g:\antytrojan\a2guard.exe"
    O4 - Global Startup: Microsoft Office.lnk = G:\Office2000\Office\OSA9.EXE
    O8 - Extra context menu item: Download All by FlashGet - G:\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://G:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\FlashGet\flashget.exe
    O12 - Plugin for .com: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .exe: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .rar: G:\opera\PLUGINS\NPFgc1.dll
    O12 - Plugin for .zip: G:\opera\PLUGINS\NPFgc1.dll
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://defender.veloz.com/pub/download/oo_t4c...odlz_download%26oo_index&ver=online&n=d_oodlz
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CEFD6333-DE8B-49B3-A90E-92074AB04A28}: NameServer = 62.244.133.4
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·şÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslj.exe (file missing)
    O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - G:\mks\Bin\NetMonSV.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - G:\mks\bin\MkSUpdateInt.exe
    O23 - Service: MkS_Vir Monitor (MksVirMonSvc) - Unknown owner - G:\mks\Bin\mksmonsv.exe
    O23 - Service: MkS_Scan - Unknown owner - G:\mks\Bin\mks_scan.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\nav\navapsvc.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - E:\nav\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    0
  • #7 12 May 2005 03:04
    Kolobos
    Computer specialist

    A description of how to remove the start page is here:
    http://www.searchengines.pl/phpbb203/index.php?showtopic=14185&st=50&#entry87957
    I see it is already gone, but remnants of it remain in the log, so read the whole thing and do what is described there :-)

    As for the strange files, they also come from this CWS; you can delete them, but first scan the system with these:
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.windowsecurity.com/trojanscan/
    http://www.pandasoftware.com/activescan/pol/activescan_principal.htm
    In addition:
    http://www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D -> scan and enable browser protection
    http://www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster -> enable browser protection
    http://www.wilderssecurity.net/spywareguard.html <- SpywareGuard

    0