proszę o sprawdzenie loga

**Posty:** 33 · przez **umberto78** 30 Sie 2006, 12:04

Na jednym z kont użytkowników, na moim komputerze jest proble z włączaniem się stanu wstrzymania co kilka minut. System sprawdziłem różnymi antyvirami i nie nie wykryto. Ostatnio też pojawił się problem z ponownym zalogowaniem się na konto, pojawia się błąd hasła i wyskakuje jakiś błąd wewnętrznej aplikacji. Pomaga dopiero ponowne uruchomienie komputera.

Logfile of HijackThis v1.99.1
Scan saved at 14:20:07, on 2006-08-29
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Registry Defragmentation\RegManServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\fbvccxktb.exe
C:\WINDOWS\System32\fbvccxktb.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Umberto\Moje dokumenty\instalki\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Winsockett] fbvccxktb.exe
O4 - HKLM\..\RunServices: [Winsockett] fbvccxktb.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105623554632
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O21 - SSODL: ABBYY FineReader 5.0 Office - {6B27DC98-5DB1-EDE0-6F77-F0070BABA958} - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Registry Defragmentation\RegManServ.exe

przez **jeff** 30 Sie 2006, 12:23

wyłącz przywracanie systemu, wejdź w tryb awaryjny i kasujesz wpisy w Hijacku

O4 - HKLM\..\Run: [Winsockett] fbvccxktb.exe
O4 - HKLM\..\RunServices: [Winsockett] fbvccxktb.exe

a nastepnie usuń pogrubiony plik który znajduje sie w C:\WINDOWS\System32

**Posty:** 566 · przez **Bieniol** 30 Sie 2006, 12:24

Przepraszam, że się wtrącę, ale kosmetycznie możesz skasować te wpisy:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

**Posty:** 33 · przez **umberto78** 31 Sie 2006, 12:30

Zroiłem tak jak napisał "detektyw" ale problem wciąż pozostał. Stan wstrzymania włącza się co kilka minut. Usunięte logi znów są tylko troche zmienione.

Logfile of HijackThis v1.99.1
Scan saved at 12:14:20, on 2006-08-31
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\lhnuavhwn.exe
C:\WINDOWS\System32\lhnuavhwn.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Registry Defragmentation\RegManServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Umberto\Moje dokumenty\instalki\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Winsockett] lhnuavhwn.exe
O4 - HKLM\..\RunServices: [Winsockett] lhnuavhwn.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105623554632
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Spik\url_wpmsg.dll
O21 - SSODL: ABBYY FineReader 5.0 Office - {6B27DC98-5DB1-EDE0-6F77-F0070BABA958} - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Registry Defragmentation\RegManServ.exe

**Posty:** 18165 · przez **wojtas** 31 Sie 2006, 12:32

wyłącz przywracanie systemu, wejdź w tryb awaryjny i kasujesz wpisy w Hijacku

O4 - HKLM\..\Run: [Winsockett] lhnuavhwn.exe
O4 - HKLM\..\RunServices: [Winsockett] lhnuavhwn.exe

usun wpisy w hj potem pogrubiony do kosza

**Posty:** 33 · przez **umberto78** 31 Sie 2006, 13:08

i znów to samo, po usunięciu logów (w trybie awaryjnym z wyłączonym przywracaniem systemu), logi O4 powracają tylko o innejnazwie.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Winsockett] hzhspckar.exe
O4 - HKLM\..\RunServices: [Winsockett] hzhspckar.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

**Posty:** 566 · przez **Bieniol** 31 Sie 2006, 13:51

Ściągnij GMERa --> odpal --> rootkit --> szukaj --> kopiuj i wklej tutaj

Dodatkowo log z Silent Runners (prawy przycisk myszy --> zapisz element docelowy jako --> włączasz --> klikasz NO --> czekasz, aż się pojawi że log jest skończony

**Posty:** 33 · przez **umberto78** 04 Wrz 2006, 14:09

Przeszukałem gmer'em i to znalazło:

GMER 1.0.10.10122 - http://www.gmer.net

Rootkit 2006-09-04 13:51:59
Windows 5.1.2600 Dodatek Service Pack. 1

---- Registry - GMER 1.0.10 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E979-E325-11CE-BFC1-08002BE10318}@InfPath

---- EOF - GMER 1.0.10 ----

**Posty:** 8694 · przez **Red** 04 Wrz 2006, 16:27

Prosze dołaczyc jeszcze jeden log:
http://download.bleepingcomputer.com/sUBs/combofix.exe

Sciagnij programik ,kliknij dwa razy na niego ,wybierz "Y" i enter.Czekasz na działanie i loga ktory sie wygeneruje,wklejasz go tu na forum do sprawdzenia ...

**Posty:** 33 · przez **umberto78** 04 Wrz 2006, 16:35

Andzia - 06-09-04 16:21:02,99
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Andzia.LENCZEWSKI\Pulpit

Microsoft Windows XP [Wersja 5.1.2600]

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Andzia.LENCZEWSKI\Dane aplikacji\Install.dat

((((((((((((((((((((((((((((((( Files Created from 2006-08-04 to 2006-09-04 ))))))))))))))))))))))))))))))))))

2006-09-04 15:37 671,744 -r-hs---- C:\WINDOWS\system32\nqfgaaesh.exe
2006-09-02 20:25 671,744 -r-hs---- C:\WINDOWS\system32\yfiyyezap.exe
2006-08-31 12:51 671,744 -r-hs---- C:\WINDOWS\system32\hzhspckar.exe
2006-08-31 12:42 671,744 -r-hs---- C:\WINDOWS\system32\aogszewal.exe
2006-08-30 23:31 671,744 -r-hs---- C:\WINDOWS\system32\lhnuavhwn.exe
2006-08-30 13:24 8,628 --a------ C:\WINDOWS\system32\mszsrn32.dll
2006-08-30 12:56 671,744 -r-hs---- C:\WINDOWS\system32\hwgpcllng.exe
2006-08-29 20:05 671,744 -r-hs---- C:\WINDOWS\system32\reezgpqge.exe
2006-08-29 13:34 671,744 -r-hs---- C:\WINDOWS\system32\fbvccxktb.exe
2006-08-26 13:12 671,744 -ra------ C:\WINDOWS\system32\jjeuskkie.exe
2006-08-26 13:12 671,744 -r-hs---- C:\WINDOWS\system32\omecztrox.exe
2006-08-26 12:57 171,520 --a------ C:\WINDOWS\system32\LXAESUI.DLL
2006-08-26 12:55 221,696 --a------ C:\WINDOWS\system32\qmgr.dll
2006-08-26 12:55 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-08-26 12:54 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-08-26 12:54 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-08-26 12:54 582,656 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-08-26 12:54 56,832 --a------ C:\WINDOWS\system32\colbact.dll
2006-08-26 12:54 495,616 --a------ C:\WINDOWS\system32\comuid.dll
2006-08-26 12:54 494,592 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-08-26 12:54 468,480 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-08-26 12:54 359,936 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-08-26 12:54 215,040 --a------ C:\WINDOWS\system32\catsrv.dll
2006-08-26 12:54 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-08-26 12:54 114,968 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-08-26 12:54 100,864 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-08-26 12:54 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-08-26 12:54 1,081,112 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-08-26 12:46 51,200 --a------ C:\WINDOWS\system32\sfman32.dll
2006-08-26 12:46 495,616 --a------ C:\WINDOWS\system32\sblfx.dll
2006-08-26 12:46 4,096 --a------ C:\WINDOWS\system32\ctwdm32.dll
2006-08-26 12:46 256,512 --a------ C:\WINDOWS\system32\devcon32.dll
2006-08-26 12:46 24,064 --a------ C:\WINDOWS\system32\devldr32.exe
2006-08-26 12:44 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-08-26 12:44 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-08-15 14:21 274,432 --a------ C:\WINDOWS\system32\imon.dll
2006-08-04 16:37 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 16:37 196,608 --a------ C:\WINDOWS\system32\dtu100.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-04 15:09 -------- d-------- C:\Program Files\Warez
2006-09-04 15:09 -------- d-------- C:\Documents and Settings\Andzia.LENCZEWSKI\Dane aplikacji\Warez
2006-08-29 19:50 -------- d-------- C:\Program Files\Spik
2006-08-26 18:57 -------- d-------- C:\Program Files\URUSoft
2006-08-26 18:35 -------- d-------- C:\Program Files\SubEdit-Player
2006-08-26 12:54 -------- d-------- C:\Program Files\Messenger
2006-08-25 12:37 -------- d-------- C:\Program Files\Codec
2006-08-25 12:07 -------- d-------- C:\Program Files\XP Codec Pack
2006-08-15 14:21 502368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2006-07-27 03:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-07-13 10:51 700184 --a------ C:\WINDOWS\system32\SkanerOnline.dll
2006-07-03 22:40 620180 --a------ C:\WINDOWS\system32\divx.dll
2006-06-29 15:14 69944 --a------ C:\WINDOWS\system32\SkanerOnlineUninstall.exe
2006-06-28 16:11 675 --a------ C:\fix.reg
2006-06-21 11:43 520192 --a------ C:\WINDOWS\system32\divxsm.exe
2006-06-21 11:42 1044480 --a------ C:\WINDOWS\system32\libdivx.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"Winsockett"="nqfgaaesh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Warez"="\"C:\\Program Files\\Warez\\Warez.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"msvcc25"="svcchost.exe"
"Winsockett"="nqfgaaesh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.tapety4u.pl/albums/krajobrazy/national_geographic/normal_126.jpg"
"SubscribedURL"="http://www.tapety4u.pl/albums/krajobrazy/national_geographic/normal_126.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,98,00,00,00,00,00,00,00,e8,03,00,00,42,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,98,00,00,00,00,00,00,00,e8,03,00,00,42,03,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Moja bieżąca strona główna"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,72,03,00,00,23,00,00,00,fc,00,00,00,f2,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,72,03,00,00,23,00,00,00,fc,00,00,00,f2,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^abcHood Pager 1.0.lnk]
"backup"="C:\\WINDOWS\\pss\\abcHood Pager 1.0.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ScannerU\\PageABC\\abcPager\\abcPager.exe -loadstatus -hide"
"item"="abcHood Pager 1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Action Manager 32.lnk]
"backup"="C:\\WINDOWS\\pss\\Action Manager 32.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ScannerU\\AM32.exe "
"item"="Action Manager 32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Kalendarz XP.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Start\\Programy\\Autostart\\Kalendarz XP.lnk"
"backup"="C:\\WINDOWS\\pss\\Kalendarz XP.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\KALEND~1\\KALEND~1.EXE "
"item"="Kalendarz XP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^TV Remote Control.lnk]
"backup"="C:\\WINDOWS\\pss\\TV Remote Control.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AVACSM~1\\TV88XU~1\\C8XRCtl.exe "
"item"="TV Remote Control"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\bme91d0e]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bme91d0e"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msvcc25]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svcchost"
"hkey"="HKLM"
"command"="svcchost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PowerS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PowerS"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Preview AdService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PrevAdServ"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pro]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vxh8jkdq2"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\vxh8jkdq2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="winlogon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\inet20004\\winlogon.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\salm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="salm"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Speed racer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTSRReg"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spik]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Spik"
"hkey"="HKLM"
"command"="C:\\Program Files\\Spik\\Spik.exe -autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Updreg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Updreg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Warez]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Warez"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Warez\\Warez.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winstall"
"hkey"="HKCU"
"command"="C:\\winstall.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Winsockett]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yfiyyezap"
"hkey"="HKLM"
"command"="yfiyyezap.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\xp_system]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winlogon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\inet20004\\winlogon.exe"
"inimapping"="0"

Completion time: 2006-09-04 16:21:30.13
ComboFix.txt

**Posty:** 8694 · przez **Red** 04 Wrz 2006, 17:04

otwierasz notatnik windowsa i wklejasz w nim to co ponizej:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winsockett"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"msvcc25"=-
"Winsockett"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows installer]
"command"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Winsockett]
"command"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\xp_system]
"command"=-

w notatniku u góry>>>plik zapisz jako>>>Zmienić rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisać pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....

Otwórz Notatnik i wklej w nim:

C:\WINDOWS\system32

ATTRIB -R -S -H nqfgaaesh.exe
ATTRIB -R -S -H yfiyyezap.exe
ATTRIB -R -S -H hzhspckar.exe
ATTRIB -R -S -H aogszewal.exe
ATTRIB -R -S -H lhnuavhwn.exe
ATTRIB -R -S -H mszsrn32.dll
ATTRIB -R -S -H hwgpcllng.exe
ATTRIB -R -S -H reezgpqge.exe
ATTRIB -R -S -H fbvccxktb.exe
ATTRIB -R -S -H jjeuskkie.exe
ATTRIB -R -S -H omecztrox.exe

DEL nqfgaaesh.exe
DEL yfiyyezap.exe
DEL hzhspckar.exe
DEL aogszewal.exe
DEL lhnuavhwn.exe
DEL mszsrn32.dll
DEL hwgpcllng.exe
DEL reezgpqge.exe
DEL fbvccxktb.exe
DEL jjeuskkie.exe
DEL omecztrox.exe

Z menu Notatnika >>> Plik >>> Zapisz jako >>> Ustaw rozszerzenie na Wszystkie pliki >>> Zapisz jako FIX.BAT = Plik koniecznie wsadzić do folderu C:\WINDOWS

Uruchom linię komend Start >>> Uruchom >>> cmd i wprowadz komende:BATCH FIX.BAT

Nastepnie sciagasz :
http://www.bleepingcomputer.com/files/killbox.php

odpalasz Killboxa zaznacz opcję Delete on Reboot + All Files następnie w polu Full Path of File to Delete wklej scieżki:
C:\WINDOWS\system32\nqfgaaesh.exe
C:\WINDOWS\system32\yfiyyezap.exe
C:\WINDOWS\system32\hzhspckar.exe
C:\WINDOWS\system32\aogszewal.exe
C:\WINDOWS\system32\lhnuavhwn.exe
C:\WINDOWS\system32\mszsrn32.dll
C:\WINDOWS\system32\hwgpcllng.exe
C:\WINDOWS\system32\reezgpqge.exe
C:\WINDOWS\system32\fbvccxktb.exe
C:\WINDOWS\system32\jjeuskkie.exe
C:\WINDOWS\system32\omecztrox.exe
wciskasz x
następnie program będzie pytał o restart-potwierdzasz

**Posty:** 33 · przez **umberto78** 05 Wrz 2006, 15:18

po wpisaniu komendy

BATCH FIX.BAT

wyświetla się poniższa inf.

C:\Documents and Settings\Andzia.LENCZEWSKI>batch fix.bat
Nazwa 'batch' nie jest rozpoznawana jako polecenie wewnętrzne lub zewnętrzne,
program wykonywalny lub plik wsadowy.

jeszcze raz wklejam log do wglądu,

Logfile of HijackThis v1.99.1
Scan saved at 15:05, on 06-09-05
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Registry Defragmentation\RegManServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Andzia.LENCZEWSKI\Pulpit\RootkitRevealer\RootkitRevealer.exe
C:\DOCUME~1\ANDZIA~1.LEN\USTAWI~1\Temp\ZZUZNGFNDKYFH.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Umberto\Moje dokumenty\instalki\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.warez.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105623554632
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Spik\url_wpmsg.dll
O21 - SSODL: ABBYY FineReader 5.0 Office - {6B27DC98-5DB1-EDE0-6F77-F0070BABA958} - (no file)
O23 - Service: BUVA - Unknown owner - C:\DOCUME~1\ANDZIA~1.LEN\USTAWI~1\Temp\BUVA.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: FZGGXZECD - Unknown owner - C:\DOCUME~1\ANDZIA~1.LEN\USTAWI~1\Temp\FZGGXZECD.exe (file missing)
O23 - Service: HJMPGQJWY - Unknown owner - C:\DOCUME~1\ANDZIA~1.LEN\USTAWI~1\Temp\HJMPGQJWY.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Registry Defragmentation\RegManServ.exe
O23 - Service: SCOACUTNTKYPPYDVR - Unknown owner - C:\DOCUME~1\ANDZIA~1.LEN\USTAWI~1\Temp\SCOACUTNTKYPPYDVR.exe (file missing)
O23 - Service: ZZUZNGFNDKYFH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ANDZIA~1.LEN\USTAWI~1\Temp\ZZUZNGFNDKYFH.exe

**Posty:** 8694 · przez **Red** 05 Wrz 2006, 20:26

umberto78 daj jeszcze log z combofix do kontroli

**Posty:** 33 · przez **umberto78** 08 Wrz 2006, 10:30

oto log z combofix:

Andzia - 06-09-08 10:13:38.71
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Andzia.LENCZEWSKI\Pulpit

Microsoft Windows XP [Wersja 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-05 to 2006-09-05 ))))))))))))))))))))))))))))))))))

2006-09-06 17:23 37,828 --a------ C:\WINDOWS\system32\mszsrn32.dll
2006-09-05 15:50 671,744 -ra------ C:\WINDOWS\system32\jjeuskkie.exe
2006-09-05 15:50 671,744 -r-hs---- C:\WINDOWS\system32\krhhfzvve.exe
2006-09-05 09:28 571 --a------ C:\WINDOWS\fix.bat
2006-08-26 12:57 171,520 --a------ C:\WINDOWS\system32\LXAESUI.DLL
2006-08-26 12:55 221,696 --a------ C:\WINDOWS\system32\qmgr.dll
2006-08-26 12:55 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-08-26 12:54 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-08-26 12:54 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-08-26 12:54 582,656 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-08-26 12:54 56,832 --a------ C:\WINDOWS\system32\colbact.dll
2006-08-26 12:54 495,616 --a------ C:\WINDOWS\system32\comuid.dll
2006-08-26 12:54 494,592 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-08-26 12:54 468,480 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-08-26 12:54 359,936 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-08-26 12:54 215,040 --a------ C:\WINDOWS\system32\catsrv.dll
2006-08-26 12:54 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-08-26 12:54 114,968 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-08-26 12:54 100,864 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-08-26 12:54 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-08-26 12:54 1,081,112 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-08-26 12:46 51,200 --a------ C:\WINDOWS\system32\sfman32.dll
2006-08-26 12:46 495,616 --a------ C:\WINDOWS\system32\sblfx.dll
2006-08-26 12:46 4,096 --a------ C:\WINDOWS\system32\ctwdm32.dll
2006-08-26 12:46 256,512 --a------ C:\WINDOWS\system32\devcon32.dll
2006-08-26 12:46 24,064 --a------ C:\WINDOWS\system32\devldr32.exe
2006-08-26 12:44 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-08-26 12:44 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-08-15 14:21 274,432 --a------ C:\WINDOWS\system32\imon.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-04 15:09 -------- d-------- C:\Documents and Settings\Andzia.LENCZEWSKI\Dane aplikacji\Warez
2006-08-29 19:50 -------- d-------- C:\Program Files\Spik
2006-08-26 18:57 -------- d-------- C:\Program Files\URUSoft
2006-08-26 18:35 -------- d-------- C:\Program Files\SubEdit-Player
2006-08-26 12:54 -------- d-------- C:\Program Files\Messenger
2006-08-25 12:37 -------- d-------- C:\Program Files\Codec
2006-08-25 12:07 -------- d-------- C:\Program Files\XP Codec Pack
2006-08-15 14:21 502368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2006-08-04 16:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 16:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-07-27 03:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-07-13 10:51 700184 --a------ C:\WINDOWS\system32\SkanerOnline.dll
2006-07-03 22:40 620180 --a------ C:\WINDOWS\system32\divx.dll
2006-06-29 15:14 69944 --a------ C:\WINDOWS\system32\SkanerOnlineUninstall.exe
2006-06-28 16:11 675 --a------ C:\fix.reg
2006-06-21 11:43 520192 --a------ C:\WINDOWS\system32\divxsm.exe
2006-06-21 11:42 1044480 --a------ C:\WINDOWS\system32\libdivx.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"Winsockett"="krhhfzvve.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"msvcc25"="svcchost.exe"
"Winsockett"="krhhfzvve.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.tapety4u.pl/albums/krajobrazy/national_geographic/normal_126.jpg"
"SubscribedURL"="http://www.tapety4u.pl/albums/krajobrazy/national_geographic/normal_126.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,98,00,00,00,00,00,00,00,e8,03,00,00,42,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,98,00,00,00,00,00,00,00,e8,03,00,00,42,03,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Moja bieżąca strona główna"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,72,03,00,00,23,00,00,00,fc,00,00,00,f2,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,72,03,00,00,23,00,00,00,fc,00,00,00,f2,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^abcHood Pager 1.0.lnk]
"backup"="C:\\WINDOWS\\pss\\abcHood Pager 1.0.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ScannerU\\PageABC\\abcPager\\abcPager.exe -loadstatus -hide"
"item"="abcHood Pager 1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Action Manager 32.lnk]
"backup"="C:\\WINDOWS\\pss\\Action Manager 32.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ScannerU\\AM32.exe "
"item"="Action Manager 32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Kalendarz XP.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Start\\Programy\\Autostart\\Kalendarz XP.lnk"
"backup"="C:\\WINDOWS\\pss\\Kalendarz XP.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\KALEND~1\\KALEND~1.EXE "
"item"="Kalendarz XP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^TV Remote Control.lnk]
"backup"="C:\\WINDOWS\\pss\\TV Remote Control.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AVACSM~1\\TV88XU~1\\C8XRCtl.exe "
"item"="TV Remote Control"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\bme91d0e]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bme91d0e"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msvcc25]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svcchost"
"hkey"="HKLM"
"command"="svcchost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PowerS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PowerS"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Preview AdService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PrevAdServ"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pro]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vxh8jkdq2"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\vxh8jkdq2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="winlogon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\inet20004\\winlogon.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\salm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="salm"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Speed racer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTSRReg"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spik]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Spik"
"hkey"="HKLM"
"command"="C:\\Program Files\\Spik\\Spik.exe -autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Updreg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Updreg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Warez]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Warez"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Warez\\Warez.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winstall"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Winsockett]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="krhhfzvve"
"hkey"="HKLM"
"inimapping"="0"
"command"="krhhfzvve.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\xp_system]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winlogon"
"hkey"="HKCU"
"inimapping"="0"

Completion time: 2006-09-08 10:14:26.59
ComboFix3.txt
ComboFix2.txt
ComboFix.txt

**Posty:** 8694 · przez **Red** 08 Wrz 2006, 13:14

Otwierasz linię komend Start >>> Uruchom >>> cmd i wpisujesz komendy:

C:\WINDOWS\system32

ATTRIB -R -S -H mszsrn32.dll
DEL mszsrn32.dll
ATTRIB -R -S -H jjeuskkie.exe
DEL jjeuskkie.exe
ATTRIB -R -S -H krhhfzvve.exe
DEL krhhfzvve.exe

enter

otwierasz notatnik windowsa i wklejasz w nim to co ponizej:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winsockett"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"msvcc25"=-
"Winsockett"=-

w notatniku u góry>>>plik zapisz jako>>>Zmienić rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisać pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....

killboxem usuniesz te sciezki:

C:\WINDOWS\system32\mszsrn32.dll
C:\WINDOWS\system32\jjeuskkie.exe
C:\WINDOWS\system32\krhhfzvve.exe

Restartujesz kompa i daj raz jeszcze logi do kontroli.

**Posty:** 33 · przez **umberto78** 12 Wrz 2006, 14:13

Oto log po powyższysz operacjach

Logfile of HijackThis v1.99.1
Scan saved at 13:58:12, on 2006-09-12
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Registry Defragmentation\RegManServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Umberto\Moje dokumenty\instalki\hijackthis\HijackThis.exe
C:\WINDOWS\system32\jjeuskkie.exe
C:\WINDOWS\system32\jjeuskkie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.warez.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105623554632
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Spik\url_wpmsg.dll
O21 - SSODL: ABBYY FineReader 5.0 Office - {6B27DC98-5DB1-EDE0-6F77-F0070BABA958} - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Registry Defragmentation\RegManServ.exe

**Posty:** 8694 · przez **Red** 12 Wrz 2006, 14:16

Otwierasz linię komend Start >>> Uruchom >>> cmd i wpisujesz komendy:

C:\WINDOWS\system32

ATTRIB -R -S -H jjeuskkie.exe
DEL jjeuskkie.exe

EXIT

i daj log do kontroli

**Posty:** 33 · przez **umberto78** 12 Wrz 2006, 14:28

zrobiłem, (po kilku minutach pracy systemu znów pojawiają się logi w O4)

Logfile of HijackThis v1.99.1
Scan saved at 14:12:46, on 2006-09-12
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Registry Defragmentation\RegManServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Umberto\Moje dokumenty\instalki\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.warez.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Winsockett] yizxzqaac.exe
O4 - HKLM\..\RunServices: [Winsockett] yizxzqaac.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105623554632
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Spik\url_wpmsg.dll
O21 - SSODL: ABBYY FineReader 5.0 Office - {6B27DC98-5DB1-EDE0-6F77-F0070BABA958} - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Registry Defragmentation\RegManServ.exe

**Posty:** 8694 · przez **Red** 12 Wrz 2006, 14:34

Sciagnij:

http://www.firewallleaktester.com/tools/wwdc.exe

pozamykaj porty jak na screnie:

http://forum.programosy.pl/prosze-o-sprawdzenie-loga-vt27554.html?highlight=enable

i pozbadz sie :

Wylacz w menedzerze zadan te procesy i usun wpisy z hijacka

O4 - HKLM\..\Run: [Winsockett] yizxzqaac.exe
O4 - HKLM\..\RunServices: [Winsockett] yizxzqaac.exe

**Posty:** 33 · przez **umberto78** 12 Wrz 2006, 14:53

za bardzo nie wiem jak pozamykać te porty aby było jak na screnie??

proszę o sprawdzenie loga

Proszę o sprawdzenie loga

Kto jest na forum