agobot_lh

29.09.04, 15:27
PC-cillin reported that I have worm_agobot_lh in the file netsvcs and that it can
neither delete it nor quarantine it. I downloaded FxGaobot from Symantec but it
found nothing (though I downloaded it earlier, back when that site still worked for me).
What should I do?

Logfile of HijackThis v1.97.7
Scan saved at 15:20:02, on 2004-09-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\1\Moje dokumenty\eDonkey2000
Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.gazeta.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
C:\WINDOWS\Downloaded Program Files\googlenav.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
\Pop3trap.exe"
O4 - HKLM\..\Run: [Video Process] netsvcs.exe
O4 - HKLM\..\RunServices: [Sasser Patch v1 ] msconf.exe
O4 - HKLM\..\RunServices: [MSR] msr.exe
O4 - HKLM\..\RunServices: [Video Process] netsvcs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
5.0 CE\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Office\OSA9.EXE
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB
Plus\Driver\WATCH.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone
Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded
Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded
Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded
Program Files\googlenav.dll/cmsimilar.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) -
toolbar.google.com/data/pl/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38140.1073726852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
www.bundleware.com/activeX/BM2/BM2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87BE236E-3E48-4551-8719-
F8A64A8DBA86}: NameServer = 212.87.224.2,212.87.224.66

    • netsec Re: agobot_lh 29.09.04, 16:00
      Make the log once more, but with the newest HiJack
      www.zerosrealm.com/downloads/hjt.zip
      • imrahil_ij Re: agobot_lh 30.09.04, 10:42
        here is the log:


        Logfile of HijackThis v1.97.7
        Scan saved at 10:41:17, on 2004-09-30
        Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\SOUNDMAN.EXE
        C:\WINDOWS\system32\netsvcs.exe
        C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
        C:\Program Files\Gadu-Gadu\gg.exe
        C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe
        C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
        C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
        C:\WINDOWS\System32\gearsec.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
        C:\Program Files\Outlook Express\msimn.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
        C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
        C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
        C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
        C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
        C:\WINDOWS\explorer.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Documents and Settings\1\Moje dokumenty\Odebrane pliki\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        www.gazeta.pl/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
        C:\WINDOWS\Downloaded Program Files\googlenav.dll
        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
        \pccguide.exe"
        O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
        \PCCClient.exe"
        O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
        \Pop3trap.exe"
        O4 - HKLM\..\Run: [Video Process] netsvcs.exe
        O4 - HKLM\..\RunServices: [Sasser Patch v1 ] msconf.exe
        O4 - HKLM\..\RunServices: [MSR] msr.exe
        O4 - HKLM\..\RunServices: [Video Process] netsvcs.exe
        O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
        Destroy\TeaTimer.exe
        O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
        O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0
        CE\Distillr\AcroTray.exe
        O4 - Global Startup: Microsoft Office.lnk = E:\Office\OSA9.EXE
        O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB
        Plus\Driver\WATCH.exe
        O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone
        Labs\ZoneAlarm\zonealarm.exe
        O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded
        Program Files\googlenav.dll/cmsearch.html
        O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded
        Program Files\googlenav.dll/cmbacklinks.html
        O8 - Extra context menu item: Cac&hed Snapshot of Page -
        res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
        O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
        res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
        O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded
        Program Files\googlenav.dll/cmsimilar.html
        O9 - Extra button: Messenger (HKLM)
        O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
        O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
        a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
        O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
        a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
        O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) -
        toolbar.google.com/data/pl/big/1.1.62-big/GoogleNav.cab
        O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
        v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38140.1073726852
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
        download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
        O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
        www.bundleware.com/activeX/BM2/BM2.cab
        O17 - HKLM\System\CCS\Services\Tcpip\..\{87BE236E-3E48-4551-8719-F8A64A8DBA86}:
        NameServer = 212.87.224.2,212.87.224.66

        • kalinowski11 Re: agobot_lh 30.09.04, 10:54
          imrahil_ij wrote:

          > here is the log:
          >
          >
          > Logfile of HijackThis v1.97.7

          Download the newest version, "v1.98.2"

          209.133.47.12/~merijn/files/HijackThis.exe
          www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

          And paste the log :)

          Regards.
          • imrahil_ij Re: agobot_lh 30.09.04, 11:14
            sorry about that one, I got something mixed up,
            here is the log:

            Logfile of HijackThis v1.98.2
            Scan saved at 11:13:50, on 2004-09-30
            Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\SOUNDMAN.EXE
            C:\WINDOWS\system32\netsvcs.exe
            C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
            C:\Program Files\Gadu-Gadu\gg.exe
            C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe
            C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
            C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
            C:\WINDOWS\System32\gearsec.exe
            C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\ZoneLabs\vsmon.exe
            C:\Program Files\Outlook Express\msimn.exe
            C:\Program Files\Messenger\msmsgs.exe
            C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
            C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
            C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
            C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
            C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
            C:\WINDOWS\explorer.exe
            C:\Program Files\Internet Explorer\iexplore.exe
            C:\Documents and Settings\1\Moje dokumenty\Odebrane pliki\crack\HijackThis.exe

            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
            www.gazeta.pl/
            R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
            O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
            C:\WINDOWS\Downloaded Program Files\googlenav.dll
            O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
            O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
            O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
            \pccguide.exe"
            O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
            \PCCClient.exe"
            O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
            \Pop3trap.exe"
            O4 - HKLM\..\Run: [Video Process] netsvcs.exe
            O4 - HKLM\..\RunServices: [Sasser Patch v1 ] msconf.exe
            O4 - HKLM\..\RunServices: [MSR] msr.exe
            O4 - HKLM\..\RunServices: [Video Process] netsvcs.exe
            O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
            Destroy\TeaTimer.exe
            O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
            O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0
            CE\Distillr\AcroTray.exe
            O4 - Global Startup: Microsoft Office.lnk = E:\Office\OSA9.EXE
            O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB
            Plus\Driver\WATCH.exe
            O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone
            Labs\ZoneAlarm\zonealarm.exe
            O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded
            Program Files\googlenav.dll/cmsearch.html
            O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded
            Program Files\googlenav.dll/cmbacklinks.html
            O8 - Extra context menu item: Cac&hed Snapshot of Page -
            res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
            O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
            res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
            O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded
            Program Files\googlenav.dll/cmsimilar.html
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
            C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
            00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
            a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
            O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
            a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
            O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) -
            toolbar.google.com/data/pl/big/1.1.62-big/GoogleNav.cab
            O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
            www.bundleware.com/activeX/BM2/BM2.cab
            O17 - HKLM\System\CCS\Services\Tcpip\..\{87BE236E-3E48-4551-8719-F8A64A8DBA86}:
            NameServer = 212.87.224.2,212.87.224.66

            • netsec Re: agobot_lh 30.09.04, 12:55
              imrahil_ij wrote:

              > sorry about that one, I got something mixed up,
              > here is the log:
              >
              > Logfile of HijackThis v1.98.2
              > Scan saved at 11:13:50, on 2004-09-30
              > Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
              > MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

              Turn off System Restore (XP and Me only)
              support.microsoft.com/default.aspx?scid=kb;pl;310405
              Start the computer in Safe Mode:
              support.microsoft.com/default.aspx?scid=KB;PL;315222
              Run HijackThis again, do a SCAN and check exactly these entries:

              O4 - HKLM\..\Run: [Video Process] netsvcs.exe
              O4 - HKLM\..\RunServices: [Sasser Patch v1 ] msconf.exe
              O4 - HKLM\..\RunServices: [MSR] msr.exe
              O4 - HKLM\..\RunServices: [Video Process] netsvcs.exe
              O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
              www.bundleware.com/activeX/BM2/BM2.cab

              After checking them, run FIX CHECKED and confirm with YES/OK.

              Find and delete the files netsvcs.exe, msconf.exe, msr.exe
              The files may have the read-only attribute, so it has to be
              changed before deleting them.
              Here is more about manual removal:
              forum.gazeta.pl/forum/72,2.html?f=23618&w=16127597&wv.x=1&a=16127597
              In Control Panel => Internet Options, delete
              Temporary Internet Files (all) and cookies.

              In Control Panel, Add/Remove Programs, uninstall all
              programs that you are not sure you need.

              Start the computer in normal mode.

              Check that your PC-cillin updates correctly and scan the whole system.

              When it's all done, paste a new log.
              • imrahil_ij Re: agobot_lh 30.09.04, 15:11
                done
                the msconf and msr files weren't there because I had already deleted them earlier
                PC-cillin found two viruses and quarantined them (Troj_RVP.D and Sasser.A)
                I found no traces in the registry
                here is the new log:

                Logfile of HijackThis v1.98.2
                Scan saved at 15:06:01, on 2004-09-30
                Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
                MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                Running processes:
                C:\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\winlogon.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\system32\spoolsv.exe
                C:\WINDOWS\Explorer.EXE
                C:\WINDOWS\SOUNDMAN.EXE
                C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
                C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
                C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
                C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
                C:\Program Files\Gadu-Gadu\gg.exe
                C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe
                C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
                C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
                C:\WINDOWS\System32\gearsec.exe
                C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                C:\WINDOWS\System32\svchost.exe
                C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
                C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
                C:\Documents and Settings\1\Moje dokumenty\Odebrane pliki\HijackThis.exe

                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                www.gazeta.pl/
                R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
                C:\WINDOWS\Downloaded Program Files\googlenav.dll
                O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
                O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
                \pccguide.exe"
                O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
                \PCCClient.exe"
                O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
                \Pop3trap.exe"
                O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
                Destroy\TeaTimer.exe
                O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
                O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0
                CE\Distillr\AcroTray.exe
                O4 - Global Startup: Microsoft Office.lnk = E:\Office\OSA9.EXE
                O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB
                Plus\Driver\WATCH.exe
                O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone
                Labs\ZoneAlarm\zonealarm.exe
                O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded
                Program Files\googlenav.dll/cmsearch.html
                O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded
                Program Files\googlenav.dll/cmbacklinks.html
                O8 - Extra context menu item: Cac&hed Snapshot of Page -
                res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
                O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
                res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded
                Program Files\googlenav.dll/cmsimilar.html
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
                C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
                00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
                a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
                O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
                a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
                O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) -
                toolbar.google.com/data/pl/big/1.1.62-big/GoogleNav.cab
                O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
                O17 - HKLM\System\CCS\Services\Tcpip\..\{87BE236E-3E48-4551-8719-F8A64A8DBA86}:
                NameServer = 212.87.224.2,212.87.224.66

                • netsec Re: agobot_lh 30.09.04, 15:21
                  imrahil_ij wrote:

                  > done
                  > the msconf and msr files weren't there because I had already deleted them earlier
                  > PC-cillin found two viruses and quarantined them (Troj_RVP.D and Sasser.A)
                  > I found no traces in the registry
                  > here is the new log:

                  I think the problem is solved ;)
                  Update ZoneAlarm to the newest version; it can work well in an SP2 environment.
                  I recommend replacing PC-cillin 2002 with something more effective; I think even AVAST
                  performs better.
                  • imrahil_ij Re: agobot_lh 30.09.04, 15:37
                    many thanks (:
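
Added example, not part of the thread: a Python check for the before/after comparison the posters do by eye. It rejoins forum-wrapped HijackThis lines and reports whether each entry selected for FIX CHECKED is still listed in the later log. The function names and the line-joining heuristic are assumptions of this example; the sample entries are excerpted from the logs above.

```python
import re

# A HijackThis finding starts with a section code such as "R0 - " or "O4 - ".
ENTRY_RE = re.compile(r"^(?:[RFN]\d+|O\d+) - ")

def parse_entries(log_text):
    """Return findings as single lines, rejoining lines the forum wrapped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
        elif entries:  # continuation of the previous finding (log text only)
            prev = entries[-1]
            # Heuristic: a break inside a path or GUID gets no space back.
            mid_token = line.startswith("\\") or (
                prev.endswith("-") and not prev.endswith(" -"))
            entries[-1] = prev + ("" if mid_token else " ") + line
    return entries

def identity(entry):
    """Stable key for a finding, so a changed value does not look like removal."""
    m = re.match(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\]", entry)
    if m:  # hive, Run/RunServices key, value name
        return ("O4", m.group(1), m.group(2), m.group(3).strip())
    m = re.match(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})", entry)
    if m:  # ActiveX control, keyed by CLSID
        return ("O16", m.group(1).upper())
    return ("raw", " ".join(entry.split()))

def check_fix(before_text, after_text, selected_text):
    """Status in the later log of every entry that was selected for fixing."""
    before = {identity(e): e for e in parse_entries(before_text)}
    after = {identity(e): e for e in parse_entries(after_text)}
    report = {}
    for key in map(identity, parse_entries(selected_text)):
        if key not in before:
            report[key] = "not in the earlier log"
        elif key not in after:
            report[key] = "gone"
        elif after[key] == before[key]:
            report[key] = "still listed"
        else:
            report[key] = "still listed, value changed"
    return report

def new_entries(before_text, after_text):
    """Findings present only in the later log (worth a look after cleanup)."""
    seen = {identity(e) for e in parse_entries(before_text)}
    return [e for e in parse_entries(after_text) if identity(e) not in seen]

# Excerpts from the logs in this thread, line wraps kept as posted.
SELECTED = r"""
O4 - HKLM\..\Run: [Video Process] netsvcs.exe
O4 - HKLM\..\RunServices: [Sasser Patch v1 ] msconf.exe
O4 - HKLM\..\RunServices: [MSR] msr.exe
O4 - HKLM\..\RunServices: [Video Process] netsvcs.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
www.bundleware.com/activeX/BM2/BM2.cab
"""
COMMON = r"""
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002
\pccguide.exe"
"""
BEFORE = COMMON + SELECTED
AFTER = COMMON + "O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -\n"

print(check_fix(BEFORE, AFTER, SELECTED))
```

Keying O16 findings by CLSID rather than by the whole line is what makes the last selected entry show up as still listed with a changed value instead of as removed.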