ahh these viruses :P

IP: *.k1.isko.net.pl 06.05.05, 22:18
The computer works, but you can see it's not running like it always did. Please check the
log, and I'd also ask you to recommend me some antivirus :( thanks in advance
Logfile of HijackThis v1.99.1
Scan saved at 22:18:21, on 2005-05-06
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\Services\{125FA1E9-621A-4198-8E52-346BCE65DFDC}
\SVCHOST.EXE
C:\Program Files\Media Access\MediaAccK.exe
C:\temp\salm.exe
C:\WINDOWS\whuhgvcn.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\mcamgmts.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\DOCUME~1\Tomek\USTAWI~1\Temp\shop1004.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\YDP\YdpDict\Watch.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\WebSiteViewer\125019.dlr
C:\Program Files\Gadu-Gadu\gg.exe
c:\windows\system32\ynotseq.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
E:\ForumGazeta.pl\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
www.websearch.com/ie.aspx?tb_id=50162
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
www.websearch.com/ie.aspx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
www.websearch.com/ie.aspx?tb_id=50162
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = 10.4.0.50:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pi..to.biz
O1 - Hosts: 127.0.0.3 pi..to.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2fucked.biz
O1 - Hosts: 127.0.0.3 sp2fucked.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.3 topcash.biz
O1 - Hosts: 127.0.0.3 www.topcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program
Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} -
C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1
\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1
\Toolbar\toolbar.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} -
C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-
3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} -
C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program
Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost
2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security
iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{125FA1E9-621A-
4198-8E52-346BCE65DFDC}\SVCHOST.EXE
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\R
    • Guest: Tomek Re: ahh these viruses :P IP: *.k1.isko.net.pl 06.05.05, 22:52
      :( please help, I really need this computer
      • neder Re: ahh these viruses :P 07.05.05, 00:39
        boot the computer in safe mode and remove:

        - via Add/Remove Programs:
        > MediaAccess
        > AutoUpdate
        > CxtPls
        > WebSiteViewer
        > BullsEye Network
        > TheSearchAccelerator


        - next:
        > whuhgvcn.exe -> from C:\WINDOWS\
        > isrvs -> from C:\WINDOWS\
        > paytime.exe -> from C:\WINDOWS\System32\
        > mcamgmts.exe -> from C:\WINDOWS\System32\
        > ynotseq.exe -> from C:\WINDOWS\System32\

        - empty temp -> Start > Run > type %temp% and clear out everything that's in there

        removing these:
        C:\Program Files\Common Files\WinTools\WToolsA.exe
        C:\Program Files\Common Files\WinTools\WSup.exe
        is described here:
        www.faqfarm.com/Q/How_do_you_remove_WSUP.exe_and_WTOOLSA.exe

        Besides, I don't know whether you realise that the log didn't fit in whole because you have so much junk ;/ For now run HJ, choose "do a system scan only" and tick (practically everything you pasted is to be thrown out):

        > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        81.222.131.49/index.php
        > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
        www.websearch.com/ie.aspx?tb_id=50162
        > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        81.222.131.49/index.php
        > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        81.222.131.49/index.php
        > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
        www.websearch.com/ie.aspx?tb_id=50162
        > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
        res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
        > R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
        81.222.131.49/index.php
        > R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        www.websearch.com/ie.aspx?tb_id=50162
        > R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
        > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        81.222.131.49/index.php
        > R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        81.222.131.49/index.php
        > F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
        > O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
        > O1 - Hosts: 127.0.0.3 x.full-tgp.net
        > O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
        > O1 - Hosts: 127.0.0.3 autoescrowpay.com
        > O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
        > O1 - Hosts: 127.0.0.3 www.awmdabest.com
        > O1 - Hosts: 127.0.0.3 www.sexfiles.nu
        > O1 - Hosts: 127.0.0.3 awmdabest.com
        > O1 - Hosts: 127.0.0.3 sexfiles.nu
        > O1 - Hosts: 127.0.0.3 allforadult.com
        > O1 - Hosts: 127.0.0.3 www.allforadult.com
        > O1 - Hosts: 127.0.0.3 www.iframe.biz
        > O1 - Hosts: 127.0.0.3 iframe.biz
        > O1 - Hosts: 127.0.0.3 www.newiframe.biz
        > O1 - Hosts: 127.0.0.3 newiframe.biz
        > O1 - Hosts: 127.0.0.3 www.vesbiz.biz
        > O1 - Hosts: 127.0.0.3 vesbiz.biz
        > O1 - Hosts: 127.0.0.3 www.pi..to.biz
        > O1 - Hosts: 127.0.0.3 pi..to.biz
        > O1 - Hosts: 127.0.0.3 www.aaasexypics.com
        > O1 - Hosts: 127.0.0.3 aaasexypics.com
        > O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
        > O1 - Hosts: 127.0.0.3 virgin-tgp.net
        > O1 - Hosts: 127.0.0.3 www.awmcash.biz
        > O1 - Hosts: 127.0.0.3 awmcash.biz
        > O1 - Hosts: 127.0.0.3 buldog-stats.com
        > O1 - Hosts: 127.0.0.3 www.buldog-stats.com
        > O1 - Hosts: 127.0.0.3 fregat.drocherway.com
        > O1 - Hosts: 127.0.0.3 slutmania.biz
        > O1 - Hosts: 127.0.0.3 www.slutmania.biz
        > O1 - Hosts: 127.0.0.3 toolbarpartner.com
        > O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
        > O1 - Hosts: 127.0.0.3 www.megapornix.com
        > O1 - Hosts: 127.0.0.3 megapornix.com
        > O1 - Hosts: 127.0.0.3 www.sp2fucked.biz
        > O1 - Hosts: 127.0.0.3 sp2fucked.biz
        > O1 - Hosts: 127.0.0.3 greg-tut.com
        > O1 - Hosts: 127.0.0.3 www.greg-tut.com
        > O1 - Hosts: 127.0.0.3 nylonsexy.com
        > O1 - Hosts: 127.0.0.3 www.nylonsexy.com
        > O1 - Hosts: 127.0.0.3 vparivalka.com
        > O1 - Hosts: 127.0.0.3 www.vparivalka.com
        > O1 - Hosts: 127.0.0.3 iframeprofit.com
        > O1 - Hosts: 127.0.0.3 www.iframeprofit.com
        > O1 - Hosts: 127.0.0.3 topsearch10.com
        > O1 - Hosts: 127.0.0.3 www.topsearch10.com
        > O1 - Hosts: 127.0.0.3 statscash.biz
        > O1 - Hosts: 127.0.0.3 www.statscash.biz
        > O1 - Hosts: 127.0.0.3 vxiframe.biz
        > O1 - Hosts: 127.0.0.3 www.vxiframe.biz
        > O1 - Hosts: 127.0.0.3 crazy-toolbar.com
        > O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
        > O1 - Hosts: 127.0.0.3 topcash.biz
        > O1 - Hosts: 127.0.0.3 www.topcash.biz
        > O1 - Hosts: 127.0.0.3 loadcash.biz
        > O1 - Hosts: 127.0.0.3 www.loadcash.biz
        > O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program
        > Files\CxtPls\cxtpls.dll
        > O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} -
        > C:\WINDOWS\isrvs\sysupd.dll
        > O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1
        > \COMMON~1\WinTools\WToolsB.dll
        > O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1
        > \Toolbar\toolbar.dll
        > O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} -
        > C:\WINDOWS\System32\msbe.dll
        > O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-
        > 3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
        > O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} -
        > C:\PROGRA~1\Toolbar\toolbar.dll

        choose Fix checked

        As you can see, it would probably have been easier to write which entries in the log you should keep ;p

        After all that, scan with what you have here (first download and update, only then scan in safe mode):
        forum.gazeta.pl/forum/72,2.html?f=430&w=14530041

        Restart and paste a new log, only this time check that it fit in whole.
    • Guest: Tomek Re: ahh these viruses :P IP: *.k1.isko.net.pl 07.05.05, 10:02
      practically nothing wanted to get removed, even in safe mode; those pages keep
      harassing me. Here's my log after that operation :) I don't know if anything changed,
      probably not
      Logfile of HijackThis v1.99.1
      Scan saved at 10:01:57, on 2005-05-07
      Platform: Windows XP (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 (6.00.2600.0000)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.exe
      C:\Program Files\Common Files\WinTools\WToolsA.exe
      C:\Program Files\Common Files\WinTools\WSup.exe
      C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
      C:\WINDOWS\System32\CTsvcCDA.exe
      C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
      C:\WINDOWS\System32\nvsvc32.exe
      C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe
      C:\WINDOWS\System32\MsPMSPSv.exe
      C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\WINDOWS\System32\Services\{125FA1E9-621A-4198-8E52-346BCE65DFDC}\SVCHOST.EXE
      C:\WINDOWS\System32\paytime.exe
      C:\DOCUME~1\Tomek\USTAWI~1\Temp\shop1004.exe
      C:\WINDOWS\System32\mcamgmts.exe
      c:\windows\system32\erynfv.exe
      C:\WINDOWS\System32\ctfmon.exe
      C:\WINDOWS\System32\paytime.exe
      C:\Program Files\YDP\YdpDict\Watch.exe
      C:\Program Files\WebSiteViewer\125019.dlr
      C:\Program Files\AutoUpdate\AutoUpdate.exe
      C:\Program Files\Testy gimnazjalne\data\fscommand\flashEx.exe
      c:\125019.exe
      C:\WINDOWS\System32\tibs.exe
      c:\125019.exe
      C:\Program Files\Gadu-Gadu\gg.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      E:\ForumGazeta.pl\hijackthis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      81.222.131.49/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      81.222.131.49/index.php
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      81.222.131.49/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
      81.222.131.49/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      81.222.131.49/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      81.222.131.49/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
      F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
      C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
      Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1
      \COMMON~1\WinTools\WToolsB.dll
      O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} -
      C:\WINDOWS\drexinit.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
      C:\WINDOWS\System32\msdxm.ocx
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [Jet Detection] "C:\Program
      Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost
      2003\GhostStartTrayApp.exe
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
      Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security
      iGuard.exe
      O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{125FA1E9-621A-
      4198-8E52-346BCE65DFDC}\SVCHOST.EXE
      O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
      O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
      O4 - HKLM\..\Run: [whuhgvcn] C:\WINDOWS\whuhgvcn.exe
      O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
      O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
      O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
      O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
      O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Tomek\USTAWI~1\Temp\shop1004.exe run
      O4 - HKLM\..\Run: [ps3f32W] mcamgmts.exe
      O4 - HKLM\..\Run: [lmtufa] c:\windows\system32\erynfv.exe
      O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{125FA1E9-621A-
      4198-8E52-346BCE65DFDC}\SECURITY.EXE
      O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
      O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
      O4 - HKCU\..\Run: [Skype] "C:\Program
      Files\Skype\Phone\Skype.exe" /nosplash /minimized
      O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
      Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Aktywacja Testera.lnk = C:\Program
      Files\YDP\YdpDict\Watch.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
      Office\Office10\OSA.EXE
      O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
      res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
      static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c6.cab
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
      Validation Tool) - go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
      O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) -
      www.180searchassistant.com/180saax.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{C3547571-9223-4C76-8EF2-49E45879292B}:
      NameServer = 195.136.250.200,195.136.250.201
      O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} -
      C:\WINDOWS\isrvs\mfiltis.dll
      O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
      O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32
      \DRIVERS\CDANTSRV.EXE
      O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
      C:\WINDOWS\System32\CTsvcCDA.exe
      O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1
      \Symantec\NORTON~1\GHOSTS~2.EXE
      O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program
      Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
      O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
      C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: System Startup Service (SvcProc) - Unknown owner -
      C:\WINDOWS\svcproc.exe
      O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology
      by Sony DADC (UserAccess) - Unknown owner - C:\Program Files\Common
      Files\YDP\UserAccessManager\useraccess.exe
      O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

      • Guest: Kolobos Re: ahh these viruses :P IP: *.warszawa.sdi.tpnet.pl 07.05.05, 10:34
        A description of removing iSearch "Desktop Search" is here:
        www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&p=109496&#entry135478

        Backdoor.Haxdoor is here:
        www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&p=109496&#entry132561

        In HijackThis remove these entries:

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        81.222.131.49/index.php
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        81.222.131.49/index.php
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        81.222.131.49/index.php
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
        81.222.131.49/index.php
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        81.222.131.49/index.php
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        81.222.131.49/index.php
        F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
        O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1
        \COMMON~1\WinTools\WToolsB.dll
        O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} -
        C:\WINDOWS\drexinit.dll
        O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{125FA1E9-621A-
        4198-8E52-346BCE65DFDC}\SVCHOST.EXE
        O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
        O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
        O4 - HKLM\..\Run: [whuhgvcn] C:\WINDOWS\whuhgvcn.exe
        O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
        O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
        O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
        O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
        O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
        O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Tomek\USTAWI~1\Temp\shop1004.exe run
        O4 - HKLM\..\Run: [ps3f32W] mcamgmts.exe
        O4 - HKLM\..\Run: [lmtufa] c:\windows\system32\erynfv.exe
        O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{125FA1E9-621A-
        4198-8E52-346BCE65DFDC}\SECURITY.EXE
        O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
        O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
        O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
        O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
        static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c6.cab
        O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) -
        www.180searchassistant.com/180saax.cab
        O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} -
        C:\WINDOWS\isrvs\mfiltis.dll
        O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
        O23 - Service: System Startup Service (SvcProc) - Unknown owner -
        C:\WINDOWS\svcproc.exe
        O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


        Next, download:
        www.downloads.subratam.org/KillBox.zip
        Unpack it, tick Delete file on reboot, paste the path to the file (don't go looking
        for it yourself, just paste the ready-made one) and press the red button, but answer
        No to the question about a reset, and do that with these files:

        C:\WINDOWS\svcproc.exe
        C:\WINDOWS\isrvs\mfiltis.dll <- after everything, delete isrvs (anyway, the description of what to do and how is above)
        C:\WINDOWS\SYSTEM32\drct16.dll
        C:\WINDOWS\System32\paytime.exe
        C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe <- after everything, throw out the WinTools directory
        C:\WINDOWS\System32\Services\{125FA1E9-621A-4198-8E52-346BCE65DFDC}\SECURITY.EXE
        C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
        C:\Program Files\Media Access\MediaAccK.exe <- after everything, throw out the Media Access directory
        C:\WINDOWS\Nail.exe
        C:\WINDOWS\drexinit.dll
        C:\WINDOWS\System32\Services\{125FA1E9-621A-4198-8E52-346BCE65DFDC}\SVCHOST.EXE
        c:\temp\salm.exe
        C:\WINDOWS\whuhgvcn.exe
        C:\WINDOWS\isrvs\desktop.exe
        C:\WINDOWS\isrvs\ffisearch.exe
        C:\WINDOWS\System32\spoolsrv32.exe
        c:\windows\system32\erynfv.exe
        C:\DOCUME~1\Tomek\USTAWI~1\Temp\shop1004.exe
        C:\Program Files\AutoUpdate\AutoUpdate.exe <- the directory here too
        C:\WINDOWS\System32\mcamgmts.exe

        Add them all in one go without resetting; once you've added all of them, reset and
        paste a new log. In addition, install:
        www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D -> scan and enable browser protection
        www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster -> enable browser protection
        www.wilderssecurity.net/spywareguard.html <- SpywareGuard

        And stop clicking Yes on various sites; best not to go to them at all if you don't
        know what you're doing, because you'll have the same thing again in no time.
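        The two replies above (neder's and Kolobos's) work through the pasted log entry by entry. As an added example, not code from the thread or from HijackThis, here is a small triage script for a HijackThis 1.99 log pasted into a forum, including the line wrapping visible above; the rules it applies (bare-IP start page, extra F2 shell program, non-loopback O1 hosts entries, O4 autoruns from Temp or a GUID-named folder, O23 services with a missing binary) are my own heuristics distilled from the advice given, and the sample log is a constructed excerpt of the one posted.

```python
"""Triage a HijackThis 1.99 log pasted into a forum post (Python 3.8+).
Pasted logs wrap long entries onto continuation lines, so the parser re-joins
them first. A "review" finding is a weak signal for a human, not a verdict."""
import re
from dataclasses import dataclass
from typing import List, Tuple

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
IP_URL = re.compile(r"^(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}\b")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}      # ordinary hosts-file blocks
SUSPICIOUS_DIRS = ("\\temp\\", "\\services\\{")  # lower-cased path substrings
PAGE_KEYS = ("Start Page", "Default_Page_URL", "Local Page")


@dataclass
class Entry:
    kind: str  # "R0", "F2", "O1", "O4", ...
    body: str  # rest of the line, continuation lines re-joined


def _join(prev: str, cont: str) -> str:
    """Re-join a wrapped entry: no space inside a path or a GUID split at '-'."""
    if prev.endswith("\\") or cont.startswith("\\"):
        return prev + cont
    if prev.endswith("-") and not prev.endswith(" -"):
        return prev + cont  # GUID broken after a hyphen, e.g. "{125FA1E9-621A-"
    return prev + " " + cont


def parse_hjt(text: str) -> List[Entry]:
    """Parse the R/F/O section; header and 'Running processes' lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()  # tolerate '>'-quoted replies
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
        elif entries:  # HJT never emits bare lines once entries start: a wrap
            entries[-1].body = _join(entries[-1].body, line)
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, str, str]]:
    """Return (entry, severity, reason) for entries worth acting on."""
    findings = []
    for e in entries:
        sev = why = None
        if e.kind in ("R0", "R1"):
            key, _, value = e.body.partition(" = ")
            if any(k in key for k in PAGE_KEYS) and IP_URL.match(value.strip()):
                sev, why = "high", "browser start/default page set to a bare IP"
        elif e.kind == "F2" and "Shell=" in e.body:
            programs = e.body.split("Shell=", 1)[1].split()
            if [p for p in programs if p.lower() != "explorer.exe"]:
                sev, why = "high", "extra program loaded as part of the shell"
        elif e.kind == "O1":
            m = re.match(r"Hosts: (\S+) (\S+)", e.body)
            if m and m.group(1) not in LOOPBACK:
                sev, why = "high", f"{m.group(2)} mapped to non-standard {m.group(1)}"
        elif e.kind in ("O2", "O3") and "(no name)" in e.body:
            sev, why = "review", "unnamed BHO/toolbar; check the DLL's origin"
        elif e.kind == "O4":
            # Run keys: "[name] target args"; startup folders: "x.lnk = target"
            target = e.body.split("] ", 1)[-1].split(" = ", 1)[-1].strip('"').lower()
            tokens = target.split()
            if any(d in target for d in SUSPICIOUS_DIRS):
                sev, why = "high", "autorun from a Temp or GUID-named folder"
            elif tokens and "\\" not in tokens[0]:
                sev, why = "review", "autorun target has no directory (PATH lookup)"
        elif e.kind in ("O18", "O20"):
            sev, why = "review", f"{e.kind} hook is rarely legitimate; verify the DLL"
        elif e.kind == "O23" and "(file missing)" in e.body:
            sev, why = "high", "service registered but its binary is missing"
        if sev:
            findings.append((e, sev, why))
    return findings


# Constructed excerpt of the wrapped log from the thread above (not a full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 127.0.0.3 www.iframe.biz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1
\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{125FA1E9-621A-
4198-8E52-346BCE65DFDC}\SVCHOST.EXE
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Tomek\USTAWI~1\Temp\shop1004.exe run
O4 - HKLM\..\Run: [ps3f32W] mcamgmts.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""

if __name__ == "__main__":
    for entry, sev, why in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sev:6}] {entry.kind}: {why}\n         {entry.body}")
```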
        • Guest: Tomek Re: ahh these viruses :P IP: *.k1.isko.net.pl 07.05.05, 13:47
          damn, a lot of those files you told me to delete aren't there, and for that desktop
          thing there's nothing written about how to remove it either. Here's my log :(
          wherever I go this page pops up, I can barely even get onto this forum ipassist.biz/index.php?id=186
          Logfile of HijackThis v1.99.1
          Scan saved at 13:47:04, on 2005-05-07
          Platform: Windows XP (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 (6.00.2600.0000)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\Explorer.exe
          C:\Program Files\Common Files\WinTools\WToolsA.exe
          C:\Program Files\Common Files\WinTools\WSup.exe
          C:\WINDOWS\System32\CTsvcCDA.exe
          C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
          C:\WINDOWS\System32\nvsvc32.exe
          C:\Program Files\Common Files\YDP\UserAccessManager\useraccess.exe
          C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
          C:\WINDOWS\System32\Services\{125FA1E9-621A-4198-8E52-346BCE65DFDC}\SVCHOST.EXE
          C:\WINDOWS\System32\ctfmon.exe
          C:\Program Files\YDP\YdpDict\Watch.exe
          C:\WINDOWS\System32\MsPMSPSv.exe
          c:\windows\system32\obblbfb.exe
          C:\Program Files\Gadu-Gadu\gg.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\WINDOWS\System32\dwwin.exe
          E:\ForumGazeta.pl\hijackthis\HijackThis.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
          81.222.131.49/index.php
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
          ipassist.biz/index.php?id=186
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
          81.222.131.49/index.php
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
          81.222.131.49/index.php
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          81.222.131.49/index.php
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          81.222.131.49/index.php
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
          F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
          C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
          Files\Spybot - Search & Destroy\SDHelper.dll
          O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1
          \COMMON~1\WinTools\WToolsB.dll
          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
          C:\WINDOWS\System32\msdxm.ocx
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKLM\..\Run: [Jet Detection] "C:\Program
          Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
          O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
          O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost
          2003\GhostStartTrayApp.exe
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
          Files\Real\Update_OB\realsched.exe" -osboot
          O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security
          iGuard.exe
          O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
          O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
          O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{125FA1E9-621A-
          4198-8E52-346BCE65DFDC}\SVCHOST.EXE
          O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
          O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{125FA1E9-621A-
          4198-8E52-346BCE65DFDC}\SECURITY.EXE
          O4 - HKLM\..\Run: [wihrbx] c:\windows\system32\obblbfb.exe
          O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
          O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
          O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
          O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
          O4 - HKCU\..\Run: [Skype] "C:\Program
          Files\Skype\Phone\Skype.exe" /nosplash /minimized
          O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
          O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
          Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
          O4 - Global Startup: Aktywacja Testera.lnk = C:\Program
          Files\YDP\YdpDict\Watch.exe
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
          Office\Office10\OSA.EXE
          O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
          res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
          O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
          Validation Tool) - go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
          O17 - HKLM\System\CCS\Services\Tcpip\..\{C3547571-9223-4C76-8EF2-49E45879292B}:
          NameServer = 195.136.250.200,195.136.250.201
          O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
          O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
          C:\WINDOWS\System32\CTsvcCDA.exe
          O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1
          \Symantec\NORTON~1\GHOSTS~2.EXE
          O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program
          Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
          O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
          C:\WINDOWS\System32\nvsvc32.exe
          O23 - Service: System Startup Service (SvcProc) - Unknown owner -
          C:\WINDOWS\svcproc.exe
          O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology
          by Sony DADC (UserAccess) - Unknown owner - C:\Program Files\Common
          Files\YDP\UserAccessManager\useraccess.exe



          I did what you told me to do with the log, but it's still the same, I think
          • Guest: Kolobos Re: ahh these viruses :P IP: *.warszawa.sdi.tpnet.pl 07.05.05, 16:22
            Everything I listed is there, but you weren't supposed to search for it, just paste
            the ready-made paths into KillBox. Also enable showing hidden and system files in
            Folder Options in the Control Panel, on the View tab there.
            And remove that backdoor and iSearch once more, because you still have them.
            You have to do it as many times as it takes until you get it right and what I listed is gone.