proszę o pomoc

[Gość: xxx]

hello!
Jestem raczej komputerową "nogą", mój mąż w delegacji, a mi pojawia się
problem, otóż:
po włączeniu komp. pojawia mi się komunikat: system Windows nie moze odnaleźć
pliku "changeme.exe"
pojawiają się czarne okna - windows/system32/cmd.exe.
Po otwieraniu jakiejkolwiek strony www, pojawia się komunikat - obecne
ustawienia zabezpieczeń uniemożliwiają uruchamianie formantów activex na tej
stronie. W wyniku tego strona może być wyświetlana niepoprawnie. (i tak się
dzieje, np. nie mogę przez internet wejść na swoje konto mail-owe, nie mogę
się zarejstrować jako użytkownik forumitp.)
Ponadto otwiera się stronka: http// empands.com/servlet/ajrotator....
Bardzo proszę o rozpoznanie problemu,
z góry dzięki za pomoc

[Gość: Kolobos]

www.mgregor.republika.pl/

[Gość: xxx]

Dziękuję za odzew :-)

Pojawił się problem z pobraniem pliku (krok 3). wywala mi komunikat - bieżące
ustawienia zabezpieczeń nie zezwalają na pobranie tego pliku.
Proszę o radę

[Gość: Kolobos]

Sprobuj zmienic Internet Explorer->Narzedzia->Opcje Internetowe->Zabezpieczenia-
>Poziom domyslny i moze bedzie sie dalo pobrac, pewnie jakis trojan Ci to
zmienil.

[Gość: xxx]

Logfile of HijackThis v1.99.1
Scan saved at 10:03:20, on 06/03/2005
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\mxx.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\winpadg.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\temp\salm.exe
C:\WINDOWS\System32\gah95on6.exe
C:\Program Files\Knwesh\Rsqypl.exe
C:\WINDOWS\System32\wuampkd.exe
C:\WINDOWS\System32\wuamkp.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\System32\compqed.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\NA\Ustawienia lokalne\Temporary Internet
Files\Content.IE5\FRE7TRA6\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = wp.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
file)
F2 - REG:system.ini: Shell=Explorer.exe changeme.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} -
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} -
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital
Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-
Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Konfigurator] C:\WINDOWS\mxx.exe --start
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital
Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32
\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner
AQ3
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
atboottime
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [Windows Desktop Daemon] winpadg.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [abyh] C:\WINDOWS\abyh.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
Optimizer\optimize.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [Ofzrizuq] C:\Program Files\Knwesh\Rsqypl.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\Run: [Microsoft Windows Updates] wuamkp.exe
O4 - HKLM\..\Run: [Compaqed Service Drivers] compqed.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefjh32.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\Poland.exe -N
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Windows Desktop Daemon] winpadg.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updates] wuamkp.exe
O4 - HKLM\..\RunServices: [Compaqed Service Drivers] compqed.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Compaqed Service Drivers] compqed.exe
O4 - HKCU\..\RunServices: [Compaqed Service Drivers] compqed.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program
Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} -
download.spyspotter.com/spyspotter/SpSp29952.40noopt/SpySpotterCabInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4DCC1E8-687D-4BD3-8CA0-290C47BCC3F4}:
NameServer = 217.30.129.149,217.30.137.200
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32
\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner -
C:\WINDOWS\System32\hwclock.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation

[Gość: xxx]

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1
\SPEEDD~1\nopdb.exe

nie wiem czemu, tej końcówki nie wkleiło

[Gość: Kolobos]

Troche smietkow podlapalas :-)

Odinstaluj:
SpySpotter
Internet Optimizer
Media Access

Sciagnij sobie:
www.simplytech.it/ETRemover/ETRemoverV120.zip
www.downloads.subratam.org/KillBox.zip
Uruchom windows w trybie awaryjnym (F5 lub F8 przy starcie systemu)
uzyj ETRemover

W hijackthis wybierasz scan only i zaznaczasz te wpisy:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = wp.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
searchmiracle.com/sp.php
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
file)
F2 - REG:system.ini: Shell=Explorer.exe changeme.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} -
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} -
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Konfigurator] C:\WINDOWS\mxx.exe --start
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [Windows Desktop Daemon] winpadg.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [abyh] C:\WINDOWS\abyh.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
Optimizer\optimize.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [Ofzrizuq] C:\Program Files\Knwesh\Rsqypl.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\Run: [Microsoft Windows Updates] wuamkp.exe
O4 - HKLM\..\Run: [Compaqed Service Drivers] compqed.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefjh32.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\Poland.exe -N
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Windows Desktop Daemon] winpadg.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updates] wuamkp.exe
O4 - HKLM\..\RunServices: [Compaqed Service Drivers] compqed.exe
O4 - HKCU\..\Run: [Compaqed Service Drivers] compqed.exe
O4 - HKCU\..\RunServices: [Compaqed Service Drivers] compqed.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} -
download.spyspotter.com/spyspotter/SpSp29952.40noopt/SpySpotterCabInstall.cab
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner -
C:\WINDOWS\System32\hwclock.exe

I Fix Checked.

Uruchom killbox'a zaznacz Delete file on reboot wklej sciezke do pliku (sam/a
nie szukaj tylko wklejaj gotowa) i naciskaj czerwony przycisk ale na pytanie o
reset odpowiadaj nie i tak zrob z tymi plikam:

C:\WINDOWS\System32\hwclock.exe
C:\Program Files\Common Files\GMT\GMT.exe <- po resecie usun katalog GMT
C:\windows\system32\compqed.exe
C:\windows\system32\wuamkp.exe
C:\windows\system32\wuampkd.exe
C:\windows\system32\winpadg.exe
C:\windows\system32\scvhost.exe
C:\WINDOWS\System32\Poland.exe
C:\windows\system32\elitefjh32.exe
C:\Program Files\Knwesh\Rsqypl.exe
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll <- i tutaj katalog do
kasacji
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
C:\Program Files\Common Files\CMEII\CMESys.exe <- po resecie usuwasz katalog
CMEII
C:\WINDOWS\mxx.exe
C:\Program Files\Media Access\MediaAccK.exe <- tutaj tez katalog do kasacji
c:\temp\salm.exe
C:\WINDOWS\abyh.exe
C:\Program Files\Internet Optimizer\optimize.exe <- po resecie usuwasz katalog
C:\WINDOWS\System32\gah95on6.exe

Nastepnie uruchom regedit przejdz do:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
i usun tam ten wpis:
_{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

Po resecie przeskanuj system tym:
download.microsoft.com/download/8/1/5/815d2d60-49b5-44dc-ae35-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe
I usun co znajdzie oraz tym:
www.windowsecurity.com/trojanscan/
Po wszystkim wklej nowy log z hijackthis :-)

Do kontrolnego sprawdzenia

[Gość: xxx]

ależ tych trojanów mi się pojawiło, możesz zerknąć poniżej ;-)

Logfile of HijackThis v1.99.1
Scan saved at 23:06:52, on 06/03/2005
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\NA\Ustawienia lokalne\Temporary Internet
Files\Content.IE5\1ELOQREJ\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.wp.pl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital
Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-
Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital
Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32
\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner
AQ3
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Compaqed Service Drivers] compqed.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Compaqed Service Drivers] compqed.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Compaqed Service Drivers] compqed.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\RunServices: [Compaqed Service Drivers] compqed.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program
Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) -
www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4DCC1E8-687D-4BD3-8CA0-290C47BCC3F4}:
NameServer = 217.30.129.149,217.30.137.200
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32
\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1
\SPEEDD~1\nopdb.exe

[Gość: xxx]

aha zapomniałam jeszcze dopisać, po włączeniu komp. znowu mi się pojawiły dwa
czarne okna - windows/system32/cmd.exe ??? a coż to jest?

[Gość: xxx]

a i jeszcze jedno, nie mogłam wejśc do rejestru systemu przez regedit,
pojawiała się ramka i w ułamku sekundy znikała...

[Gość: Kolobos]

Dalej masz smiecie, w hijackthis to:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Compaqed Service Drivers] compqed.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\RunServices: [Compaqed Service Drivers] compqed.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O4 - HKCU\..\Run: [Compaqed Service Drivers] compqed.exe
O4 - HKCU\..\RunServices: [Compaqed Service Drivers] compqed.exe

Killbox'em to:

compqed.exe
wuampkd.exe

Poszukaj tych plikow w Start->Wyszukaj czy jak to sie zwie i usun oba
killbox'em za jednym razem.


A co do cmd to konsola (taki tryb msdos) i co Ci sie wyswietla w tym oknie?

[Gość: xxx]

w tym oknie cmd nic mi się nie wyświetla, jest puste.

Po odpaleniu komp. uruchamia mi się okno: A 2 IDS a wnim: C:\WINDOWS\System32
\scvhost.exe
Found a possible LAN bypass backdoor or spyware
While executing the program a˛ detected a possible malicious behavior. The
program tries to invisibly send data to the internet. If you are sure you want
that program to continue its invisible datatransfers allow it. If you are
unsure or you don't know that programm terminate it and send it in for further
analysis.
??????

Możesz zerknąć czy już jest OK

Logfile of HijackThis v1.99.1
Scan saved at 08:43:53, on 06/04/2005
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\WINDOWS\System32\wuampkd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\NA\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.wp.pl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital
Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-
Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital
Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32
\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner
AQ3
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program
Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) -
www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4DCC1E8-687D-4BD3-8CA0-290C47BCC3F4}:
NameServer = 217.30.129.149,217.30.137.200
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32
\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1
\SPEEDD~1\nopdb.exe

[Gość: Kolobos]

Troche lepiej ale dalej nie wszystko:

To w hijackthis:
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe

A te dwa pliki killbox'em:
C:\WINDOWS\System32\scvhost.exe
C:\Windows\system32\wuampkd.exe

I nie chce nowych logow jezeli dalej to w nich bedzie, dopiero jak usuniesz oba
pliki to wklej nowy log.

[Gość: xxx]

Mam nadzieję, że masz jeszcze jakieś zapasy cierpliwości :-)
Trochę miałam problem z tym C:\WINDOWS\System32\scvhost.exe, często te pliki po
zrestartowaniu komputera pojawiały się spowrotem :-(



Logfile of HijackThis v1.99.1
Scan saved at 22:05:22, on 06/04/2005
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\cfmon.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\NA\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.wp.pl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital
Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-
Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital
Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32
\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner
AQ3
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program
Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) -
www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4DCC1E8-687D-4BD3-8CA0-290C47BCC3F4}:
NameServer = 217.30.129.149,217.30.137.200
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32
\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner -
C:\WINDOWS\System32\cfmon.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1
\SPEEDD~1\nopdb.exe

[Gość: xxx]

Aha i jeszcze jedno - nie mogę się zalogować na moje konto mailowe na gazecie,
po wpisaniu loginu i hasła i wciśnięciu enter, znika wszystko i nie mogę się
tam dostać

[Gość: Kolobos]

Juz wyglada ok.

Dla pewnosci przeskanuj jeszcze raz przy pomocy Microsoft AntiSpyware oraz:
housecall.trendmicro.com/housecall/start_corp.asp
www.windowsecurity.com/trojanscan/
www.pandasoftware.com/activescan/pol/activescan_principal.htm

[Gość: Kolobos]

Jeszcze jedno zostalo do usuniecia.
Start->Uruchom->services.msc
odszukaj tam Sound Sservice Driver (Sound Service)
wejdz w jego wlasciwosci nacisnij zatrzymaj oraz zmien tryb uruchomienia na
zatrzymany.
Nastepnie w hijackthis wybierz Open Misc Tools i Delete NT Service i wpisz tam:
Sound Service
i ok.
Dodaj do killbox'a ten plik:
C:\WINDOWS\System32\cfmon.exe

Co do konta na gazecie to nie wiem.

[Gość: xxx]

Wielkie dzięki za pomoc! ... są jeszcze dobrzy ludzie na tym świecie :-)