IP: *.com.pl / *.zetosa.com.pl 03.06.05, 14:37
Logfile of HijackThis v1.99.1
Scan saved at 14:32:39, on 2005-06-03
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\win32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Właściciel\Pulpit\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
yoursearch.ws/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
yoursearch.ws/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
yoursearch.ws/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
yoursearch.ws/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
yoursearch.ws/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
yoursearch.ws/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
yoursearch.ws/browser/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,AutoConfigURL = proxy.zetosa.pl/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} -
C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} -
C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32
\nsr187.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32
\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program
Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program
Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] C:\Program
Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [Wxp4] C:\WINDOWS\System32\Norton Update.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02
\bin\jusched.exe
O4 - HKLM\..\Run: [VM3gPPmA] C:\WINDOWS\chaxb.exe
O4 - HKLM\..\Run: [Tzmlm] C:\Program Files\Wdffsu\Lozspz.exe
O4 - HKLM\..\Run: [V÷h$ćĹőö/ŘG%)ßfĎNbC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\chaxb.exe
O4 - HKLM\..\Run: [bO˛ůđ\×y-ŻŚ] C:\WINDOWS\chaxb.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [yhwx] C:\WINDOWS\yhwx.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{1A83B1AA-0374-
40A9-9BFB-AD03EFCCC7BA}\SVCHOST.EXE
O4 - HKLM\..\Run: [_Cat2] C:\WINDOWS\nmstt.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security
iGuard.exe
O4 - HKLM\..\Run: [jkulvv] c:\windows\system32\hejycs.exe
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program
Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [IncrediMail] C:\Program
Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} -
C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} -
C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} -
C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-
C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Microsoft AntiSpyware helper - {FCB753C7-56C2-4B8A-AD43-
D894486E0C73} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FCB753C7-56C2-
4B8A-AD43-D894486E0C73} - (no file) (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O
    • Guest: Kolobos Re: help! IP: *.warszawa.sdi.tpnet.pl 03.06.05, 15:14
      Uninstall:
      Media Access
      Security iGuard

      Here is a description of how to remove iSearch "Desktop Search":
      www.searchengines.pl/phpbb203/index.php?
      showtopic=12510&st=0&p=109496&#entry135478

      Download this:
      www.firewallleaktester.com/tools/wwdc.exe
      And use it to close all ports.

      Then this:
      download.microsoft.com/download/8/1/5/815d2d60-49b5-44dc-ae35-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe
      Scan the system with it and delete whatever it finds.

      Finally, also with these:
      housecall.trendmicro.com/housecall/start_corp.asp
      www.windowsecurity.com/trojanscan/
      Also download:
      users.pandora.be/bluepatchy/nailfix.zip
      www.downloads.subratam.org/KillBox.zip
      Start Windows in Safe Mode, run nailfix,
      and in HijackThis delete these:

      > R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
      > yoursearch.ws/browser/
      > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      > 195.95.218.172/index.php
      > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
      > yoursearch.ws/browser/
      > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
      > yoursearch.ws/browser/
      > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      > 195.95.218.172/index.php
      > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
      > yoursearch.ws/browser/
      > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
      > yoursearch.ws/browser/
      > R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
      > 195.95.218.172/index.php
      > R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      > yoursearch.ws/browser/
      > R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      > yoursearch.ws/browser/
      > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      > 195.95.218.172/index.php
      > R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      > 195.95.218.172/index.php
      > F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
      > O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} -
      > C:\WINDOWS\System32\vbrundll.dll
      > O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} -
      > C:\WINDOWS\SYSTEM\Loader.dll (file missing)
      > O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32
      > \nsr187.dll
      > O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
      > O4 - HKLM\..\Run: [Wxp4] C:\WINDOWS\System32\Norton Update.exe
      > O4 - HKLM\..\Run: [VM3gPPmA] C:\WINDOWS\chaxb.exe
      > O4 - HKLM\..\Run: [Tzmlm] C:\Program Files\Wdffsu\Lozspz.exe
      > O4 - HKLM\..\Run: [V÷h$ćĹőö/ŘG%)ßfĎNbC:\Program Files\ISTsvc\istsvc.exe]
      > C:\WINDOWS\chaxb.exe
      > O4 - HKLM\..\Run: [bO˛ůđ\×y-ŻŚ] C:\WINDOWS\chaxb.exe
      > O4 - HKLM\..\Run: [yhwx] C:\WINDOWS\yhwx.exe
      > O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
      > O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
      > O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
      > O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      > O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
      > O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{1A83B1AA-0374-
      > 40A9-9BFB-AD03EFCCC7BA}\SVCHOST.EXE
      > O4 - HKLM\..\Run: [_Cat2] C:\WINDOWS\nmstt.exe
      > O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security
      > iGuard.exe
      > O4 - HKLM\..\Run: [jkulvv] c:\windows\system32\hejycs.exe
      > O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      > O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
      > O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
      > O9 - Extra button: Microsoft AntiSpyware helper - {FCB753C7-56C2-4B8A-AD43-
      > D894486E0C73} - (no file) (HKCU)
      > O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FCB753C7-56C2-
      > 4B8A-AD43-D894486E0C73} - (no file) (HKCU)

      And all the O15 entries.

      Delete these files with KillBox with the "delete on reboot" option checked, but add
      all of them first, without restarting:

      C:\WINDOWS\Nail.exe
      C:\WINDOWS\System32\vbrundll.dll
      C:\WINDOWS\SYSTEM\Loader.dll (file missing)
      C:\WINDOWS\System32\nsr187.dll
      C:\WINDOWS\System32\systime.exe
      C:\WINDOWS\System32\Norton Update.exe
      C:\Program Files\Wdffsu\Lozspz.exe
      C:\WINDOWS\chaxb.exe
      C:\WINDOWS\yhwx.exe
      C:\Program Files\Media Access\MediaAccK.exe
      C:\WINDOWS\isrvs\desktop.exe
      C:\WINDOWS\isrvs\ffisearch.exe
      C:\WINDOWS\System32\paytime.exe
      C:\WINDOWS\System32\regsync.exe
      C:\WINDOWS\System32\Services\{1A83B1AA-0374-40A9-9BFB-AD03EFCCC7BA}\SVCHOST.EXE
      C:\WINDOWS\nmstt.exe
      C:\Program Files\Security iGuard\Security iGuard.exe
      c:\windows\system32\hejycs.exe
      C:\WINDOWS\System32\paytime.exe
      c:\bsw.exe
      C:\WINDOWS\System32\win32.exe

      Once you have done all of that, reboot, and after the reboot paste a new HijackThis log.
      • Guest: ewka Re: help! IP: *.com.pl / *.zetosa.com.pl 03.06.05, 15:28
        Thanks so much for the help! But I have a question: how do I uninstall Media
        Access and Security iGuard? I can't find them anywhere.
        • Guest: Kolobos Re: help! IP: *.warszawa.sdi.tpnet.pl 03.06.05, 15:34
          Control Panel -> Add/Remove Programs, if they are listed there of course; if not,
          just carry on with what I wrote :-)
          • Guest: ewka Re: help! IP: *.com.pl / *.zetosa.com.pl 03.06.05, 15:36
            Exactly, they're not there :)) that's why I got confused, thanks for the reply :))
            • Guest: ewka Re: help! IP: *.com.pl / *.zetosa.com.pl 03.06.05, 15:43
              When I try to open www.searchengines.pl/phpbb203/index.php?
              showtopic=12510&st=0&p=109496&#entry135478
              this is what I get:

              The page cannot be displayed
              The page you are looking for is currently unavailable. The Web site might be
              experiencing technical difficulties, or you may need to adjust your browser
              settings.

              --------------------------------------------------------------------------------

              Please try the following:


              Choose your topic of interest:

              Cars Movies Software
              Cheap Flights Health Travel
              Computers Jobs Vegas
              Entertainment MP3 Spyware
              Windows Real Estate Shopping

              :[
              • Guest: Kolobos Re: help! IP: *.warszawa.sdi.tpnet.pl 03.06.05, 16:07
                If you didn't have that spyware etc. it would probably open, but never mind, carry
                on with everything and don't post every few minutes; you can remove that later,
                once the page maybe starts opening.
                • Guest: Kolobos Re: help! IP: *.warszawa.sdi.tpnet.pl 03.06.05, 16:12
                  Or open it like this:
                  216.239.59.104/search?sourceid=navclient-menuext&ie=UTF-8&oe=UTF-
                  8&q=cache:http%3A%2F%2Fwww.searchengines.pl%2Fphpbb203%2Findex.php%3Fshowtopic%
                  3D12510

                  The link will get broken, so glue it back together so it is on one line, find
                  iSearch Desktop there and remove it the way it is described there.
                  • Guest: ewka Re: help! IP: *.zetosa.com.pl 03.06.05, 17:55
                    I did everything just as you advised.
                    Here is the new log:

                    Logfile of HijackThis v1.99.1
                    Scan saved at 17:54:28, on 2005-06-03
                    Platform: Windows XP (WinNT 5.01.2600)
                    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

                    Running processes:
                    C:\WINDOWS\System32\smss.exe
                    C:\WINDOWS\system32\services.exe
                    C:\WINDOWS\system32\lsass.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\system32\spoolsv.exe
                    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                    C:\Program Files\Alwil Software\Avast4\ashServ.exe
                    C:\WINDOWS\System32\CTsvcCDA.EXE
                    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\System32\MsPMSPSv.exe
                    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                    C:\Program Files\QuickTime\qttask.exe
                    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
                    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
                    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
                    C:\Program Files\Creative\ShareDLL\CtNotify.exe
                    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
                    C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
                    C:\WINDOWS\srkewg.exe
                    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
                    C:\Program Files\Winamp\winampa.exe
                    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
                    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
                    C:\Program Files\Messenger\msmsgs.exe
                    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
                    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
                    C:\Program Files\Winamp\winamp.exe
                    C:\Program Files\Internet Explorer\IEXPLORE.EXE
                    C:\Documents and Settings\Właściciel\Pulpit\hijackthis\HijackThis.exe

                    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
                    195.95.218.172/index.php
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
                    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
                    C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
                    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
                    C:\WINDOWS\System32\msdxm.ocx
                    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -
                    atboottime
                    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
                    Files\HP\hpcoretech\hpcmpmgr.exe"
                    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32
                    \spool\drivers\w32x86\3\hpztsb10.exe
                    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
                    Software Update\HPWuSchd2.exe"
                    O4 - HKLM\..\Run: [Disc Detector] C:\Program
                    Files\Creative\ShareDLL\CtNotify.exe
                    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
                    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
                    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
                    O4 - HKLM\..\Run: [CTAvTray] C:\Program
                    Files\Creative\SBLive\Program\CTAvTray.EXE
                    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02
                    \bin\jusched.exe
                    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
                    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
                    O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{1A83B1AA-0374-
                    40A9-9BFB-AD03EFCCC7BA}\SVCHOST.EXE
                    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
                    AntiSpyware\gcasServ.exe"
                    O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft
                    AntiSpyware\gcASCleaner.exe
                    O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program
                    Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
                    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
                    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                    O8 - Extra context menu item: &Add animation to IncrediMail Style Box -
                    C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
                    O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
                    res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
                    C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
                    00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} -
                    C:\PROGRA~1\ICQ\ICQ.exe
                    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} -
                    C:\PROGRA~1\ICQ\ICQ.exe
                    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} -
                    C:\Program Files\Hello\PicasaCapture.dll
                    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-
                    C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
                    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
                    v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109163090920
                    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) -
                    updates.lifescapeinc.com/installers/pinstall/pinstall.cab
                    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
                    a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
                    O16 - DPF: {81E688E8-36A4-4FEF-B70B-8B0A1C5C1308} (WebLauncherX Control) -
                    www.cadprojekt.com.pl/netdesign/launcher.cab
                    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
                    217.117.128.162/activex/AxisCamControl.cab
                    O16 - DPF: {A9ED6AA2-D9D4-4D71-9586-E293E2E3580B} (GameDesire
                    Marbies&Diamonds) - 67.15.101.3/g_bin/pl/marbles_2_0_0_21.cab
                    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) -
                    www.windowsecurity.com/trojanscan/axscan.cab
                    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
                    ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
                    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -
                    www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
                    O16 - DPF: {FBFF6F10-A2FC-9544-832F-A1F75A0501AE} - www.italian-
                    toplist.com/cart/gs/gsa0122.exe
                    O17 - HKLM\System\CCS\Services\Tcpip\..\{B144D6EC-3EF9-42F9-9BB6-630D33865D7F}:
                    NameServer = 212.160.238.2,80.85.224.50
                    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} -
                    C:\WINDOWS\isrvs\mfiltis.dll
                    O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
                    O21 - SSODL: zVJgdVn - {6CCB1F5D-C661-B5F7-BA5C-744A7FFB9280} -
                    C:\WINDOWS\System32\zgphs.dll
                    O21 - SSODL: System - {1F4F276A-DAA0-4E68-B42D-86EA81B408B9} - vr_sys.dll (file
                    missing)
                    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
                    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
                    Software\Avast4\ashServ.exe
                    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
                    Software\Avast4\ashMaiSv.exe" /service (file missing)
                    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
                    C:\WINDOWS\System32\CTsvcCDA.EXE
                    • Guest: ewa Re: help! IP: *.zetosa.com.pl 03.06.05, 17:57
                      Ah, I almost forgot: I still have the "security warning" wallpaper on my desktop,
                      which I can't change because there are no options at all in Display Properties.
                    • Guest: Kolobos Re: help! IP: *.warszawa.sdi.tpnet.pl 03.06.05, 19:11
                      And now the whole log and the rest of the junk is visible.

                      The description of how to fix the wallpaper is here:
                      216.239.59.104/search?sourceid=navclient-menuext&ie=UTF-8&oe=UTF-
                      8&q=cache:http%3A%2F%2Fwww.searchengines.pl%2Fphpbb203%2Findex.php%3Fshowtopic%
                      3D31936

                      In the previous post I gave you a link; in it also look up:
                      Backdoor.Haxdoor variant C, and once again iSearch "Desktop Search", because I
                      still see it in the log, so I guess you didn't quite follow it ;-)


                      Start Windows in Safe Mode again and in HijackThis check these entries:

                      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
                      195.95.218.172/index.php
                      F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
                      O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
                      O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{1A83B1AA-0374-
                      40A9-9BFB-AD03EFCCC7BA}\SVCHOST.EXE
                      O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -
                      www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
                      O16 - DPF: {FBFF6F10-A2FC-9544-832F-A1F75A0501AE} - www.italian-
                      toplist.com/cart/gs/gsa0122.exe
                      O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} -
                      C:\WINDOWS\isrvs\mfiltis.dll
                      O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
                      O21 - SSODL: zVJgdVn - {6CCB1F5D-C661-B5F7-BA5C-744A7FFB9280} -
                      C:\WINDOWS\System32\zgphs.dll
                      O21 - SSODL: System - {1F4F276A-DAA0-4E68-B42D-86EA81B408B9} - vr_sys.dll (file
                      missing)


                      Delete these with KillBox:
                      C:\WINDOWS\System32\zgphs.dll
                      C:\WINDOWS\SYSTEM32\drct16.dll <- this is the backdoor I wrote about above,
                      remove it as in the description
                      C:\WINDOWS\isrvs\mfiltis.dll <- iSearch is still there too
                      C:\WINDOWS\isrvs\ffisearch.exe
                      C:\WINDOWS\Nail.exe
                      C:\WINDOWS\System32\Services\{1A83B1AA-0374-40A9-9BFB-AD03EFCCC7BA}\SVCHOST.EXE

                      Once you have removed all of it and it is no longer in the log, you can paste a new one ;-)
                      • Guest: ewa Re: help! IP: *.zetosa.com.pl 03.06.05, 20:47
                        When I go to those links, Google comes up:
                        The phrase - cache:www.searchengines.pl/phpbb203/index.php?showtopic% -
                        was not found.
                        even though I glued them together like you said...
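The entries Kolobos singled out in his two replies above (the F2 Shell= line, the O15 Trusted Zone wildcards, the O4 Run values with garbage names or an svchost.exe outside System32, and later the O18/O20/O21 hooks) follow a few patterns a defender can check mechanically. The Python below is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the posted log, and the heuristics are my own assumptions, so a hit marks an entry for review rather than proving it malicious.

```python
"""Triage of HijackThis v1.99 log entries (added example, not the tool's own code).

Each "Oxx - ..." line is parsed and checked against defender-side heuristics
that reproduce why the helper in this thread picked the entries he did.  The
rules are assumptions of this example; HijackThis itself lists entries without
judging them.
"""
import re
from dataclasses import dataclass, field

# Sample lines constructed from the log posted in the thread (forum line wraps
# joined back so that every entry sits on one line).  Raw string, so the
# Windows paths keep their single backslashes.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.wp.pl/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bO˛ůđ\×y-ŻŚ] C:\WINDOWS\chaxb.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{1A83B1AA-0374-40A9-9BFB-AD03EFCCC7BA}\SVCHOST.EXE
O15 - Trusted Zone: *.iframedollars.biz
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: System - {1F4F276A-DAA0-4E68-B42D-86EA81B408B9} - vr_sys.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
BARE_IP_RE = re.compile(r"^(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
RUN_RE = re.compile(r"\[(?P<name>.*?)\] (?P<path>.+)$")

# Sections that hook a DLL into IE, winlogon or Explorer for every page/logon
# and are seldom legitimate on a home machine.
HOOK_SECTIONS = {
    "O18": "MIME filter registered: a DLL sees every text/html page IE loads",
    "O20": "Winlogon Notify DLL: loaded by winlogon.exe at every logon",
    "O21": "ShellServiceObjectDelayLoad entry: loaded by Explorer at startup",
}


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Return a Finding for a HijackThis entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    f = Finding(section, line.strip())
    if section in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        if BARE_IP_RE.match(value):
            f.reasons.append("IE start/search page points at a bare IP address")
    elif section == "F2":
        # system.ini Shell= should be exactly Explorer.exe; anything appended
        # is started alongside the shell at every logon.
        sm = re.search(r"Shell=(.+)$", body)
        if sm and [p.lower() for p in sm.group(1).split()] != ["explorer.exe"]:
            f.reasons.append("system.ini Shell= launches more than Explorer.exe")
    elif section == "O4":
        rm = RUN_RE.search(body)
        if rm:
            name, path = rm.group("name"), rm.group("path").lower()
            if any(ord(c) > 127 for c in name):
                f.reasons.append("Run value name is non-ASCII garbage")
            if "svchost.exe" in path and "\\system32\\svchost.exe" not in path:
                f.reasons.append("svchost.exe started from outside System32")
    elif section == "O15" and body.startswith("Trusted Zone: *."):
        f.reasons.append("wildcard domain placed in the IE Trusted Zone")
    elif section in HOOK_SECTIONS:
        f.reasons.append(HOOK_SECTIONS[section])
    if "(file missing)" in body:
        f.reasons.append("referenced file is missing (orphaned entry)")
    return f


def triage(log_text: str):
    """Return only the entries that tripped at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f and f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```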
                        • Guest: Kolobos Re: help! IP: *.warszawa.sdi.tpnet.pl 03.06.05, 21:27
                          I don't think you're reading what I write to you at all :(
                          I wrote that the link got broken and that the whole thing has to be on one line; here's one:
                          42.pl/url/cxP
                          At least this one won't break, and you won't write that it doesn't work.
                          • Guest: ewka Re: help! IP: *.zetosa.com.pl 03.06.05, 23:19
                            Final log, here you go:

                            Logfile of HijackThis v1.99.1
                            Scan saved at 23:18:40, on 2005-06-03
                            Platform: Windows XP (WinNT 5.01.2600)
                            MSIE: Internet Explorer v6.00 (6.00.2600.0000)

                            Running processes:
                            C:\WINDOWS\System32\smss.exe
                            C:\WINDOWS\system32\winlogon.exe
                            C:\WINDOWS\system32\services.exe
                            C:\WINDOWS\system32\lsass.exe
                            C:\WINDOWS\system32\svchost.exe
                            C:\WINDOWS\System32\svchost.exe
                            C:\WINDOWS\system32\spoolsv.exe
                            C:\WINDOWS\Explorer.EXE
                            C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                            C:\Program Files\Alwil Software\Avast4\ashServ.exe
                            C:\WINDOWS\System32\CTsvcCDA.EXE
                            C:\Program Files\ewido\security suite\ewidoctrl.exe
                            C:\Program Files\ewido\security suite\ewidoguard.exe
                            C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                            C:\WINDOWS\System32\svchost.exe
                            C:\WINDOWS\System32\MsPMSPSv.exe
                            C:\Program Files\QuickTime\qttask.exe
                            C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
                            C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
                            C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
                            C:\Program Files\Creative\ShareDLL\CtNotify.exe
                            C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                            C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
                            C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
                            C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
                            C:\Program Files\Winamp\winampa.exe
                            C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                            C:\Program Files\Messenger\msmsgs.exe
                            C:\Program Files\Creative\ShareDLL\MediaDet.Exe
                            C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
                            C:\PROGRA~1\INCRED~1\bin\IMApp.exe
                            C:\Documents and Settings\Właściciel\Pulpit\hijackthis\HijackThis.exe
                            C:\WINDOWS\System32\wuauclt.exe

                            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.wp.pl/
                            O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
                            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
                            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                            O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
                            O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
                            O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
                            O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
                            O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
                            O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
                            O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
                            O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
                            O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
                            O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
                            O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                            O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
                            O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
                            O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
                            O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                            O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
                            O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                            O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
                            O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
                            O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
                            O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
                            O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
                            O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109163090920
                            O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
                            O16 - DPF: {81E688E8-36A4-4FEF-B70B-8B0A1C5C1308} (WebLauncherX Control) - www.cadprojekt.com.pl/netdesign/launcher.cab
                            O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com/trojanscan/axscan.cab
                            O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
                            O17 - HKLM\System\CCS\Services\Tcpip\..\{B144D6EC-3EF9-42F9-9BB6-630D33865D7F}: NameServer = 212.160.238.2,80.85.224.50
                            O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                            O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
                            O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
                            O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
                            O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
                            O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

                            • Guest: barracuda7110 Re: help! IP: *.dsl.telepac.pt 03.06.05, 23:54
                              Install the Windows patches (SP2 and later). You can also install an
                              alternative browser ( www.firefox.pl or www.opera.com )
                            • Guest: Kolobos Re: help! IP: *.warszawa.sdi.tpnet.pl 04.06.05, 00:47
                              Looks OK. You probably can't install the Windows updates because you have a
                              pirated Windows with a bad key? Why install such a Windows at all if you
                              can't install updates?
                              • Guest: ewka Re: help! IP: *.zetosa.com.pl 04.06.05, 11:33
                                probably I can't ;) many thanks for the quick and professional help
                                regards
