
log - begging for help

IP: *.tychy.sdi.tpnet.pl 27.06.05, 02:03
Maybe I'm just dumb, because I can't deal with this and I don't even know what
it's about.... but either way I'd rather ask someone who knows about this, because
removing viruses on my own has already ended tragically for me several times!!!
So could someone please check this whole log

Logfile of HijackThis v1.99.1
Scan saved at 01:46:59, on 2005-06-27
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\AVACS\MpegTV Station PCITV\RemoteCtl.exe
C:\WINDOWS\system32\l?gonui.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\RUDACZ~1\USTAWI~1\Temp\Rar$EX00.248\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} -
C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CCB0AF7-E431-95EC-6076-9E3C1420EFCC} -
C:\WINDOWS\System32\kzw.dll
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} -
C:\DOCUME~1\RUDACZ~1\USTAWI~1\Temp\MegaHost.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} -
C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Onet.pl AutoUpdate] "C:\Program Files\Common
Files\Onet.pl\NewAutoUpdate.exe" /updateexetsr
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Service Host]
C:\WINDOWS\System32\Services\{B844AAF7-6EB7-40A2-AF6E-320D46E4EAD6}\SVCHOST.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Aooo] C:\Program Files\acou\ueop.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Oemm] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: ICQ-PL - Auto Update.lnk = C:\Program
Files\ICQ-PL\ICQ-PL_5.03_build_2315.exe
O4 - Global Startup: MpegTV Station PCITV Remote Control.lnk = C:\Program
Files\AVACS\MpegTV Station PCITV\RemoteCtl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program
Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program
files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} -
C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9}
- C:\Program Files\ICQLite\ICQLite.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 195.95.218.173
O15 - Trusted IP range: 195.95.218.173 (HKLM)
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} -
akamai.downloadv3.com/binaries/IA/svcsysnet32_EN_XP.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
skaner.mks.com.pl/SkanerOnline.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{02F010E0-9752-4062-AA7B-7980C57101C0}:
NameServer = 194.204.159.1
O17 -
HKLM\System\CCS\Services\Tcpip\..\{0A8B6DB5-7BF5-4F3D-8539-3EF50A6D173B}:
NameServer = 213.25.110.130
O17 -
HKLM\System\CS1\Services\Tcpip\..\{02F010E0-9752-4062-AA7B-7980C57101C0}:
NameServer = 194.204.159.1
O17 -
HKLM\System\CS2\Services\Tcpip\..\{02F010E0-9752-4062-AA7B-7980C57101C0}:
NameServer = 194.204.159.1
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O21 - SSODL: SvcSys - {1001342A-8A23-4E57-84C9-36E2AD3449ED} - svcsys.dll
(file missing)
O21 - SSODL: System - {8477DF16-05CF-4809-B32B-DEDC95B11147} - vr_sys.dll
(file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH -
C:\P
    • Guest: Kolobos Re: log - begging for help IP: *.warszawa.sdi.tpnet.pl 27.06.05, 09:00
      The whole one? I don't see that it's whole ;-) Don't run hijackthis from the zip,
      unpack it first and only then run it.

      The description of how to fix the wallpaper is here:
      www.searchengines.pl/phpbb203/index.php?showtopic=31936&st=0&p=175003&#entry175003

      Scan with this and remove everything it finds:
      download.microsoft.com/download/8/1/5/815d2d60-49b5-44dc-ae35-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe
      Use this and close the ports:
      www.firewallleaktester.com/tools/wwdc.exe
      From what's there, remove these entries:

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      195.95.218.172/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      195.95.218.172/index.php
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      195.95.218.172/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
      195.95.218.172/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      195.95.218.172/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      195.95.218.172/index.php
      O2 - BHO: (no name) - {2CCB0AF7-E431-95EC-6076-9E3C1420EFCC} -
      C:\WINDOWS\System32\kzw.dll
      O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} -
      C:\DOCUME~1\RUDACZ~1\USTAWI~1\Temp\MegaHost.dll (file missing)
      O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      O4 - HKLM\..\Run: [Service Host]
      C:\WINDOWS\System32\Services\{B844AAF7-6EB7-40A2-AF6E-320D46E4EAD6}\SVCHOST.EXE
      O4 - HKCU\..\Run: [Aooo] C:\Program Files\acou\ueop.exe
      O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      O4 - HKCU\..\Run: [Oemm] C:\WINDOWS\System32\l?gonui.exe
      O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
      O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
      O15 - Trusted Zone: www.archiviosex.net
      O15 - Trusted Zone: www.redfunny.com
      O15 - Trusted Zone: *.skoobidoo.com
      O15 - Trusted Zone: www.skymasters.biz
      O15 - Trusted Zone: *.slotchbar.com
      O15 - Trusted Zone: *.windupdates.com
      O15 - Trusted Zone: *.skoobidoo.com (HKLM)
      O15 - Trusted Zone: *.slotchbar.com (HKLM)
      O15 - Trusted Zone: *.windupdates.com (HKLM)
      O15 - Trusted IP range: 195.95.218.173
      O15 - Trusted IP range: 195.95.218.173 (HKLM)
      O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
      O21 - SSODL: SvcSys - {1001342A-8A23-4E57-84C9-36E2AD3449ED} - svcsys.dll
      (file missing)
      O21 - SSODL: System - {8477DF16-05CF-4809-B32B-DEDC95B11147} - vr_sys.dll
      (file missing)

      Then killbox:
      www.downloads.subratam.org/KillBox.zip
      Unpack it, tick Delete file on reboot, paste the path to the file (don't look
      for it yourself, just paste the ready-made one) and press the red button, but when
      asked about a restart answer no, and do this with these files:

      C:\WINDOWS\System32\kzw.dll
      C:\WINDOWS\System32\Services\{B844AAF7-6EB7-40A2-AF6E-320D46E4EAD6}\SVCHOST.EXE
      C:\Program Files\acou\ueop.exe <- delete the whole acou folder
      C:\WINDOWS\System32\paytime.exe
      C:\WINDOWS\System32\l?gonui.exe
      C:\winstall.exe
      C:\Program Files\SpySheriff\SpySheriff.exe <- delete the whole SpySheriff folder

      When it's all done, paste the WHOLE log.
      • Guest: ruda czarna offfca Re: log - begging for help IP: *.tychy.sdi.tpnet.pl 27.06.05, 14:31
        Logfile of HijackThis v1.99.1
        Scan saved at 14:29:44, on 2005-06-27
        Platform: Windows XP (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\AVPersonalPremium\AVWUPSRV.EXE
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Winamp\Winampa.exe
        C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
        C:\Program Files\AVPersonalPremium\AVGNT.EXE
        C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
        C:\WINDOWS\System32\ctfmon.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\Program Files\Gadu-Gadu\gg.exe
        C:\Program Files\AVACS\MpegTV Station PCITV\RemoteCtl.exe
        C:\Program Files\ICQ-PL\X_ICQ-PL_5.03_build_2315.exe
        C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
        C:\Documents and Settings\Ruda czarna offffca\Pulpit\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
        google.icq.com/search/search_frame.php
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
        google.icq.com
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        195.95.218.172/index.php
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
        195.95.218.172/index.php
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} -
        C:\Program Files\ICQToolbar\toolbaru.dll
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
        C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
        c:\program files\google\googletoolbar2.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
        C:\WINDOWS\System32\msdxm.ocx
        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
        files\google\googletoolbar2.dll
        O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program
        Files\ICQToolbar\toolbaru.dll
        O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
        O4 - HKLM\..\Run: [Onet.pl AutoUpdate] "C:\Program Files\Common
        Files\Onet.pl\NewAutoUpdate.exe" /updateexetsr
        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
        Files\Java\jre1.5.0_01\bin\jusched.exe
        O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
        O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
        O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonalPremium\AVGNT.EXE" /min
        O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
        O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
        O4 - Startup: ICQ-PL - Auto Update.lnk = C:\Program
        Files\ICQ-PL\ICQ-PL_5.03_build_2315.exe
        O4 - Global Startup: MpegTV Station PCITV Remote Control.lnk = C:\Program
        Files\AVACS\MpegTV Station PCITV\RemoteCtl.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
        Office\Office10\OSA.EXE
        O8 - Extra context menu item: &Google Search - res://c:\program
        files\google\GoogleToolbar2.dll/cmsearch.html
        O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program
        Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
        O8 - Extra context menu item: Backward Links - res://c:\program
        files\google\GoogleToolbar2.dll/cmbacklinks.html
        O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
        files\google\GoogleToolbar2.dll/cmcache.html
        O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
        res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
        O8 - Extra context menu item: Similar Pages - res://c:\program
        files\google\GoogleToolbar2.dll/cmsimilar.html
        O8 - Extra context menu item: Translate into English - res://c:\program
        files\google\GoogleToolbar2.dll/cmtrans.html
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
        C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console -
        {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
        Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
        O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} -
        C:\Program Files\ICQLite\ICQLite.exe
        O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} -
        C:\Program Files\ICQLite\ICQLite.exe
        O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} -
        akamai.downloadv3.com/binaries/IA/svcsysnet32_EN_XP.cab
        O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
        skaner.mks.com.pl/SkanerOnline.cab
        O17 - HKLM\System\CCS\Services\Tcpip\..\{02F010E0-9752-4062-AA7B-7980C57101C0}:
        NameServer = 194.204.159.1
        O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8B6DB5-7BF5-4F3D-8539-3EF50A6D173B}:
        NameServer = 213.25.110.130
        O17 - HKLM\System\CS1\Services\Tcpip\..\{02F010E0-9752-4062-AA7B-7980C57101C0}:
        NameServer = 194.204.159.1
        O17 - HKLM\System\CS2\Services\Tcpip\..\{02F010E0-9752-4062-AA7B-7980C57101C0}:
        NameServer = 194.204.159.1
        O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany -
        C:\Program Files\AVPersonalPremium\AVWUPSRV.EXE
        • Guest: Kolobos Re: log - begging for help IP: *.warszawa.sdi.tpnet.pl 27.06.05, 15:27
          Also remove:

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
          195.95.218.172/index.php
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
          195.95.218.172/index.php

          The rest is OK now.
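
The last reply checks the follow-up log against the earlier removal list by eye. As an added example (not part of the thread), this Python script rejoins the forum's wrapped HijackThis lines into whole entries and reports which entries from the fix list the follow-up scan still contains; the function names are chosen for the illustration and the embedded text is excerpted from the logs above.

```python
import re

# HijackThis entries open with a section code: R0-R3, F0-F3, N1-N4 or O1-O24.
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) -(\s|$)")

def parse_entries(text):
    """Rejoin forum-wrapped lines; return one normalized string per entry."""
    entries, current = [], None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        line = raw.strip()
        if ENTRY_START.match(line) or not line:
            if current is not None:
                entries.append(" ".join(current.split()))
            current = line or None            # a blank line ends the entry block
        elif current is not None:
            current += " " + line             # continuation of a wrapped entry
    return entries

def still_present(fix_list, followup_log):
    """Entries the helper asked to fix that the follow-up scan still reports."""
    remaining = set(parse_entries(followup_log))
    return [e for e in parse_entries(fix_list) if e in remaining]

# Excerpts from the logs in this thread, kept with the forum's line wrapping.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
195.95.218.172/index.php
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Service Host]
C:\WINDOWS\System32\Services\{B844AAF7-6EB7-40A2-AF6E-320D46E4EAD6}\SVCHOST.EXE
O21 - SSODL: SvcSys - {1001342A-8A23-4E57-84C9-36E2AD3449ED} - svcsys.dll
(file missing)
"""
FOLLOWUP = r"""
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
195.95.218.172/index.php
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{02F010E0-9752-4062-AA7B-7980C57101C0}:
NameServer = 194.204.159.1
"""

if __name__ == "__main__":
    for entry in still_present(FIX_LIST, FOLLOWUP):
        print("still present:", entry)
```

Text that follows the last entry without a blank line is treated as a continuation, so paste the log sections on their own.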
