Logfile of HijackThis v1.99.1

Scan saved at 15:49:11, on 2005-07-01

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\FSI\F-Prot\fpavupdm.exe

C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\taskswitch.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\WINDOWS\System32\WF2K.EXE

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\FSI\F-Prot\F-StopW.EXE

C:\WINDOWS\System32\wupaderees.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\AutoConnect\AutoConnect.exe

C:\Program Files\Tlen.pl\tlen.exe

C:\Program Files\NetMeter\NetMeter.exe

F:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)

O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)

O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O4 - HKLM…\Run: [NVMixerTray] “C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”

O4 - HKLM…\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

O4 - HKLM…\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe

O4 - HKLM…\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM…\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM…\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM…\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE

O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033

O4 - HKLM…\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE

O4 - HKLM…\Run: [Microsoft DDEs Control] wupaderees.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM…\RunServices: [Microsoft DDEs Control] wupaderees.exe

O4 - HKCU…\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU…\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe

O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe

O4 - HKCU…\Run: [C] C:\Program Files\NetMeter\NetMeter.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Media … e-c139.cab

O17 - HKLM\System\CCS\Services\Tcpip…{4A6603BE-4CCA-4C5D-BE32-1EFA3600174B}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Jeśli usunąłeś już oprogramowanie oryginalne Neostrady, usuń te wpisy:

R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)

   	O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)

To pozostałość po EliteToolbar, kasacja:

O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

Kosmetycznie skasuj wpis:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Alexa, kasacja:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

   	O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Kasacja szkodliwej kontrolki ActiveX:

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab

Tego zapewne nie znasz. Ja też nie. Google też o tym nic nie mówią, czyli na 98% to syf. Skasuj. W trybie awaryjnym [F8] w czasie bootowania komputera z wyłączonym przywracaniem systemu.

C:\WINDOWS\System32\ wupaderees.exe

Jeśli plik będzie stawiał opór, użyj programu KillBox.

Link: http://www.downloads.subratam.org/KillBox.zip

Odpalasz Killboxa zaznacz opcję Delete on Reboot następnie w polu Full Path of File to Delete wklej ścieżke:

C:\WINDOWS\System32\ wupaderees.exe

następnie program będzie pytał o restart (oczywiście zgadzasz się).

Po czynnościach nowy log.

Logfile of HijackThis v1.99.1

Scan saved at 16:16:13, on 2005-07-01

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\FSI\F-Prot\fpavupdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\WINDOWS\System32\taskswitch.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\WINDOWS\System32\WF2K.EXE

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\FSI\F-Prot\F-StopW.EXE

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\AutoConnect\AutoConnect.exe

C:\Program Files\Tlen.pl\tlen.exe

C:\Program Files\NetMeter\NetMeter.exe

F:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll

O4 - HKLM…\Run: [NVMixerTray] “C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”

O4 - HKLM…\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings

O4 - HKLM…\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe

O4 - HKLM…\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM…\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM…\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM…\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE

O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033

O4 - HKLM…\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE

O4 - HKLM…\Run: [Microsoft DDEs Control] wupaderees.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM…\RunServices: [Microsoft DDEs Control] wupaderees.exe

O4 - HKCU…\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU…\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe

O4 - HKCU…\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe

O4 - HKCU…\Run: [C] C:\Program Files\NetMeter\NetMeter.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O16 - DPF: ING Bank Online - https://ssl.bsk.com.pl/bskonl/component/INGOnl.cab

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Media … e-c139.cab

O17 - HKLM\System\CCS\Services\Tcpip…{4A6603BE-4CCA-4C5D-BE32-1EFA3600174B}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Pozdrawiam i dziękuje

Log czysty.

Skasuj pochodne wpisy:

O4 - HKLM\..\Run: [Microsoft DDEs Control] wupaderees.exe

   	O4 - HKLM\..\RunServices: [Microsoft DDEs Control] wupaderees.exe

oraz kontrolkę.

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab

Wyczyść foldery Teporary Internet Files, TEMP, Pretetch.