Please check my log and... help me remove a virus


(Stevr) #1

I keep getting messages about a win32-something virus - I can't get rid of it - can someone help me?

Log:

Logfile of HijackThis v1.99.1

Scan saved at 11:10:10, on 2006-09-05

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE

C:\WINDOWS\TBPanel.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\CTSvcCDA.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe

C:\Program Files\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe

C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\PROFIL~1.EXE

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\TuneUp Utilities\Integrator.exe

C:\WINDOWS\MSmedia.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Outlook Express\msimn.exe

C:\Documents and Settings\Olaf\Ustawienia lokalne\Temp\Katalog tymczasowy 3 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://signup.t-online.de/cgi-bin/vek/ ... ode=stcd01

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lacza

F2 - REG:system.ini: Shell=explorer.exe

O1 - Hosts: 61.129.88.154 lloydstsb.co.uk

O1 - Hosts: 61.129.88.154 online.lloydstsb.co.uk

O1 - Hosts: 61.129.88.154 http://www.lloydstsb.co.uk

O1 - Hosts: 61.129.88.154 http://www.lloydstsb.com

O1 - Hosts: 61.129.88.154 http://www.lloydstsb.com

O1 - Hosts: 61.129.88.154 personal.barclays.co.uk

O1 - Hosts: 61.129.88.154 barclays.co.uk

O1 - Hosts: 61.129.88.154 ibank.barclays.co.uk

O1 - Hosts: 61.129.88.154 http://www.barclays.co.uk

O1 - Hosts: 61.129.88.154 http://www.nwolb.com

O1 - Hosts: 61.129.88.154 nwolb.com

O1 - Hosts: 61.129.88.154 hsbc.co.uk

O1 - Hosts: 61.129.88.154 http://www.hsbc.co.uk

O1 - Hosts: 61.129.88.154 abbey.com

O1 - Hosts: 61.129.88.154 http://www.abbey.com

O1 - Hosts: 61.129.88.154 http://www.abbey.co.uk

O1 - Hosts: 61.129.88.154 abbey.co.uk

O1 - Hosts: 61.129.88.154 cahoot.com

O1 - Hosts: 61.129.88.154 http://www.cahoot.com

O1 - Hosts: 61.129.88.154 http://www.cahoot.co.uk

O1 - Hosts: 61.129.88.154 cahoot.co.uk

O1 - Hosts: 61.129.88.154 http://www.co-operativebank.co.uk

O1 - Hosts: 61.129.88.154 co-operativebank.co.uk

O1 - Hosts: 61.129.88.154 http://www.co-operativebank.com

O1 - Hosts: 61.129.88.154 co-operativebank.com

O1 - Hosts: 61.129.88.154 welcome2.co-operativebankonline.co.uk

O1 - Hosts: 61.129.88.154 welcome6.co-operativebankonline.co.uk

O1 - Hosts: 61.129.88.154 welcome8.co-operativebankonline.co.uk

O1 - Hosts: 61.129.88.154 welcome10.co-operativebankonline.co.uk

O1 - Hosts: 61.129.88.154 http://www.smile.co.uk

O1 - Hosts: 61.129.88.154 smile.co.uk

O1 - Hosts: 61.129.88.154 http://www.cajamar.es

O1 - Hosts: 61.129.88.154 cajamar.es

O1 - Hosts: 61.129.88.154 http://www.cajamar.com

O1 - Hosts: 61.129.88.154 cajamar.com

O1 - Hosts: 61.129.88.154 http://www.unicaja.es

O1 - Hosts: 61.129.88.154 unicaja.es

O1 - Hosts: 61.129.88.154 http://www.unicaja.com

O1 - Hosts: 61.129.88.154 unicaja.com

O1 - Hosts: 61.129.88.154 http://www.caixagalicia.es

O1 - Hosts: 61.129.88.154 caixagalicia.es

O1 - Hosts: 61.129.88.154 http://www.caixagalicia.com

O1 - Hosts: 61.129.88.154 caixagalicia.com

O1 - Hosts: 61.129.88.154 activa.caixagalicia.es

O1 - Hosts: 61.129.88.154 http://www.caixapenedes.es

O1 - Hosts: 61.129.88.154 caixapenedes.es

O1 - Hosts: 61.129.88.154 http://www.caixapenedes.com

O1 - Hosts: 61.129.88.154 caixapenedes.com

O1 - Hosts: 61.129.88.154 bancae.caixapenedes.com

O1 - Hosts: 61.129.88.154 http://www.caixasabadell.es

O1 - Hosts: 61.129.88.154 caixasabadell.es

O1 - Hosts: 61.129.88.154 http://www.caixasabadell.net

O1 - Hosts: 61.129.88.154 caixasabadell.net

O1 - Hosts: 61.129.88.154 http://www.cajamadrid.es

O1 - Hosts: 61.129.88.154 cajamadrid.es

O1 - Hosts: 61.129.88.154 http://www.cajamadrid.com

O1 - Hosts: 61.129.88.154 cajamadrid.com

O1 - Hosts: 61.129.88.154 oi.cajamadrid.es

O1 - Hosts: 61.129.88.154 http://www.ccm.es

O1 - Hosts: 61.129.88.154 ccm.es

O1 - Hosts: 61.129.88.154 http://www.haspa.de

O1 - Hosts: 61.129.88.154 haspa.de

O1 - Hosts: 61.129.88.154 ssl2.haspa.de

O1 - Hosts: 61.129.88.154 http://www.dresdner-bank.de

O1 - Hosts: 61.129.88.154 dresdner-bank.de

O1 - Hosts: 61.129.88.154 http://www.dresdner-privat.de

O1 - Hosts: 61.129.88.154 postbank.de

O1 - Hosts: 61.129.88.154 http://www.postbank.de

O1 - Hosts: 61.129.88.154 banking.postbank.de

O1 - Hosts: 61.129.88.154 http://www.sparda-b.de

O1 - Hosts: 61.129.88.154 sparda-b.de

O1 - Hosts: 61.129.88.154 http://www.bankingonline.de

O1 - Hosts: 61.129.88.154 http://www.raiffeisenbank-erding.de

O1 - Hosts: 61.129.88.154 raiffeisenbank-erding.de

O1 - Hosts: 61.129.88.154 http://www.vr-networld-ebanking.de

O1 - Hosts: 61.129.88.154 vr-networld-ebanking.de

O1 - Hosts: 61.129.88.154 http://www.bnhof.de

O1 - Hosts: 61.129.88.154 bnhof.de

O1 - Hosts: 61.129.88.154 http://www.deutsche-bank.de

O1 - Hosts: 61.129.88.154 deutsche-bank.de

O1 - Hosts: 61.129.88.154 meine.deutsche-bank.de

O1 - Hosts: 61.129.88.154 http://www.citibank.de

O1 - Hosts: 61.129.88.154 citibank.de

O1 - Hosts: 61.129.88.154 http://www.dkb.de

O1 - Hosts: 61.129.88.154 dkb.de

O1 - Hosts: 61.129.88.154 http://www.sparkasse-regensburg.de

O1 - Hosts: 61.129.88.154 sparkasse-regensburg.de

O1 - Hosts: 61.129.88.154 http://www.berliner-bank.de

O1 - Hosts: 61.129.88.154 berliner-bank.de

O1 - Hosts: 61.129.88.154 http://www.berliner-sparkasse.de

O1 - Hosts: 61.129.88.154 berliner-sparkasse.de

O1 - Hosts: 61.129.88.154 http://www.wellsfargo.com

O1 - Hosts: 61.129.88.154 wellsfargo.com

O1 - Hosts: 61.129.88.154 http://www.bankofamerica.com

O1 - Hosts: 61.129.88.154 bankofamerica.com

O1 - Hosts: 61.129.88.154 http://www.usbank.com

O1 - Hosts: 61.129.88.154 usbank.com

O1 - Hosts: 61.129.88.154 http://www.bankone.com

O1 - Hosts: 61.129.88.154 bankone.com

O1 - Hosts: 61.129.88.154 http://www.citibank.com

O1 - Hosts: 61.129.88.154 citibank.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE /t

O4 - HKLM..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM..\Run: [nwiz] nwiz.exe /install

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [Windows Helper] C:\WINDOWS\System32\svchozt.exe

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O17 - HKLM\System\CCS\Services\Tcpip..{AE1CE626-5A05-4336-BE93-AE78841958DD}: NameServer = 217.237.150.205 217.237.150.188

O20 - Winlogon Notify: scsiusr4 - C:\WINDOWS\SYSTEM32\scsiusr4.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe

O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks in advance


(Olek96) #2

Man, you've got a lot of junk on there!!!

Let someone else check this too :smiley:


(Bbieniol) #3

Start --> Run --> services.msc --> stop and disable the service: MicroSoft Media Tools

In Safe Mode, with System Restore turned off, delete (the entries with HijackThis; the files/folders marked in red manually from disk):

After that, post a new HijackThis log + a Silent Runners log

Note: when you paste a log, wrap it in a CODE or QUOTE tag

I suggest reading THIS thread to see what we ask of users who paste logs.

Regards, Gutek2222
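Added example, not part of the thread and not code from any of the posters: the log in post #1 is a textbook hosts-file pharming trojan (dozens of UK, Spanish, German and US banking hostnames all pinned to one public address, 61.129.88.154), with a lookalike autorun (svchozt.exe next to the real svchost) and a service binary dropped straight into C:\WINDOWS. The script below triages a HijackThis log for exactly those three patterns and then produces a cleaned hosts file, which is the check you want after the Safe Mode cleanup in post #3. The sample log and hosts lines are constructed from entries quoted in the thread; the function names, the list of system binaries used for the lookalike check, and the "binary directly in the Windows directory" heuristic are this example's own assumptions, not HijackThis features.

```python
"""Triage a HijackThis log for hosts pharming, lookalike autoruns and odd services,
then strip every non-loopback mapping from a hosts file.  Added example; the
helper names and heuristics below are assumptions, not part of HijackThis."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""O1 - Hosts: 61.129.88.154 lloydstsb.co.uk
O1 - Hosts: 61.129.88.154 online.lloydstsb.co.uk
O1 - Hosts: 61.129.88.154 http://www.lloydstsb.co.uk
O1 - Hosts: 61.129.88.154 banking.postbank.de
O1 - Hosts: 61.129.88.154 bankofamerica.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Windows Helper] C:\WINDOWS\System32\svchozt.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Constructed sample hosts file in the state the log implies.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
61.129.88.154 lloydstsb.co.uk
61.129.88.154 banking.postbank.de
"""

# Assumed list of Windows core binaries that malware likes to imitate by name.
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services",
                   "spoolsv", "explorer", "rundll32", "ctfmon"}


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; one edit away from a system binary name is the tell."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _benign_hosts_ip(ip: str) -> bool:
    """Only loopback (127/8, ::1) and 0.0.0.0 (ad-blocking) belong in a home hosts file."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def hosts_hijacks(log: str) -> dict[str, list[str]]:
    """Group O1 entries by target IP: many bank names -> one public IP is pharming."""
    sinks: dict[str, list[str]] = defaultdict(list)
    for m in re.finditer(r"^O1 - Hosts: (\S+) (\S+)", log, re.M):
        ip, name = m.group(1), m.group(2)
        name = re.sub(r"^https?://", "", name)  # forum auto-linking prefix, not hosts syntax
        if not _benign_hosts_ip(ip):
            sinks[ip].append(name)
    return dict(sinks)


def lookalike_autoruns(log: str) -> list[tuple[str, str]]:
    """O4 Run entries whose executable name is one edit away from a core Windows binary."""
    hits = []
    for m in re.finditer(r"^O4 - .*?: \[([^\]]*)\] (.+)$", log, re.M):
        label, command = m.group(1), m.group(2).strip()
        exe = re.search(r'([^"\s][^"]*?\.exe)\b', command, re.I)  # first .exe, quoted or not
        if not exe:
            continue
        stem = re.split(r"[\\/]", exe.group(1))[-1][:-4].lower()
        if stem not in SYSTEM_BINARIES and any(_levenshtein(stem, s) == 1 for s in SYSTEM_BINARIES):
            hits.append((label, exe.group(1)))
    return hits


def windir_root_services(log: str) -> list[tuple[str, str]]:
    """O23 services whose binary sits directly in C:\\WINDOWS (assumed heuristic: real
    services live in System32 or a vendor directory, not in the Windows root)."""
    hits = []
    for m in re.finditer(r"^O23 - Service: (.+?) - (.+?) - (.+)$", log, re.M):
        name, _owner, path = m.groups()
        if re.fullmatch(r"(?i)c:\\windows\\[^\\]+\.exe.*", path.strip()):
            hits.append((name, path.strip()))
    return hits


def clean_hosts(hosts_text: str) -> tuple[str, list[str]]:
    """Return the hosts file with every non-loopback mapping removed, plus the removed lines."""
    kept, removed = [], []
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:                      # comment or blank line: keep verbatim
            kept.append(line)
            continue
        (kept if _benign_hosts_ip(body.split()[0]) else removed).append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    for ip, names in hosts_hijacks(SAMPLE_LOG).items():
        print(f"hosts sink {ip}: {len(names)} names, e.g. {names[:3]}")
    for label, exe in lookalike_autoruns(SAMPLE_LOG):
        print(f"lookalike autorun [{label}] -> {exe}")
    for name, path in windir_root_services(SAMPLE_LOG):
        print(f"service binary in Windows root: {name} -> {path}")
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} hosts lines; cleaned file:\n{cleaned}")
```

Run it against the full posted log and every one of the 100-odd O1 lines collapses into a single sink, 61.129.88.154, which is the quickest way to show the poster that this is not a nuisance "win32-something" alert but a credential-stealing redirect of his bank logins. After the cleanup, rerun `clean_hosts` on %SystemRoot%\system32\drivers\etc\hosts: it should report nothing removed, and the new HijackThis log should have no O1 lines at all.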