alient
(Alient)
10 November 2005 14:24
#1
Hello. Recently I picked up a few viruses and trojans. I managed to remove some of them, but I keep getting some errors.
Please check the log.
Sometimes I also see Symantec scanning some e-mail that I did not send.
Thanks in advance
Logfile of HijackThis v1.99.1
Scan saved at 15:14:23, on 2005-11-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Battery miser\batterymiser.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\On Screen Display\Hotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\system.exe
C:\Program Files\IP Operator\IPOperator.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\sys32.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\ircN\SYSTEM\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FlashGet\flashget.exe
C:\DOCUME~1\oem\USTAWI~1\Temp\Rar$EX00.013\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O1 - Hosts: 72.9.232.244 http://www.bankone.com
O1 - Hosts: 72.9.232.244 bankone.com
O1 - Hosts: 72.9.232.244 halifax.com
O1 - Hosts: 72.9.232.244 http://www.halifax.com
O1 - Hosts: 72.9.232.244 halifax.co.uk
O1 - Hosts: 72.9.232.244 http://www.halifax.co.uk
O1 - Hosts: 72.9.232.244 http://www.bankofamerika.com
O1 - Hosts: 72.9.232.244 bankofamerika.com
O1 - Hosts: 72.9.232.244 http://www.paypal.com
O1 - Hosts: 72.9.232.244 paypal.com
O1 - Hosts: 72.9.232.244 http://www.lloydstsb.com
O1 - Hosts: 72.9.232.244 lloydstsb.com
O1 - Hosts: 72.9.232.244 http://www.lloydstsb.co.uk
O1 - Hosts: 72.9.232.244 lloydstsb.co.uk
O1 - Hosts: 72.9.232.244 http://www.bbvanet.com
O1 - Hosts: 72.9.232.244 bbvanet.com
O1 - Hosts: 72.9.232.244 http://www.bancopostaonline.poste.it
O1 - Hosts: 72.9.232.244 bancopostaonline.poste.it
O1 - Hosts: 72.9.232.244 http://www.poste.it
O1 - Hosts: 72.9.232.244 poste.it
O1 - Hosts: 72.9.232.244 http://www.credem.it
O1 - Hosts: 72.9.232.244 credem.it
O1 - Hosts: 72.9.232.244 http://www.creval.it
O1 - Hosts: 72.9.232.244 creval.it
O1 - Hosts: 72.9.232.244 http://www.gruppocarige.it
O1 - Hosts: 72.9.232.244 gruppocarige.it
O1 - Hosts: 72.9.232.244 http://www.rasbank.it
O1 - Hosts: 72.9.232.244 rasbank.it
O1 - Hosts: 72.9.232.244 http://www.bancagenerali.it
O1 - Hosts: 72.9.232.244 bancagenerali.it
O1 - Hosts: 72.9.232.244 http://www.garanti.com.tr
O1 - Hosts: 72.9.232.244 garanti.com.tr
O1 - Hosts: 72.9.232.244 http://www.kocbank.com.tr
O1 - Hosts: 72.9.232.244 kocbank.com.tr
O1 - Hosts: 72.9.232.244 http://www.finansbank.com.tr
O1 - Hosts: 72.9.232.244 finansbank.com.tr
O1 - Hosts: 72.9.232.244 http://www.disbank.com.tr
O1 - Hosts: 72.9.232.244 disbank.com.tr
O1 - Hosts: 72.9.232.244 http://www.cassarimini.it
O1 - Hosts: 72.9.232.244 cassarimini.it
O1 - Hosts: 72.9.232.244 http://www.unicredit.it
O1 - Hosts: 72.9.232.244 unicredit.it
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [batterymiser] C:\Program Files\Battery miser\batterymiser.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CreativeMouse] C:\Program Files\Mouse Driver\MouseDrv.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [sysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [system service] C:\WINDOWS\system32\system.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [iPOperator] "C:\Program Files\IP Operator\IPOperator.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\F.tmp
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
O4 - Startup: PKDC++.lnk = C:\Program Files\PKDC++\PKDCPlusPlus.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 0295572765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD1E0BAE-F4C1-4C8F-90EB-5FFB3DE3C335}: NameServer = 80.48.254.129,80.50.50.50
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O20 - Winlogon Notify: nuclabdll - nuclabdll.dll (file missing)
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\system32\cclbgipi.dll (file missing)
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - C:\WINDOWS\system32\illqmfaj.dll (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
boczi
(boczi)
10 November 2005 20:42
#2
You do all of this in safe mode [F8 while the computer boots] with System Restore turned off. If you don't know how to do that, see HERE.
The bolded items you delete from the disk, and all the listed entries you remove in HijackThis.
If you know it, leave it; if not, delete it.
C:\WINDOWS\system32\system.exe
C:\WINDOWS\system32\sys32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O1 - Hosts: 72.9.232.244 http://www.bankone.com
O1 - Hosts: 72.9.232.244 bankone.com
O1 - Hosts: 72.9.232.244 halifax.com
O1 - Hosts: 72.9.232.244 http://www.halifax.com
O1 - Hosts: 72.9.232.244 halifax.co.uk
O1 - Hosts: 72.9.232.244 http://www.halifax.co.uk
O1 - Hosts: 72.9.232.244 http://www.bankofamerika.com
O1 - Hosts: 72.9.232.244 bankofamerika.com
O1 - Hosts: 72.9.232.244 http://www.paypal.com
O1 - Hosts: 72.9.232.244 paypal.com
O1 - Hosts: 72.9.232.244 http://www.lloydstsb.com
O1 - Hosts: 72.9.232.244 lloydstsb.com
O1 - Hosts: 72.9.232.244 http://www.lloydstsb.co.uk
O1 - Hosts: 72.9.232.244 lloydstsb.co.uk
O1 - Hosts: 72.9.232.244 http://www.bbvanet.com
O1 - Hosts: 72.9.232.244 bbvanet.com
O1 - Hosts: 72.9.232.244 http://www.bancopostaonline.poste.it
O1 - Hosts: 72.9.232.244 bancopostaonline.poste.it
O1 - Hosts: 72.9.232.244 http://www.poste.it
O1 - Hosts: 72.9.232.244 poste.it
O1 - Hosts: 72.9.232.244 http://www.credem.it
O1 - Hosts: 72.9.232.244 credem.it
O1 - Hosts: 72.9.232.244 http://www.creval.it
O1 - Hosts: 72.9.232.244 creval.it
O1 - Hosts: 72.9.232.244 http://www.gruppocarige.it
O1 - Hosts: 72.9.232.244 gruppocarige.it
O1 - Hosts: 72.9.232.244 http://www.rasbank.it
O1 - Hosts: 72.9.232.244 rasbank.it
O1 - Hosts: 72.9.232.244 http://www.bancagenerali.it
O1 - Hosts: 72.9.232.244 bancagenerali.it
O1 - Hosts: 72.9.232.244 http://www.garanti.com.tr
O1 - Hosts: 72.9.232.244 garanti.com.tr
O1 - Hosts: 72.9.232.244 http://www.kocbank.com.tr
O1 - Hosts: 72.9.232.244 kocbank.com.tr
O1 - Hosts: 72.9.232.244 http://www.finansbank.com.tr
O1 - Hosts: 72.9.232.244 finansbank.com.tr
O1 - Hosts: 72.9.232.244 http://www.disbank.com.tr
O1 - Hosts: 72.9.232.244 disbank.com.tr
O1 - Hosts: 72.9.232.244 http://www.cassarimini.it
O1 - Hosts: 72.9.232.244 cassarimini.it
O1 - Hosts: 72.9.232.244 http://www.unicredit.it
O1 - Hosts: 72.9.232.244 unicredit.it
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll (file missing)
O4 - HKLM\..\Run: [sysMemory manager] c:\windows\system32\mdms.exe (for removing Repsamo, read HERE)
O4 - HKLM\..\Run: [system service] C:\WINDOWS\system32\system.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\F.tmp
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O20 - Winlogon Notify: nuclabdll - nuclabdll.dll (file missing)
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\system32\cclbgipi.dll (file missing)
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - C:\WINDOWS\system32\illqmfaj.dll (file missing)
Then post a new log; I have doubts about:
O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
And run a scan with anti-malware programs.
Empty the TEMP and Prefetch directories in the WINDOWS system directory.
If you have problems deleting, use the KillBox tool:
http://www.downloads.subratam.org/KillBox.zip
Info:
Start Killbox, tick the Delete on Reboot option, then in the Full Path of File to Delete field paste the path (example):
C:\WINDOWS\System32\xxx.exe
then the program will ask for a restart (of course you agree).
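As an added example (not code from the thread), here is a small Python triage script for the HijackThis v1.99.1 log format posted above: it splits the log into its section-tagged entries, groups the O1 Hosts lines by target IP so that a bank-domain pharming block like the one in the log stands out as one finding rather than forty, and applies the reply's "you know it, keep it; you don't, delete it" rule to the autostart sections (F2, O2, O4, O20, O21) against an allowlist. The sample log lines, the allowlist and all function names are constructed for this example; the redirect IP and file names are the ones the thread shows.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.99.1 line format; the entries mirror
# ones posted above (the redirect IP and file names are the thread's own).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O1 - Hosts: 72.9.232.244 www.paypal.com
O1 - Hosts: 72.9.232.244 paypal.com
O1 - Hosts: 72.9.232.244 www.halifax.co.uk
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [system service] C:\WINDOWS\system32\system.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\F.tmp
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\system32\cclbgipi.dll (file missing)
"""

# Every HijackThis finding starts with a section tag: R0/R1, F2, O1..O23.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")
# A drive-rooted path ending in an executable or library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|tmp)(?=["\s]|$)', re.IGNORECASE)
# Constructed allowlist standing in for "binaries you recognise on this machine";
# in practice it comes from your own baseline of the host, not from a fixed set.
KNOWN_GOOD = frozenset({"explorer.exe", "ccapp.exe", "igfxsrvc.dll", "acroiehelper.dll"})
AUTOSTART_SECTIONS = ("F2", "O2", "O4", "O20", "O21")


def parse(log_text):
    """Return (section, rest) pairs; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("rest")))
    return entries


def hosts_redirects(entries):
    """Group O1 Hosts entries by target IP, ignoring loopback mappings: many
    unrelated bank domains mapped to one remote address is the pharming pattern."""
    by_ip = defaultdict(list)
    for sec, rest in entries:
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", rest) if sec == "O1" else None
        if not m:
            continue
        ip, host = m.groups()
        if ip.startswith("127.") or ip == "::1":
            continue
        by_ip[ip].append(host)
    return dict(by_ip)


def suspicious_autostarts(entries, known_good=KNOWN_GOOD):
    """Apply the reply's rule to autostart sections: every binary that is not on
    the allowlist is reported together with the traits that make it stand out."""
    findings = []
    for sec, rest in entries:
        if sec not in AUTOSTART_SECTIONS:
            continue
        for path in PATH_RE.findall(rest):
            name = path.rsplit("\\", 1)[-1].lower()
            if name in known_good:
                continue
            checks = (
                ("file missing", "(file missing)" in rest),
                ("executable with .tmp extension", name.endswith(".tmp")),
                ("unknown binary in the Windows directory", "\\windows\\" in path.lower()),
                # F2 Shell= normally names explorer.exe alone; a second program is a hijack.
                ("extra program chained after explorer.exe", sec == "F2"),
            )
            reasons = [label for label, hit in checks if hit] or ["not on the allowlist"]
            findings.append((sec, name, reasons))
    return findings
```

Running `hosts_redirects(parse(SAMPLE_LOG))` collapses the three bank entries into one finding keyed on 72.9.232.244, and `suspicious_autostarts` reports ibm00001.exe, appwiz.dll, system.exe, F.tmp, msctl32.dll and cclbgipi.dll while leaving the allowlisted ccApp.exe alone.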
alient
(Alient)
10 November 2005 23:29
#3
I think I did everything, but please check the log again if you can.
Logfile of HijackThis v1.99.1
Scan saved at 00:28:15, on 2005-11-11
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Battery miser\batterymiser.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\On Screen Display\Hotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\IP Operator\IPOperator.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\oem\Pulpit\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: 72.9.232.244 http://www.bankone.com
O1 - Hosts: 72.9.232.244 bankone.com
O1 - Hosts: 72.9.232.244 halifax.com
O1 - Hosts: 72.9.232.244 http://www.halifax.com
O1 - Hosts: 72.9.232.244 halifax.co.uk
O1 - Hosts: 72.9.232.244 http://www.halifax.co.uk
O1 - Hosts: 72.9.232.244 http://www.bankofamerika.com
O1 - Hosts: 72.9.232.244 bankofamerika.com
O1 - Hosts: 72.9.232.244 http://www.paypal.com
O1 - Hosts: 72.9.232.244 paypal.com
O1 - Hosts: 72.9.232.244 http://www.lloydstsb.com
O1 - Hosts: 72.9.232.244 lloydstsb.com
O1 - Hosts: 72.9.232.244 http://www.lloydstsb.co.uk
O1 - Hosts: 72.9.232.244 lloydstsb.co.uk
O1 - Hosts: 72.9.232.244 http://www.bbvanet.com
O1 - Hosts: 72.9.232.244 bbvanet.com
O1 - Hosts: 72.9.232.244 http://www.bancopostaonline.poste.it
O1 - Hosts: 72.9.232.244 bancopostaonline.poste.it
O1 - Hosts: 72.9.232.244 http://www.poste.it
O1 - Hosts: 72.9.232.244 poste.it
O1 - Hosts: 72.9.232.244 http://www.credem.it
O1 - Hosts: 72.9.232.244 credem.it
O1 - Hosts: 72.9.232.244 http://www.creval.it
O1 - Hosts: 72.9.232.244 creval.it
O1 - Hosts: 72.9.232.244 http://www.gruppocarige.it
O1 - Hosts: 72.9.232.244 gruppocarige.it
O1 - Hosts: 72.9.232.244 http://www.rasbank.it
O1 - Hosts: 72.9.232.244 rasbank.it
O1 - Hosts: 72.9.232.244 http://www.bancagenerali.it
O1 - Hosts: 72.9.232.244 bancagenerali.it
O1 - Hosts: 72.9.232.244 http://www.garanti.com.tr
O1 - Hosts: 72.9.232.244 garanti.com.tr
O1 - Hosts: 72.9.232.244 http://www.kocbank.com.tr
O1 - Hosts: 72.9.232.244 kocbank.com.tr
O1 - Hosts: 72.9.232.244 http://www.finansbank.com.tr
O1 - Hosts: 72.9.232.244 finansbank.com.tr
O1 - Hosts: 72.9.232.244 http://www.disbank.com.tr
O1 - Hosts: 72.9.232.244 disbank.com.tr
O1 - Hosts: 72.9.232.244 http://www.cassarimini.it
O1 - Hosts: 72.9.232.244 cassarimini.it
O1 - Hosts: 72.9.232.244 http://www.unicredit.it
O1 - Hosts: 72.9.232.244 unicredit.it
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [batterymiser] C:\Program Files\Battery miser\batterymiser.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CreativeMouse] C:\Program Files\Mouse Driver\MouseDrv.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [sysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [system service] C:\WINDOWS\system32\system.exe
O4 - HKLM\..\Run: [iPOperator] "C:\Program Files\IP Operator\IPOperator.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: PKDC++.lnk = C:\Program Files\PKDC++\PKDCPlusPlus.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 0295572765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD1E0BAE-F4C1-4C8F-90EB-5FFB3DE3C335}: NameServer = 80.48.254.129,80.50.50.50
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Thanks again.
Regards, alient.
kuz5
(Kuz5)
12 November 2005 00:11
#4
Delete: (everything, of course, in safe mode with System Restore turned off)
Delete the files marked in red manually from the disk.
How to remove Trojan.Repsamo is described HERE.
Delete the files mdms.exe and system.exe with Pocket Killbox, i.e. start Killbox, tick the Delete on Reboot option, then in the Full Path of File to Delete field paste the path:
c:\windows\system32\mdms.exe
then the program will ask for a restart (of course you agree).
And do the same with the path:
C:\WINDOWS\system32\system.exe