Prosze o sprawdzenie loga

system (system) 2006-03-12 12:45:13 UTC #1

Logfile of HijackThis v1.99.1 Scan saved at 13:43:45, on 2006-03-12 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\WINDOWS\mswmf32.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\System32\lcps.exe C:\WINDOWS\System32\oleupdate.exe C:\WINDOWS\System32\MS22.exe C:\WINDOWS\System32\HTTP.exe C:\WINDOWS\System32\NAMED.exe C:\mousepad1.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\System32\ctfmon.exe C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\SVCHOST.EXE C:\WINDOWS\netconf32.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\WINDOWS\win32ssr.exe C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe c:\windows\temp\fuers.exe D:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\cmd.exe C:\Documents and Settings\Vika\Pulpit\PrOgRaMiKi\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com http://www.avp.ch http://www.avp.com http://www.avp.ru http://www.awaps.net http://www.ca.com http://www.f-secure.com http://www.kaspersky.ru http://www.mcafee.com http://www.my-etrust.com http://www.nai.com http://www.networkassociates.com http://www.sophos.com http://www.symantec.com http://www.trendmicro.com http://www.viruslist.com http://www.viruslist.ru www3.ca.com O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM..\Run: [AntyDialerTP] "c:\program files\antydialer tp\antydialertp.exe" tray O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM..\Run: [Generic Host Process9 System Backup] scvhost9.exe O4 - HKLM..\Run: [Generic Host Process2 System Backup] scvhost2.exe O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM..\Run: [client] C:\WINDOWS\system32\client.exe O4 - HKLM..\Run: [services] C:\Program Files\Common Files\Microsoft Shared\services.exe O4 - HKLM..\Run: [mlp] C:\apace.exe O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM..\Run: [lcps] C:\WINDOWS\System32\lcps.exe O4 - HKLM..\Run: [Win Update] C:\WINDOWS\System32\oleupdate.exe O4 - HKLM..\Run: [] mozilla.exe O4 - HKLM..\Run: [MS22] C:\WINDOWS\System32\MS22.exe O4 - HKLM..\Run: [HTTP] C:\WINDOWS\System32\HTTP.exe O4 - HKLM..\Run: [NAMED] C:\WINDOWS\System32\NAMED.exe O4 - HKLM..\Run: [P]_X] C:\WINDOWS\System32\kvjrmksczrm.exe O4 - HKLM..\Run: [keyboard] C:\keyboard1.exe O4 - HKLM..\Run: [mousepad] C:\mousepad1.exe O4 - HKLM..\Run: [gimmysmileys] C:\gimmysmileys1.exe O4 - HKLM..\Run: [jwkliZKrkumbbzrYRnovwx] C:\WINDOWS\system32\nerocheck.txt:kcehcoren.exe O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM..\RunServices: [] mozilla.exe O4 - HKLM..\RunServices: [P]_X] C:\WINDOWS\System32\kvjrmksczrm.exe O4 - HKLM..\RunServices: [jwkliZKrkumbbzrYRnovwx] C:\WINDOWS\system32\nerocheck.txt:kcehcoren.exe O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU..\Run: [AQQ] C:\DOCUME~1\Vika\Pulpit\AQQ\AQQ.exe O4 - HKCU..\Run: [] mozilla.exe O4 - HKCU..\RunServices: [] mozilla.exe O4 - Global Startup: SVCHOST.EXE O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O17 - HKLM\System\CCS\Services\Tcpip..{DBC8ADCD-930C-4AC9-B8AA-C1E9D92D5CB8}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe

Gutek (Gutek) 2006-03-12 12:56:09 UTC #2

Dlaczego nie czytacie - http://forum.dobreprogramy.pl/viewtopic.php?t=66889

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com http://www.avp.ch http://www.avp.com http://www.avp.ru http://www.awaps.net http://www.ca.com http://www.f-secure.com http://www.kaspersky.ru http://www.mcafee.com http://www.my-etrust.com http://www.nai.com http://www.networkassociates.com http://www.sophos.com http://www.symantec.com http://www.trendmicro.com http://www.viruslist.com http://www.viruslist.ru www3.ca.com O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll O4 - HKLM..\Run: [Generic Host Process9 System Backup] scvhost9.exe O4 - HKLM..\Run: [Generic Host Process2 System Backup] scvhost2.exe O4 - HKLM..\Run: [services] C:\Program Files\Common Files\Microsoft Shared\services.exe O4 - HKLM..\Run: [mlp] C:\apace.exe O4 - HKLM..\Run: [lcps] C:\WINDOWS\System32\lcps.exe O4 - HKLM..\Run: [Win Update] C:\WINDOWS\System32\oleupdate.exe O4 - HKLM..\Run: [] mozilla.exe O4 - HKLM..\Run: [MS22] C:\WINDOWS\System32\MS22.exe O4 - HKLM..\Run: [HTTP] C:\WINDOWS\System32\HTTP.exe O4 - HKLM..\Run: [NAMED] C:\WINDOWS\System32\NAMED.exe O4 - HKLM..\Run: [P]_X] C:\WINDOWS\System32\kvjrmksczrm.exe O4 - HKLM..\Run: [keyboard] C:\keyboard1.exe O4 - HKLM..\Run: [mousepad] C:\mousepad1.exe O4 - HKLM..\Run: [gimmysmileys] C:\gimmysmileys1.exe O4 - HKLM..\Run: [jwkliZKrkumbbzrYRnovwx] C:\WINDOWS\system32\nerocheck.txt:kcehcoren.exe O4 - HKLM..\RunServices: [] mozilla.exe O4 - HKLM..\RunServices: [P]_X] C:\WINDOWS\System32\kvjrmksczrm.exe O4 - HKLM..\RunServices: [jwkliZKrkumbbzrYRnovwx] C:\WINDOWS\system32\nerocheck.txt:kcehcoren.exe O4 - HKCU..\Run: [] mozilla.exe O4 - HKCU..\RunServices: [] mozilla.exe O4 - Global Startup: SVCHOST.EXE O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O23 - Service: mswmf32 - Unknown owner - C:\WINDOWS\mswmf32.exe O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe O23 - Service: - Unknown owner - C:\WINDOWS\win32ssr.exe

Start >>> Uruchom >>> services.msc >>> zatrzymaj i wyłącz Win32Sr, netconf32 i mswmf32

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable. Po użyciu tego narzędzia wymagany jest reset sysa.

Wyłączyć Przywracanie systemu w XP TU
Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).
Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte.
Skasować z dysku pliki i folder, które podkreśliłem na czerwono
Dokończyć skanerami online - Scanery do wyboru
Pokazać nowy log

Scan EWIDO po update - http://www.ewido.net/en/

system (system) 2006-03-12 20:43:51 UTC #3

Logfile of HijackThis v1.99.1

Scan saved at 21:41:44, on 2006-03-12

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Vika\Pulpit\PrOgRaMiKi\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com http://www.avp.ch http://www.avp.com http://www.avp.ru http://www.awaps.net http://www.ca.com http://www.f-secure.com http://www.kaspersky.ru http://www.mcafee.com http://www.my-etrust.com http://www.nai.com http://www.networkassociates.com http://www.sophos.com http://www.symantec.com http://www.trendmicro.com http://www.viruslist.com http://www.viruslist.ru www3.ca.com

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [AntyDialerTP] "c:\program files\antydialer tp\antydialertp.exe" tray

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM..\Run: [client] C:\WINDOWS\system32\client.exe

O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM..\Run: [jwkliZKrkumbbzrYRnovwx] C:\WINDOWS\system32\nerocheck.txt:kcehcoren.exe

O4 - HKLM..\RunServices: [] mozilla.exe

O4 - HKLM..\RunServices: [P]_X] C:\WINDOWS\System32\kvjrmksczrm.exe

O4 - HKLM..\RunServices: [jwkliZKrkumbbzrYRnovwx] C:\WINDOWS\system32\nerocheck.txt:kcehcoren.exe

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU..\Run: [AQQ] C:\DOCUME~1\Vika\Pulpit\AQQ\AQQ.exe

O4 - HKCU..\Run: [] mozilla.exe

O17 - HKLM\System\CCS\Services\Tcpip..{DBC8ADCD-930C-4AC9-B8AA-C1E9D92D5CB8}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

[/code

było wylaczone win32sr , netconf32 i mswms32

znaczki byly wszystkie na enable

InfinityToJa (Gblade) 2006-03-12 20:55:50 UTC #4

Zostało jeszcze to:

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com http://www.avp.ch http://www.avp.com http://www.avp.ru http://www.awaps.net http://www.ca.com http://www.f-secure.com http://www.kaspersky.ru http://www.mcafee.com http://www.my-etrust.com http://www.nai.com http://www.networkassociates.com http://www.sophos.com http://www.symantec.com http://www.trendmicro.com http://www.viruslist.com http://www.viruslist.ru www3.ca.com O4 - HKLM..\Run: [jwkliZKrkumbbzrYRnovwx] C:\WINDOWS\system32\nerocheck.txt:kcehcoren.exe O4 - HKLM..\RunServices: [] mozilla.exe O4 - HKLM..\RunServices: [P]_X] C:\WINDOWS\System32\kvjrmksczrm.exe O4 - HKLM..\RunServices: [jwkliZKrkumbbzrYRnovwx] C:\WINDOWS\system32\nerocheck.txt:kcehcoren.exe O4 - HKCU..\Run: [] mozilla.exe

Usuń wpisy i pogrubione pliki/foldery w trybie awaryjnym z wyłączonym przywracaniem systemu.

Przeskanuj ewido http://www.ewido.net/en/

Oparte na Discourse, najlepiej oglądać z włączonym JavaScriptem