[Trojan] wkssvc.exe

I scanned my computer with some anti-trojan program and it shows that the trojan is in the file wkssvc.exe.

File path: C:\WINDOWS\system32\wkssvc.exe

I don't know how to remove it.

That path is only valid inside the program, because normally the file is nowhere to be seen.

Windows Search didn't find it either.

I'd like to get rid of this trojan, what should I do?

Remove it with Pocket Killbox: run Killbox, tick the Delete on Reboot option, then in the Full Path of File to Delete field paste the path:

C:\WINDOWS\system32\wkssvc.exe

then the program will ask for a restart (of course you agree).

Paste a HijackThis log.

Thanks, I removed the file.

Logfile of HijackThis v1.99.1

Scan saved at 19:55:46, on 2006-01-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

G:\Programy i inne\Graficzne\QuickTime\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\Ctsvccda.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Admin\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FlashGet\jccatch.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "G:\Programy i inne\Graficzne\QuickTime\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NaturalColorLoad.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - G:\Programy i inne\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - G:\Programy i inne\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\JetCar.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\JetCar.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://www.mks.com.pl

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_24.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_24.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5B183321-6940-4157-96B0-100A4418E17E}: NameServer = 195.225.121.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{5B183321-6940-4157-96B0-100A4418E17E}: NameServer = 195.225.121.1

O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\Ctsvccda.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

That's a leftover from RXToolBar, remove it with HijackThis in safe mode.

Install Ewido

http://www.searchengines.pl/phpbb203/lo … 16762.html do an update and scan :P

OK, I scanned with that program.

Here's the report:
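Added example, not code from the thread: a small Python triage script run over a few lines copied verbatim from the HijackThis log above. It flags the kinds of entries a helper picks out by eye, such as orphaned "(no file)" entries (the RXToolBar leftover), O4 startup items given by bare file name, O16 ActiveX packages pulled from a raw IP address, O17 DNS servers not on a trusted list, and O23 services with no recorded owner. The trusted DNS list is an assumption; the user would fill it from their ISP's settings.

```python
import re

# Constructed sample: a few lines copied from the HijackThis 1.99.1 log
# posted above, not a fresh capture.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_24.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B183321-6940-4157-96B0-100A4418E17E}: NameServer = 195.225.121.1
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

IP_HOST = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)", re.I)
O4_TARGET = re.compile(r"^O4 - .*?: \[[^\]]*\] (.*)$")   # [name] target
O16_URL = re.compile(r" - (https?://\S+)$", re.I)
O17_NS = re.compile(r"NameServer = (.+)$")

def triage(log_text, trusted_dns=()):
    """Return (section, reason, line) for entries worth a second look.
    trusted_dns is an assumed allow-list of the user's legitimate resolvers."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]          # "O2", "O4", "O16", ...
        if "(no file)" in line:                    # registry entry, file gone
            findings.append((section, "orphaned entry, target file missing", line))
            continue
        if section == "O4":
            m = O4_TARGET.match(line)
            target = m.group(1).strip().strip('"') if m else ""
            if target and "\\" not in target.split(" ")[0]:   # no directory given
                findings.append((section, "startup item by bare name, resolved via PATH", line))
        elif section == "O16":
            m = O16_URL.search(line)
            if m and IP_HOST.match(m.group(1)):
                findings.append((section, "ActiveX package fetched from a raw IP address", line))
        elif section == "O17":
            m = O17_NS.search(line)
            if m and any(s.strip() not in trusted_dns for s in m.group(1).split(",")):
                findings.append((section, "DNS server not on the trusted list", line))
        elif section == "O23" and "Unknown owner" in line:
            findings.append((section, "service with no publisher recorded", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

Every flagged line is a candidate for review, not a verdict; the NAV Helper BHO and the quoted ccApp entry pass through unflagged because they point at an existing, fully qualified file.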

---------------------------------------------------------

 ewido anti-malware - Scan report

---------------------------------------------------------


 + Created on: 09:29:07, 2006-01-22

 + Report-Checksum: 25178937


 + Scan result:


	HKLM\SOFTWARE\Aureate -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3 -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Commands -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\GbSet -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Installed -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Media -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Media\131073 -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Media\196609 -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Media\196611 -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Proxy -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Servers -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup

	HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup

	HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup

	HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup

	HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\Aureate -> Spyware.Aureate : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\Aureate\Advertising -> Spyware.Aureate : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\Aureate\Advertising\Demographics -> Spyware.Aureate : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\Aureate\V3 -> Spyware.Aureate : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\Aureate\V3\Cookies -> Spyware.Aureate : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\RX Toolbar -> Spyware.RXToolbar : Cleaned with backup

	C:\!KillBox\wkssvc.exe -> Backdoor.Rbot.aeu : Error during cleaning

	C:\Documents and Settings\Admin\Cookies\admin@ad.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@gde.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@idg.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@metacafe.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@microsoftwga.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@my.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@oewabox[1].txt -> Spyware.Cookie.Oewabox : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup

	C:\Documents and Settings\Admin\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-29628741.zip/Matrix.class -> Downloader.OpenStream.c : Cleaned with backup

	C:\Documents and Settings\Admin\Ustawienia lokalne\Temp\Cookies\admin@ad.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Ustawienia lokalne\Temp\Cookies\admin@gde.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Ustawienia lokalne\Temp\Cookies\admin@my.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Program Files\Tlen.pl\plugins\DozaKultury.tpl -> Adware.Doza : Cleaned with backup

	C:\WINDOWS\system32\adimage.dll -> Spyware.Aureate : Cleaned with backup

	C:\WINDOWS\system32\htmdeng.exe -> Spyware.Aureate : Cleaned with backup

	C:\WINDOWS\system32\ipcclient.dll -> Spyware.Aureate : Cleaned with backup

	C:\WINDOWS\system32\msipcsv.exe -> Spyware.Aureate : Cleaned with backup

	C:\WINDOWS\system32\tfde.dll -> Spyware.Aureate : Cleaned with backup

::Report End

Well, it removed everything :)