[Trojan] wkssvc.exe


(Morgenowsky) #1

I scanned my computer with some anti-trojan tool and it shows that the trojan is in the file wkssvc.exe.

Path to the file: C:\WINDOWS\system32\wkssvc.exe

I don't know how to remove it.

That path is only valid inside the program, because normally the file is nowhere to be seen.

Windows Search didn't find it either.

I'd like to get rid of this trojan, what should I do?


(Kuz5) #2

Delete it with Pocket Killbox: run Killbox, tick the Delete on Reboot option, then in the Full Path of File to Delete field paste the path:

C:\WINDOWS\system32\wkssvc.exe

then the program will ask for a restart (of course you agree)

Paste a HijackThis log


(Morgenowsky) #3

Thanks, I removed that file.

Logfile of HijackThis v1.99.1

Scan saved at 19:55:46, on 2006-01-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

G:\Programy i inne\Graficzne\QuickTime\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\Ctsvccda.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Admin\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FlashGet\jccatch.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "G:\Programy i inne\Graficzne\QuickTime\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NaturalColorLoad.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - G:\Programy i inne\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - G:\Programy i inne\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\JetCar.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\JetCar.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://www.mks.com.pl

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_24.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_24.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5B183321-6940-4157-96B0-100A4418E17E}: NameServer = 195.225.121.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{5B183321-6940-4157-96B0-100A4418E17E}: NameServer = 195.225.121.1

O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\Ctsvccda.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

(Gutek) #4

A leftover from RXToolBar, remove it with HijackThis in safe mode

Install Ewido

http://www.searchengines.pl/phpbb203/lo ... 16762.html do an update and scan :stuck_out_tongue:
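An added example, not part of the thread: a small Python triage of the HijackThis v1.99.1 log format posted above. It parses the section-coded entries and flags the kinds of lines a reviewer looks at first, including orphaned "(no file)" entries of the sort left behind by a removed toolbar; the sample log is a constructed excerpt built from entries in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the HijackThis v1.99.1 line format; the entries are
# copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B183321-6940-4157-96B0-100A4418E17E}: NameServer = 195.225.121.1
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Section code at the start of every entry line (R0, O2, O23, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split a log into {section, body} entries; the header and the
    'Running processes' block have no section code and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries

def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, body) for the entries to review first:
    components whose file is gone (leftovers of a removed toolbar), services
    without a vendor string, Run entries naming a bare file (resolved through
    PATH), and per-interface DNS servers to check against the ISP's."""
    findings = []
    for e in parse_entries(text):
        sec, body = e["section"], e["body"]
        if "(no file)" in body:
            findings.append((sec, "orphaned entry: file missing", body))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service with no vendor string", body))
        elif sec == "O4":
            target = body.split("] ", 1)[-1].strip('"')
            if "\\" not in target and "%" not in target:
                findings.append((sec, "Run entry with bare filename", body))
        elif sec == "O17" and "NameServer" in body:
            findings.append((sec, "DNS server set on interface: verify", body))
    return findings
```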


(Morgenowsky) #5

OK, I scanned with that program.

Here is the report:

---------------------------------------------------------

 ewido anti-malware - Scan report

---------------------------------------------------------


 + Created on: 09:29:07, 2006-01-22

 + Report-Checksum: 25178937


 + Scan result:


	HKLM\SOFTWARE\Aureate -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3 -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Commands -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\GbSet -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Installed -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Media -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Media\131073 -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Media\196609 -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Media\196611 -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Proxy -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Aureate\V3\Servers -> Spyware.Aureate : Cleaned with backup

	HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup

	HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup

	HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup

	HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup

	HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\Aureate -> Spyware.Aureate : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\Aureate\Advertising -> Spyware.Aureate : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\Aureate\Advertising\Demographics -> Spyware.Aureate : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\Aureate\V3 -> Spyware.Aureate : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\Aureate\V3\Cookies -> Spyware.Aureate : Cleaned with backup

	HKU\S-1-5-21-2000478354-2111687655-839522115-1003\Software\RX Toolbar -> Spyware.RXToolbar : Cleaned with backup

	C:\!KillBox\wkssvc.exe -> Backdoor.Rbot.aeu : Error during cleaning

	C:\Documents and Settings\Admin\Cookies\admin@ad.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@gde.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@idg.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@metacafe.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@microsoftwga.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@my.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@oewabox[1].txt -> Spyware.Cookie.Oewabox : Cleaned with backup

	C:\Documents and Settings\Admin\Cookies\admin@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup

	C:\Documents and Settings\Admin\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-29628741.zip/Matrix.class -> Downloader.OpenStream.c : Cleaned with backup

	C:\Documents and Settings\Admin\Ustawienia lokalne\Temp\Cookies\admin@ad.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Ustawienia lokalne\Temp\Cookies\admin@gde.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Admin\Ustawienia lokalne\Temp\Cookies\admin@my.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup

	C:\Program Files\Tlen.pl\plugins\DozaKultury.tpl -> Adware.Doza : Cleaned with backup

	C:\WINDOWS\system32\adimage.dll -> Spyware.Aureate : Cleaned with backup

	C:\WINDOWS\system32\htmdeng.exe -> Spyware.Aureate : Cleaned with backup

	C:\WINDOWS\system32\ipcclient.dll -> Spyware.Aureate : Cleaned with backup

	C:\WINDOWS\system32\msipcsv.exe -> Spyware.Aureate : Cleaned with backup

	C:\WINDOWS\system32\tfde.dll -> Spyware.Aureate : Cleaned with backup



::Report End
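An added example, not part of the thread: a Python parser for the ewido "object -> detection : status" result lines in the report above, listing every object that was not reported as cleaned, so a line such as the one for C:\!KillBox\wkssvc.exe is not overlooked. The sample report is a constructed excerpt using three result lines from this thread.

```python
import re
from typing import Dict, List

# Constructed excerpt in the ewido anti-malware report format; the three
# result lines are copied from the report posted in this thread.
SAMPLE_REPORT = r"""
---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Scan result:

    HKLM\SOFTWARE\Aureate -> Spyware.Aureate : Cleaned with backup
    C:\!KillBox\wkssvc.exe -> Backdoor.Rbot.aeu : Error during cleaning
    C:\WINDOWS\system32\tfde.dll -> Spyware.Aureate : Cleaned with backup

::Report End
"""

# One result line: <object> -> <detection name> : <status>
RESULT_RE = re.compile(r"^\s*(.+?) -> (\S+) : (.+?)\s*$")

def parse_results(text: str) -> List[Dict[str, str]]:
    """Return one dict per result line; header, banner and '::Report End'
    lines do not match the pattern and are ignored."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            results.append({"object": m.group(1), "detection": m.group(2),
                            "status": m.group(3)})
    return results

def not_cleaned(text: str) -> List[Dict[str, str]]:
    """Entries whose status is anything other than a successful clean; these
    objects are still present and need a follow-up (in the report above,
    the copy of the backdoor that Killbox moved into its own folder)."""
    return [r for r in parse_results(text) if not r["status"].startswith("Cleaned")]
```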

(Gutek) #6

Well, it removed everything :slight_smile: