Forum IDG.pl - miejsce dyskusji o IT: Adware.Agent.BN - Forum IDG.pl - miejsce dyskusji o IT

Mój log po wykonaniu instrukcji:
http://wklej.org/id/32c6913d5c

Mam nadzieję że jest dobry

-------------- @Matt_08

Wg mnie - jest OK!

==================
F.

Bardzo dziękuję za pomoc

jak to badziewie wywalic???

prócz tego ze wyskakuja mi reklamy jakiegos antyvirusa, to mam niebieski pulpit, a virus zablokowal wszystko ze nie mozna przegladac katalogow(menadzera zadan, nie moge nawet wlaczyc wierszu polecen, skróty od dysków, mojego komputera, moich dokumentow itp. wywalikl z pulpitu wiec moge uruchomic tylko to co na pulpicie)
zrobilem skan logow i zapisalem w notatniku. a co dalej?
prosze o dokladna instrukcje xD


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23: VIRUS ALERT!, on 2008-07-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Borland\Interbase\bin\ibguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\lphcv7sj0eef5.exe
C:\Program Files\rhcr7sj0eef5\rhcr7sj0eef5.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program FilesBitComet\BitComet.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\xfire.exe
C:\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\pphcv7sj0eef5.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Borland\Interbase\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...com/jump.php?wm ... Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CableRouting module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\CableRouting\CableRouting.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program FilesBitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: QXK Olive - {CA9AFAAB-E1D4-4D52-883C-02981238C0DA} - C:\WINDOWS\wbxdpgfeqdb.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: sqvgnrpx - {1BFB720F-B45D-43FF-8AE1-54C86718DE99} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lphcv7sj0eef5] C:\WINDOWS\system32\lphcv7sj0eef5.exe
O4 - HKLM\..\Run: [SMrhcr7sj0eef5] C:\Program Files\rhcr7sj0eef5\rhcr7sj0eef5.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program FilesBitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program FilesBitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program FilesBitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program FilesBitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Kolekcja wycinków HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Zaznaczanie HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program FilesBitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: fsrpknov - {773FFE07-B0A1-4037-AA83-11C77E4D538B} - C:\WINDOWS\fsrpknov.dll
O21 - SSODL: fdxbameg - {6262702B-17BC-4D5F-AC91-D7C9071CC1C0} - C:\WINDOWS\fdxbameg.dll
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\Interbase\bin\ibserver.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 9877 bytes

Cytuj

Te w/w wpisy sfiksuj w Hijacku:
>>Hijack>>scan(Do a system scan only)>>zaznacz je >>Fix checked.

the_monster, o 25-07-2008, 14:43, powiedział:

Masz co najmniej 8 różnych infekcji.
Daj log z -->ComboFix.



=================================================
F.
>Jest już exploit na lukę w DNS

.

i nie ma badziewia


ComboFix 08-07-24.3 - Maciej 2008-07-25 16:05:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1516 [GMT 2:00]
Running from: C:\Documents and Settings\Maciej\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-25 12:43 . 2008-07-25 12:43 <DIR> d-------- C:\Program Files\Thomson
2008-07-07 23:03 . 2008-07-07 23:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 22:47 . 2008-07-07 22:47 <DIR> d-------- C:\Program Files\CableRouting
2008-07-07 21:54 . 2008-07-07 22:22 <DIR> d-------- C:\Program Files\RegSupreme Pro
2008-07-07 21:05 . 2008-07-07 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ADSL Software Ltd
2008-07-01 23:04 . 2008-07-01 23:04 <DIR> d-------- C:\Program Files\SAGEM
2008-07-01 23:04 . 2005-11-04 16:55 126,976 --a------ C:\WINDOWS\system32\coclassfast.dll
2008-06-30 13:32 . 2008-06-30 13:32 <DIR> d-------- C:\ArmyBuilderEX
2008-06-30 13:30 . 2008-06-30 13:30 <DIR> d-------- C:\Documents and Settings\SamboR\Menu Start
2008-06-30 13:30 . 2008-06-30 13:30 <DIR> d-------- C:\Documents and Settings\SamboR
2008-06-27 18:31 . 2008-06-27 18:32 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-06-25 10:43 . 2008-06-25 10:43 <DIR> d-------- C:\Program Files\MP3 2 Ogg Lab 2004

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 14:10 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-07-25 14:10 --------- d-----w C:\Program Files\neostrada tp
2008-07-25 14:10 --------- d-----w C:\Program Files\lg_fwupdate
2008-07-25 13:12 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-25 10:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-07 20:22 --------- d-----w C:\Documents and Settings\Maciej\Dane aplikacji\Xfire
2008-06-28 20:49 --------- d-----w C:\Documents and Settings\Maciej\Dane aplikacji\AdobeUM
2008-06-20 17:31 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Ubisoft
2008-06-15 20:25 --------- d-----w C:\Documents and Settings\Maciej\Dane aplikacji\PC Tools
2008-06-15 09:16 --------- d-----w C:\Documents and Settings\Maciej\Dane aplikacji\Wizards of the Coast
2008-06-14 18:01 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 20:32 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-06-01 15:44 --------- d-----w C:\Program Files\free-downloads.net
2008-06-01 15:16 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-06-01 15:16 --------- d-----w C:\Documents and Settings\Maciej\Dane aplikacji\DAEMON Tools
2008-05-28 21:07 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-30 14:00 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-07 22:07 22,328 ----a-w C:\Documents and Settings\Maciej\Dane aplikacji\PnkBstrK.sys
2008-03-07 17:07 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "C:\Program Files\free-downloads.net\tbfree.dll" [2007-12-04 13:53 1502232]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2007-12-04 13:53 1502232 --a------ C:\Program Files\free-downloads.net\tbfree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "C:\Program Files\free-downloads.net\tbfree.dll" [2007-12-04 13:53 1502232]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= "C:\Program Files\free-downloads.net\tbfree.dll" [2007-12-04 13:53 1502232]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-03-28 20:29 1271032]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 20:40 2048000]
"BitComet"="C:\Program FilesBitComet\BitComet.exe" [2008-02-01 09:20 2194744]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 11:39 486856]
"AlcoholAutomount"="C:\Alcohol Soft\Alcohol 52\axcmd.exe" [2007-07-02 12:27 219520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-07-12 11:58 356352]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"WOOWATCH"="C:\PROGRA~1\NEOSTR~1\Watch.exe" [2004-08-23 14:49 20480]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-11-02 08:55 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2005-04-12 10:11 229376]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"WinampAgent"="C:\Winamp\winampa.exe" [2005-10-20 20:32 33792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-25 13:42 1107848]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"WOOTASKBARICON"="C:\PROGRA~1\NEOSTR~1\GestMaj.exe" [2004-10-14 16:55 32768]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 10:56 16261632 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]

C:\Documents and Settings\Maciej\Menu Start\Programy\Autostart\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-11-15 02:59:50 2836304]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\the_monaster\\condition zero\\hl.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\the_monaster\\counter-strike\\hl.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\the_monaster\\day of defeat\\hl.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\the_monaster\\deathmatch classic\\hl.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program FilesBitComet\\BitComet.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\the_monaster\\condition zero deleted scenes\\hl.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"F:\\Heroes of Might and Magic III\\Heroes3.exe"=
"F:\\soulstrom\\Soulstorm.exe"=
"F:\\commandos\\commandos3.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"E:\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"E:\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"E:\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"F:\\orginalwar\\OwarFull.dll"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11704:TCP"= 11704:TCP:BitComet 11704 TCP
"11704:UDP"= 11704:UDP:BitComet 11704 UDP

S3 bDMusicb;bDMusicb;C:\DOCUME~1\Maciej\USTAWI~1\Temp\bDMusicb.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40c1ccc0-d715-11dc-9682-000e50d680bb}]
\Shell\AutoRun\command - I:\xo8wr9.exe
\Shell\explore\Command - I:\xo8wr9.exe
\Shell\open\Command - I:\xo8wr9.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40c1ccc1-d715-11dc-9682-000e50d680bb}]
\Shell\AutoRun\command - K:\xo8wr9.exe
\Shell\explore\Command - K:\xo8wr9.exe
\Shell\open\Command - K:\xo8wr9.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e130e1c-c9de-11dc-9656-000e50d680bb}]
\Shell\AutoRun\command - I:\xo8wr9.exe
\Shell\explore\Command - I:\xo8wr9.exe
\Shell\open\Command - I:\xo8wr9.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com
O8 -: &D&ownload &with BitComet - C:\Program FilesBitComet\BitComet.exe/AddLink.htm
O8 -: &D&ownload all video with BitComet - C:\Program FilesBitComet\BitComet.exe/AddVideo.htm
O8 -: &D&ownload all with BitComet - C:\Program FilesBitComet\BitComet.exe/AddAllLink.htm
O8 -: E&ksportuj do programu Microsoft Excel
O9 -: { - C:\Program Files\Messenger\msmsgs.exe
O9 -: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program FilesBitComet\tools\BitCometBHO_1.2.1.2.dll/206

Ściągnij sobie Avast Antywirus ja go używam i jestem bardzo zadowolona z jego funkcji. Użytkuje Avasta od roku i jestem w stanie polecać go wszystkim użytkownikom Windowsów.

Witam!
Mam problem chyba podobnego rodzaju co moi poprzednicy w tym, że:
Mam avasta i ten niczego nei wykrył.
System albo ten wirus poblokował mi wszystkie funkcje, ie i używam internetu z trybu awaryjnego. Pojawiają się komunikaty:
"Security warning!
Worm.Win32.NetSky detected on your machine".... itd. jak pisali moi poprzednicy.

"your computer is infected! Windows has detedted an infection of spyware! It is recommended to use aspecial antispyware tools to prevent data loss. Windows will now download and instal the most up-tp-date antispyware for you."

Pierwszy raz korzystam z forum, bo zazwyczaj jakos rtadziłem sobie z tym, tzn z wirusami powazniejszych poroblemow nie mialem, do teraz, prosze o podpowiedzi i każdą pomoc.

Wklej logi z OTL i DDS. Programy możesz pobrać z http://www.searcheng...OTL-t86306.html. i czekaj na pomoc forumowiczów. Ja miałem taką samą (lub podobną) infekcję, którą usunąłem ręcznie. Przeskanowałem partycję systemową programem SuperAntiSpyware, który co prawda nic nie usunął, ale wykrył wirusa. W załączeniu log ze skanu:
HKEY_CURRENTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\ Scan Log
http://www.superantispyware.com

Generated 12/16/2009 at 06:54 PM

Application Version : 4.28.1008

Core Rules Database Version : 4379
Trace Rules Database Version: 2217

Scan type : Quick Scan
Total Scan Time : 00:14:45

Memory items scanned : 431
Memory threats detected : 0
Registry items scanned : 476
Registry threats detected : 26
File items scanned : 5643
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@adserver.gadu-gadu[2].txt

Unclassified.Oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS3200\Control
HKLM\SYSTEM\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#INITSTARTFAILED

Trojan.Agent/Gen
C:\WINDOWS\system32\critical_warning.html
C:\WINDOWS\system32\winhelper86.dll

Trojan.Agent/Gen-Rogue[Installer]
C:\WINDOWS\SYSTEM32\WINUPDATE86.EXE
C:\WINDOWS\Prefetch\WINUPDATE86.EXE-1F84C996.pf

Jeśli masz to samo,a nie poradzi ci nikt inny, próbuj tak jak ja. Wirus między innymi blokuje zmianę tapet, wyłącza pasek zadań i blokuje wejście do rejestru. Ponieważ miałem zablokowane wejście do rejestru za pomocą regedit, przywróciłem kopię rejestru, którą zrobiłem gdy system był nie zainfekowany.Następnie wejście do rejestru: Start>Uruchom, wpisz regedit i OK.
W kluczu HKEY_CURRENTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop nazwę NoChangingWallpaper kliknij 2x i zmień jej wartość z 1 na 0. Następnie w HKEY_CURRENTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\System wartość DisableTaskMgr zmień w podobny sposób na 0. Przeskanuj dysk C programem SuperAntiSpyware, który powinien usunąć wirusa. Następnie w kluczach:
HKEY_CURRENTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer zmienić wartość NoSetActiveDesktop z 1 na 0 oraz wartość NoActiveDesktopChanges z 1 a 0.
HKEY_CURRENTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\System wartość DisableTask Mgr zmienić z 1 na 0.
Sprawdzić czy w C:\WINDOWS\system32\ jest plik winupdate86.exe. Jeśli jest, to usuń.
w C:\WINDOWS\system32\ usuń winhelper86.dll
Przeskanuj ponownie. U mnie pomogło.





Dodano 23-12-2009 03:40:18:

W C:\WINDOWS\system32\ Usuń critical_warning.html jeśli jeszcze jest.