Bardzo proszę o sprawdzenie loga

Dla specjalistów Bezpieczeństwo
#1

Bardzo prosze o sprawdzenie loga … :frowning:

Logfile of HijackThis v1.99.0

Scan saved at 05:22:49, on 2005-02-17

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

C:\Program Files\Anti-Trojan-55\ATWatch.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Filip\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=9

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM…\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

O4 - HKLM…\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe

O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”

O4 - HKLM…\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM…\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM…\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun

O4 - HKLM…\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM…\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM…\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM…\Run: [Control handler] C:\WINDOWS\System32\cmebgo8071thd.exe

O4 - HKLM…\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM…\Run: [AT-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht! http://vparivalka.com/G7/chm10.chm::/ieloader.exe

O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_60.cab

O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (GINBOARDS Class) - http://67.15.101.3/g_bin/pl/boards_2_0_0_18.cab

O16 - DPF: {A9ED6AA2-D9D4-4D71-9586-E293E2E3580B} (GameDesire Marbies&Diamonds) - http://67.15.101.3/g_bin/pl/marbles_2_0_0_21.cab

O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/pl/wordssingle_2_0_0_34.cab

O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_18.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip…{AE83C12E-A987-40E9-B593-897C38019276}: NameServer = 10.0.1.1

O20 - AppInit_DLLs: zfcl6hjgopn5w3ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Z góry dziękuję !!

#2

di kasacji:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

zainstaluj SP2 8)

#3

widze że masz 2 antywirusy(no chyba że jest Norton to tylko firewall) jeśli nie to odinstaluj jeden antywirus, tylko ci muli komputer :wink: C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

#4

wylacz przywracanie systemu ,przejdz w tryb awaryjny i za pomocą hijacka usun:

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL

O4 - HKLM…\Run: [Control handler] C:\WINDOWS\System32\cmebgo8071thd.exe

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht! http://vparivalka.com/G7/chm10.chm::/ieloader.exe

O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_60.cab

O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (GINBOARDS Class) - http://67.15.101.3/g_bin/pl/boards_2_0_0_18.cab

O16 - DPF: {A9ED6AA2-D9D4-4D71-9586-E293E2E3580B} (GameDesire Marbies&Diamonds) - http://67.15.101.3/g_bin/pl/marbles_2_0_0_21.cab

O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/pl/wordssingle_2_0_0_34.cab

O20 - AppInit_DLLs: zfcl6hjgopn5w3ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll

Jezeli znasz to

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=9

to zostawiasz ,jesli nie znasz wywalasz.

Nastepnie przeskanuj system tymi programami:

http://forum.dobreprogramy.pl/viewtopic.php?t=17671

Zainstaluj sp2

i daj raz jeszcze log

#5

tryb awaryjny; (wylacz przywracanie systemu )

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL

[znasz zostawiasz /NIE/ kasacja]

dalej kosmetycznie

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

[pusty dubel]

na koniec

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht! http://vparivalka.com/G7/chm10.chm::/ieloader.exe

O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_60.cab

O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (GINBOARDS Class) - http://67.15.101.3/g_bin/pl/boards_2_0_0_18.cab

O16 - DPF: {A9ED6AA2-D9D4-4D71-9586-E293E2E3580B} (GameDesire Marbies&Diamonds) - http://67.15.101.3/g_bin/pl/marbles_2_0_0_21.cab

O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/pl/wordssingle_2_0_0_34.cab

O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_18.cab

INFO: jak korzystasz i tak powroca

1.)

sciagasz Windows Worms Doors Cleaner v1.4.1

http://www.firewallleaktester.com/tools/wwdc.exe

INFO:

zamylasz porty /ALL/ w tym progsie ze wzgledu na

(brak SP2) - najnowszych UPDATE

2.)

usypiasz jednego antywira (dzialajacego w tle - ma byc tylko 1) ,lub usuwasz ktoregos

3.)

skanujesz system

skanerem na zadanie G DATA Software

http://dobreprogramy.com/index.php?dz=2&t=73&id=846

4.)

sciagasz SpywareBlaster

http://www.javacoolsoftware.com/sbdownload.html

INFO:

zabezpiecza przegladarki

oraz kontroluje ActiveX w Logu Hijack pozycja 016

5.)

skanujesz dysk antyszpiegami PestPatrol, ETD_Security, Ad-Aware

http://download.zonelabs.com/bin/free/p … olHome.exe

http://www.download.com/Ad-Aware-SE-Per … ag=lst-0-1

http://www.download.com/ETD-Security-Sc … 29424.html

INFO: (PestPatrol)

http://www.searchengines.pl/phpbb203/in … entry72774

5.)

skanujesz dysk skanerami AV

–F-Secure–

http://support.f-secure.com/enu/home/ols.shtml

–Softwin (BitDefender)–

http://www.bitdefender.com/scan/licence.php

lub

–Trend Micro (PC-cillin)–

http://housecall.trendmicro.com/houseca … t_corp.asp

:wink: :wink:

#6

Możesz wyłączyć CTFMON.EXE: Panel sterowania => Opcje regionalne=> Języki => Szczegóły => Zaawansowane => zaznaczasz wyłącz zaawansowane usługi tekstowe

#7

Przede wszystkim, to dziękuję za pomoc !!

Mój log wygląda teraz tak …

Logfile of HijackThis v1.99.0

Scan saved at 14:45:43, on 2005-02-17

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Anti-Trojan-55\ATWatch.exe

C:\DOCUME~1\Filip\USTAWI~1\Temp\2005217125751_mcinfo.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Filip\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.onet.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: Shell=explorer.exe 

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL (file missing)

O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [AT-Watch] C:\Program Files\Anti-Trojan-55\ATWatch.exe

O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Filip\USTAWI~1\Temp\2005217125751_mcinfo.exe /insfin

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{AE83C12E-A987-40E9-B593-897C38019276}: NameServer = 10.0.1.1

O20 - AppInit_DLLs: zfcl6hjgopn5w3ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.

O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

udało mi się w końcu zmienić stronę startową ;P:P:P, ale nie mogę wyrzucić innych rzeczy,m.in O20 - AppInit_DLLs: zfcl6hjgopn5w3ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll. Tak swoją drogą, to co to jest ??!?!? !!

Pozdrawiam, Filip

#8

Z trybu awaryjnego napewno usuniesz.

#9

To jest ciężki do usunięcia trojan, w twoim logu ma on postać:

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL (file missing)

O20 - AppInit_DLLs: zfcl6hjgopn5w3ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.

Tutaj masz opis jak go usunąć