severah
(Severah)
23 August 2006 17:57
#1
Well then, I scanned the computer with PrevX1 and now I have 5 infected msjavames.exe files and 3 other infected files in quarantine; I don't know how to get rid of them for good… please help.
Logfile of HijackThis v1.99.1
Scan saved at 19:57:33, on 2006-08-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\Explorer.exe
D:\PROGRA~1\Wanadoo\TaskbarIcon.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Common Files\AOL\1155921827\ee\AOLSoftware.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Dialer Killer\DialKill.exe
D:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Prevx1\PXAgent.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Prevx1\PXConsole.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\WINZIP\winzip32.exe
D:\Documents and Settings\Linda\Ustawienia lokalne\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.grono.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi … earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def … .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def … .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=Explorer.exe msjavames.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\System32\userinit.exe,msjavames.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - D:\Documents and Settings\All Users\Dane aplikacji\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - D:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [WOOWATCH] D:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] D:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM…\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM…\Run: [adiras] adiras.exe
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM…\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM…\Run: [HostManager] D:\Program Files\Common Files\AOL\1155921827\ee\AOLSoftware.exe
O4 - HKLM…\Run: [iPHSend] D:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM…\Run: [PrevxOne] D:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM…\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM…\Run: [DialerKiller] D:\Program Files\Dialer Killer\DialKill.exe -h
O4 - HKLM…\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU…\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU…\RunServices: [Ms Java for Windows 98, NT, ME & XP] msjavames.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: http://www.ang.pl
O15 - Trusted Zone: http://www.bbc.co.uk
O15 - Trusted Zone: poczta.gazeta.pl
O15 - Trusted Zone: serwisy.gazeta.pl
O15 - Trusted Zone: http://www.gazeta.pl
O15 - Trusted Zone: http://www.neostrada.pl
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c … st0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 0943663201
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house … hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru … ebscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe … loader.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/g … anager.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip…{45409FE3-0C65-4B50-8612-5B04963A40C6}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: UPnP Tray Monitor - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - D:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
Myszak
(Myszonus)
23 August 2006 18:01
#2
F2 - REG:system.ini: Shell=Explorer.exe msjavames.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\System32\userinit.exe,msjavames.exe
O4 - HKCU…\RunServices: [Ms Java for Windows 98, NT, ME & XP] msjavames.exe
O21 - SSODL: UPnP Tray Monitor - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
Boot into safe mode and turn off System Restore.
Delete the entries with HijackThis.
Use Killbox. Run it, tick Delete on reboot, and paste this path into the full path of file field:
D:\WINDOWS\System32\msjavames.exe
Click X and reboot the PC.
Post a log from Silent Runners – here's a description.
Install SP2.
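Added here as an illustration (not code from either poster): a small Python check that reads HijackThis log lines and flags the kind of entries Myszak picked out above, i.e. an extra program appended to the system.ini Shell or UserInit value, anything under the RunServices key, and an SSODL entry whose file is missing. The sample lines are taken from the log posted in #1.

```python
import re

# Expected defaults for the two entries HijackThis reports as F2. Anything
# appended after them is an extra program started at every logon.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = "userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
# Matches "O4 - HKLM\..\Run: [name] command" as well as the forum-elided "HKLM…\Run:" form.
O4_RE = re.compile(r"^O4 - (HK\w+)\S*\\(Run\w*): \[(.*?)\] (.*)$")

# Lines copied from the HijackThis log in post #1.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe msjavames.exe",
    r"F2 - REG:system.ini: UserInit=D:\WINDOWS\System32\userinit.exe,msjavames.exe",
    r"O4 - HKLM…\Run: [WOOWATCH] D:\PROGRA~1\Wanadoo\Watch.exe",
    r"O4 - HKCU…\RunServices: [Ms Java for Windows 98, NT, ME & XP] msjavames.exe",
    r"O21 - SSODL: UPnP Tray Monitor - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)",
]


def suspicious_f2(line):
    """Return the extra executables in an F2 Shell/UserInit entry, or [] if it is clean."""
    m = F2_RE.match(line.strip())
    if not m:
        return []
    key, value = m.group(1), m.group(2)
    # Shell is space separated, UserInit is comma separated (paths may contain spaces).
    parts = value.split() if key == "Shell" else [p.strip() for p in value.split(",")]
    default = DEFAULT_SHELL if key == "Shell" else DEFAULT_USERINIT
    return [p for p in parts if p and not p.lower().endswith(default)]


def hijacked_entries(log_lines):
    """Return (entry type, detail) pairs for autostart entries that need a closer look."""
    findings = []
    for line in log_lines:
        extras = suspicious_f2(line)
        if extras:
            findings.append(("F2", ", ".join(extras)))
        m = O4_RE.match(line.strip())
        # RunServices is a Windows 9x-era key; software written for XP does not use it.
        if m and m.group(2) == "RunServices":
            findings.append(("O4", m.group(4)))
        # An SSODL entry whose DLL no longer exists is a leftover that should be removed.
        if line.startswith("O21 - SSODL:") and line.rstrip().endswith("(no file)"):
            findings.append(("O21", line.split("SSODL: ", 1)[1]))
    return findings


if __name__ == "__main__":
    for kind, detail in hijacked_entries(SAMPLE_LOG):
        print(kind, detail)
```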
severah
(Severah)
23 August 2006 19:25
#3
And how do you boot into safe mode and turn off System Restore? Sorry, but I'm a beginner.