Log do sprawdzenia - upierdliwy trojan :/

Dla specjalistów Bezpieczeństwo
#1

Kolega nie może usunąć trojana, więc podaje loga:

Logfile of HijackThis v1.99.1

Scan saved at 21:26:34, on 06-03-29

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\windows\mousepad6.exe

C:\Program Files\SurfAccuracy\SAcc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\ampypeas.exe

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\?ecurity\w?auboot.exe

C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe

C:\Program Files\Winamp\winamp.exe

C:\Documents and Settings\KAWEK\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tenbit.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O1 - Hosts: 217.96.35.130 auto.search.msn.com

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard6.exe

O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad6.exe

O4 - HKLM\..\Run: [newname] C:\windows\newname6.exe

O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\ampypeas.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Rara] "C:\DOCUME~1\KAWEK\MOJEDO~1\YMBOLS~1\msconfig.exe" -vt yax

O4 - HKCU\..\Run: [zwfi] C:\PROGRA~1\COMMON~1\zwfi\zwfim.exe

O4 - Startup: Alarm v1.0.lnk = C:\Bonus 1\win 95_98 PL\alarmv12\Alarm.exe

O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk142YYPL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c567.cab?4e918170d5aab5957cf40b084290b486e1a6399dfddc5d4b39e53a0ade7744fe6ddff21ac8720b79246e15d6c5352b987d95f56d87cfc55dbd03f24980ac7395491150a1:6dca6baa6610edcaf4460de3c4f368c4

O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\n24s0ch7ef4.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
#2

Wpis R3 nie usuwasz hijackiem tylko usuniesz Registrar Lite, opis masz TUTAJ

Start >>> Uruchom >>> services.msc >>> zatrzymaj i wyłącz Network Monitor

Użyj Look2Me-Destroyer.exe, po tym narzędziu ściągnij l2mfix.exe i daj log nr 1 z narzędzia L2Mfix

  1. Wyłączyć Przywracanie systemu w XP TU

  2. Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).

  3. Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte.

  4. Skasować z dysku pliki i foldery, które podkreśliłem na czerwono

  5. Dokończyć skanerami online - Scanery do wyboru

  6. Pokazać nowy log :stuck_out_tongue:

Scan EWIDO po update :wink: