Log do sprawdzenia

Dla specjalistów Bezpieczeństwo
#1

Proszę o sprawdzenie loga mojej znajomej. Miała kilka wirusów, a poza tym wolno Jej komputer chodził. Nie podoba mi się kilka wpisów ale wolę się poradzić specjalistów.

Z góry wielki dzięki.

Logfile of HijackThis v1.99.1

Scan saved at 17:55:13, on 2005-07-06

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

D:\Program Files\Avast 4.6\aswUpdSv.exe

C:\YDPDict\watch.exe

D:\Program Files\Avast 4.6\ashServ.exe

D:\PROGRA~1\AVAST4~1.6\ashDisp.exe

D:\Program Files\Java Runtime\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

D:\Program Files\Avast 4.6\ashWebSv.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

D:\Program Files\Avast 4.6\ashMaiSv.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\System32\msiexec.exe

D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\System32\MsiExec.exe

C:\Documents and Settings\Dominik\Pulpit\Hijaktis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F3 - REG:win.ini: load=C:\YDPDict\watch.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM…\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM…\Run: [avast!] D:\PROGRA~1\AVAST4~1.6\ashDisp.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] D:\Program Files\Java Runtime\bin\jusched.exe

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java Runtime\bin\npjpi150_02.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java Runtime\bin\npjpi150_02.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O15 - Trusted Zone: *.crazywinnings.com

O15 - Trusted Zone: *.iframedollars.biz

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.crazywinnings.com (HKLM)

O15 - Trusted Zone: *.iframedollars.biz (HKLM)

O15 - Trusted Zone: *.skoobidoo.com (HKLM)

O15 - Trusted Zone: *.windupdates.com (HKLM)

O15 - Trusted IP range: 69.50.161.82

O15 - Trusted IP range: 69.50.161.82 (HKLM)

O15 - ProtocolDefaults: ‘http’ protocol is in Trusted Zone, should be Internet Zone

O15 - ProtocolDefaults: ‘https’ protocol is in Trusted Zone, should be Internet Zone

O15 - ProtocolDefaults: ‘http’ protocol is in Trusted Zone, should be Internet Zone (HKLM)

O15 - ProtocolDefaults: ‘https’ protocol is in Trusted Zone, should be Internet Zone (HKLM)

O17 - HKLM\System\CCS\Services\Tcpip…{9FA2CFEF-13C8-4708-9EEB-B7E16B6CEFC1}: NameServer = 80.244.142.250 80.244.128.1

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Avast 4.6\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Avast 4.6\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Avast 4.6\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Avast 4.6\ashWebSv.exe" /service (file missing)

O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#2

Wszystkie czynności wykonujesz w trybie awaryjnym [F8] w czasie bootowania komputera z wyłączonym przywracaniem systemu. Gdybyś nie wiedział, jak to zrobić, zobacz TU.

I kasujesz w Hijackthis wpisy:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Następnie kasujesz wpisy 015 z Hijacka. Jeśli będą z którymś problemy, użyj KillTrusted 0.6.http://www.searchengines.pl/phpbb203/in … pic=26221#

O15 - Trusted Zone: *.crazywinnings.com

O15 - Trusted Zone: *.iframedollars.biz

O15 - Trusted Zone: *.skoobidoo.com

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.crazywinnings.com (HKLM)

O15 - Trusted Zone: *.iframedollars.biz (HKLM)

O15 - Trusted Zone: *.skoobidoo.com (HKLM)

O15 - Trusted Zone: *.windupdates.com (HKLM)

O15 - Trusted IP range: 69.50.161.82

O15 - Trusted IP range: 69.50.161.82 (HKLM)

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone

O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)

MSN Messenger jeśli nie używasz, usuń tym:

http://www.amnezja.org/modules.php?name … e&sid=4369

Wyczyść katalogi TEMP, Prefetch z katalogu systemowego WINDOWS.

I na koniec skan skanerami online i nowy log.

#3

SP2 by jej się przydał - łatki - może wyłączyć jego firewall i używać Kerio,a także zmiana przeglądarki z IE na Firefox

#4

Sorry Boczi, że tak długo nie odpowiadałem. Oto nowy log po usunięciu tych wpisów co podałeś.

Logfile of HijackThis v1.99.1

Scan saved at 20:58:15, on 2005-07-07

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

D:\Program Files\Avast 4.6\aswUpdSv.exe

C:\YDPDict\watch.exe

D:\Program Files\Avast 4.6\ashServ.exe

D:\PROGRA~1\AVAST4~1.6\ashDisp.exe

D:\Program Files\Java Runtime\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

D:\Program Files\Avast 4.6\ashWebSv.exe

D:\Program Files\Avast 4.6\ashMaiSv.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Documents and Settings\Dominik\Pulpit\Hijaktis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F3 - REG:win.ini: load=C:\YDPDict\watch.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM…\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM…\Run: [avast!] D:\PROGRA~1\AVAST4~1.6\ashDisp.exe

O4 - HKLM…\Run: [sunJavaUpdateSched] D:\Program Files\Java Runtime\bin\jusched.exe

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java Runtime\bin\npjpi150_02.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java Runtime\bin\npjpi150_02.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O17 - HKLM\System\CCS\Services\Tcpip…{9FA2CFEF-13C8-4708-9EEB-B7E16B6CEFC1}: NameServer = 80.244.142.250 80.244.128.1

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Avast 4.6\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Avast 4.6\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Avast 4.6\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Avast 4.6\ashWebSv.exe" /service (file missing)

O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#5

Witam.

Log czysty :smiley:

Kosmetyka

Z autostartu (start -> uruchom -> msconfig) z zakładki Uruchamianie możesz poodznaczać:

nwiz.exe

NeroCheck.exe

jusched.exe

ctfmon.exe

Adobe Gamma Loader.exe

Zainstaluj SP2. :slight_smile:

#6

Wielkie dzięki Boczi w imieniu mojej znajomej.