Logi do sprawdzenia po trojanie

Vanilly · 16 Czerwiec 2007 07:19

Logfile of HijackThis v1.99.1 Scan saved at 09:04:26, on 2007-06-16 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\explorer.exe C:\Program Files\Gadu-Gadu\gg.exe C:\WINDOWS\system32\taskmgr.exe C:\Documents and Settings\Żana\Pulpit\Nieużywane skróty pulpitu\Skype\Phone\Skype.exe C:\Program Files\Winamp\winamp.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\dwwin.exe C:\WINDOWS\system32\cmd.exe C:\Documents and Settings\Żana\Pulpit\Nieużywane skróty pulpitu\HijackThis.exe C:\WINDOWS\system32\ping.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [Detect Mode] C:\Program Files\ABIT\ABIT vGuru\OCGuru\DetectMode.exe O4 - HKLM…\Run: [Ad-aware] “C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe” +c O4 - HKLM…\Run: [Ad-watch] “C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe” O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe” O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe” O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Budzik.lnk = C:\Program Files\Budzik\budzik.exe O4 - Startup: Timer Runing (Fast Ram Clean).lnk = C:\Program Files\Fast Ram Clean PRO\timerruning.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint – Dodaj do listy drukowania - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint – Drukuj - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html O8 - Extra context menu item: Easy-WebPrint – Drukuj z dużą szybkością - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint – Podgląd - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/ … nnerV2.ocx O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 9706987453 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O17 - HKLM\System\CCS\Services\Tcpip…{EAC8E3CD-4DDC-49A6-8892-6948BED63455}: NameServer = 217.30.129.149,217.30.137.200 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

ComboFix 07-06-13.3 - C:\Documents and Settings\˝ana\Pulpit\ComboFix.exe “˝ana” - 2007-06-16 9:18:16 - Dodatek Service Pack 2 NTFS ((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 ))))))))))))))))))))))))))))))) 2007-06-16 09:17 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-16 02:22 2007-06-16 02:22 2007-06-15 02:09 2007-06-05 00:26 2007-06-03 12:34 2007-06-03 12:33 2007-05-21 05:58 128,232 --a------ C:\WINDOWS\system32\mucltui.dll 2007-05-21 02:28 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys 2007-05-21 02:27 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-16 07:17:54 -------- d-----w C:\DOCUME~1\ANA~1\DANEAP~1\Skype 2007-06-16 06:46:27 -------- d-----w C:\Program Files\eMule 2007-06-15 18:07:25 -------- d-----w C:\Program Files\Winamp 2007-06-14 17:21:49 153,925 ----a-w C:\WINDOWS\system32\drivers\dump_wmimmc.sys 2007-06-12 07:32:45 -------- d-----w C:\Program Files\Gadu-Gadu 2007-05-19 19:36:17 -------- d-----w C:\Program Files\Lineage II 2007-05-16 15:18:58 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-05-14 22:48:38 -------- d-----w C:\DOCUME~1\ANA~1\DANEAP~1\Gadu-Gadu 2007-05-14 16:50:38 24 ----a-w C:\WINDOWS\popcinfo.dat 2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-04-25 14:23:30 144,896 ----a-w C:\WINDOWS\system32\schannel.dll 2007-04-20 22:13:55 -------- d-----w C:\Program Files\Dynomite 2007-04-18 16:14:32 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-17 14:37:28 -------- d-----w C:\Program Files\Wirtualne Studio Wizazu 2007-04-07 23:16:22 552 ----a-w C:\WINDOWS\system32\d3d8caps.dat 2007-04-06 19:43:39 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat 2007-03-26 00:30:26 68,554 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-03-26 00:30:26 439,538 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-03-17 13:45:36 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56] {68F9551E-0411-48E4-9AAF-4BC42A6A46BE}=C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [2006-06-09 15:37] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2004-07-17 22:10] “Detect Mode”=“C:\Program Files\ABIT\ABIT vGuru\OCGuru\DetectMode.exe” [2004-09-03 15:23] “Ad-aware”=“C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe” [2003-07-12 23:01] “Ad-watch”=“C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe” [2003-02-12 23:04] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe” [2006-11-09 16:07] “SoundMan”=“SOUNDMAN.EXE” [2004-11-15 12:20 C:\WINDOWS\soundman.exe] “iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2007-03-14 20:05] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 17:42] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 01:44] “swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe” [] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [] “Yahoo! Pager”=“C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe” [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{f1c7098f-affe-11db-a435-806d6172696f}] AutoRun\command- E:\ASUSACPI.exe Contents of the ‘Scheduled Tasks’ folder 2007-06-10 20:20:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2007-06-16 01:00:00 C:\WINDOWS\tasks\XoftSpySE.job ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-16 09:19:25 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-16 9:20:02 — E O F —

Złączono Posta : 16.06.2007 (Sob) 9:30

I jeszcze jedno pytanie, dlaczego są programy których nie powinno być bo albo nie były instalowane, albo dawno wykopane są z dysku…?? i dziwne skanery on line, których nie używam w ogóle ?

C:\WINDOWS\system32\ping.exe co to jest ?

bdoscandel.exe a właśnie to zostało określone jako niebezpieczy trojan, mks on line go usunął (ponoć)

ale avast nie widzi mi żadnego zagrożenia

Gutek · 16 Czerwiec 2007 13:31

Process Name: Microsoft Ping Utility

Dokończyć skanerami online - Skanery do wyboru

przeskanuj i daj wynik - http://www.virustotal.com/en/indexf.html

Vanilly · 16 Czerwiec 2007 14:23

Antivirus Version Update Result AhnLab-V3 2007.6.16.0 06.15.2007 no virus found AntiVir 7.4.0.32 06.16.2007 no virus found Authentium 4.93.8 06.16.2007 no virus found Avast 4.7.997.0 06.15.2007 no virus found AVG 7.5.0.467 06.15.2007 no virus found BitDefender 7.2 06.16.2007 no virus found CAT-QuickHeal 9.00 06.16.2007 no virus found ClamAV devel-20070416 06.16.2007 no virus found DrWeb 4.33 06.16.2007 no virus found eSafe 7.0.15.0 06.14.2007 no virus found eTrust-Vet 30.7.3721 06.15.2007 no virus found Ewido 4.0 06.16.2007 no virus found FileAdvisor 1 06.16.2007 No threat detected Fortinet 2.85.0.0 06.16.2007 no virus found F-Prot 4.3.2.48 06.15.2007 no virus found F-Secure 6.70.13030.0 06.15.2007 no virus found Ikarus T3.1.1.8 06.16.2007 no virus found Kaspersky 4.0.2.24 06.16.2007 no virus found McAfee 5054 06.15.2007 no virus found Microsoft 1.2607 06.16.2007 no virus found NOD32v2 2334 06.15.2007 no virus found Norman 5.80.02 06.15.2007 no virus found Panda 9.0.0.4 06.16.2007 no virus found Prevx1 V2 06.16.2007 no virus found Sophos 4.18.0 06.12.2007 no virus found Sunbelt 2.2.907.0 06.16.2007 no virus found Symantec 10 06.16.2007 no virus found TheHacker 6.1.6.133 06.15.2007 no virus found VBA32 3.12.0.2 06.15.2007 no virus found VirusBuster 4.3.23:9 06.16.2007 no virus found Webwasher-Gateway 6.0.1 06.16.2007 BlockReason.0

wynik skanowania z tego pliczku.

dziwi mnie ten ping.exe ponieważ nie miałam nic uruchomionego co mogłoby się z tym wiązać, czy coś mogło to uruchomić ?

[

qrczak13 · 17 Czerwiec 2007 12:58

Jest ok.

O ping.exe

http://www.pcworld.pl/artykuly/5181_1.html