konripl
(Info)
7 March 2009 16:48
#1
Hello,
I have the following problem: I caught some junk. The cmd command stopped working, and the firewall is blocking service.exe, which is trying to connect to strange IPs, e.g. 218.61.7.9.
Please check the log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:46:49, on 2009-03-07
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
D:\WINDOWS\system32\ThpSrv.exe
D:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
D:\PROGRA~1\VPOINT~1\SUservice.exe
D:\WINDOWS\system32\SearchIndexer.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Apoint2K\Apoint.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
D:\WINDOWS\system32\00THotkey.exe
D:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
D:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
D:\WINDOWS\system32\TPSMain.exe
D:\Program Files\TOSHIBA\TouchED\TouchED.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
D:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
D:\WINDOWS\system32\TPSBattM.exe
D:\Program Files\Protector Suite QL\psqltray.exe
D:\Program Files\Apoint2K\Apntex.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Apoint] D:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [igfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [00THotkey] D:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PSQLLauncher] "D:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [TMERzCtl.EXE] D:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] D:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] D:\Program Files\TOSHIBA\TouchED\TouchED.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Microsoft Shell Execute] C:\WINDOWS\isass.exe
O4 - HKLM\..\Run: [smcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] D:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Bluetooth Manager.lnk = ?
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - D:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: HASP License Manager (hasplms) - Unknown owner - D:\WINDOWS\system32\hasplms.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SQL Active Directory Helper Service (MSSQLServerADHelper100) - Unknown owner - D:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - D:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Ochrona dysku twardego TOSHIBA (Thpsrv) - TOSHIBA Corporation - D:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - D:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: VCON MXMSU Service - Unknown owner - D:\PROGRA~1\VPOINT~1\SUservice.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6331 bytes
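A triage check of the kind a helper applies when reading a posted HijackThis log, as an added example that is not part of this thread: it takes a few O4/O23 lines from the log above and the D:\WINDOWS system root visible in its "Running processes" section, and flags a file name that imitates a core system binary, a "Windows" directory on a drive other than the system root, and services whose binary is missing. The list of core process names and the character-collapsing rule are my own assumptions; a hit is a lead to look at, not a verdict.

```python
import re

# Lines taken from the HijackThis log posted above (not constructed); the
# system root comes from the "Running processes" section, which lives on D:.
SYSTEM_ROOT = r"D:\WINDOWS"
HJT_LINES = [
    r"O4 - HKLM\..\Run: [Apoint] D:\Program Files\Apoint2K\Apoint.exe",
    r"O4 - HKLM\..\Run: [Microsoft Shell Execute] C:\WINDOWS\isass.exe",
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O23 - Service: HASP License Manager (hasplms) - Unknown owner - D:\WINDOWS\system32\hasplms.exe (file missing)",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe",
]

# Assumed list of core Windows binaries that malware likes to impersonate.
CORE_PROCS = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe", "services.exe", "winlogon.exe"}
# First drive-letter path ending in .exe on the line (surrounding quotes and arguments ignored).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

def normalize(name: str) -> str:
    """Collapse characters commonly swapped to fake a system binary name (assumed rule: i/1/| -> l, 0 -> o)."""
    return name.lower().translate(str.maketrans("i1|0", "lllo"))

def triage(line: str, system_root: str = SYSTEM_ROOT) -> list[str]:
    """Return the reasons an O4/O23 line deserves a closer look (empty list = nothing noted)."""
    findings = []
    m = PATH_RE.search(line)
    if not m:
        return findings
    path = m.group(1)
    name = path.rsplit("\\", 1)[-1].lower()
    drive = path[0].upper()
    if "(file missing)" in line.lower():
        findings.append("service binary missing on disk")
    if normalize(name) in CORE_PROCS and name not in CORE_PROCS:
        findings.append(f"{name} looks like system process {normalize(name)}")
    if name in CORE_PROCS and not path.lower().startswith(system_root.lower() + "\\system32\\"):
        findings.append(f"{name} loaded from outside {system_root}\\system32")
    if "\\windows\\" in path.lower() and drive != system_root[0].upper():
        findings.append(f"Windows directory on drive {drive}: but the system root is {system_root}")
    return findings

def suspicious(lines):
    """Map each flagged log line to its findings."""
    return {line: triage(line) for line in lines if triage(line)}

if __name__ == "__main__":
    for line, why in suspicious(HJT_LINES).items():
        print(line, "->", "; ".join(why))
```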
Leon1
(Leon$)
7 March 2009 17:08
#2
Remove with HijackThis >> Fix checked
Download ComboFix http://www.searchengines.pl/index.php?s … ntry395642 but do not run it
While downloading and scanning with ComboFix, please disable all firewalls and antivirus programs
Open Notepad and paste
Save as CFScript.txt (save it so that the CFScript.txt icon sits next to the ComboFix.exe icon) >> Drag and drop the CFScript.txt icon onto the ComboFix.exe icon
The removal should start
Then post the ComboFix removal log