Problem with gg, internet keeps disconnecting


(Goldenkeylogger) #1

I have a problem: Kerio shows an attack

C:\Windows\System32\dllcache\qxchost.exe

The computer is generally infected with various viruses and trojans.

I removed some of them and noticed an improvement, but something is still wrong with it.

Here are the logs:

Logfile of HijackThis v1.99.1

Scan saved at 11:41:27, on 2007-06-03

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\System32\cisvc.exe

F:\Program Files\Winamp\winampa.exe

C:\Program Files\BearShare\BearShare.exe

C:\WINDOWS\winlogin.exe

C:\WINDOWS\system32\srvcc.exe

C:\WINDOWS\System32\svcchosst.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

C:\WINDOWS\System32\dllcache\qxchost.exe

C:\WINDOWS\system\msdll.exe

C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE

C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\WINDOWS\system\msnntlp.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\PROGRA~1\NEOSTR~1\Watch.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\cidaemon.exe

C:\Documents and Settings\Anna\Pulpit\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

O4 - HKLM\..\Run: [sched] C:\WINDOWS\taskmrg.exe

O4 - HKLM\..\Run: [taskmgr] C:\WINDOWS\winlogin.exe

O4 - HKLM\..\Run: [johnj3155] C:\WINDOWS\system32\srvcc.exe

O4 - HKLM\..\Run: [msvccc66] svcchosst.exe

O4 - HKLM\..\Run: [Windows Security Center Notification Appls] C:\WINDOWS\System32\sxe.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Spik] C:\Program Files\Spik\Spik.exe -autostart

O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe

O4 - HKLM\..\RunServices: [Iexplore Data1 Center] C:\WINDOWS\System32\clockz.exe

O4 - HKLM\..\RunServices: [Windows Security Center Notification Applsee] C:\WINDOWS\System32\sysecurex.exe

O4 - HKLM\..\RunServices: [system32] C:\WINDOWS\System\uninst32.exe

O4 - HKLM\..\RunServices: [system] C:\WINDOWS\System\bootchk.exe

O4 - HKLM\..\RunServices: [uninst32] C:\WINDOWS\System\windat32.exe

O4 - HKLM\..\RunServices: [bootchk] C:\WINDOWS\System\scvhost.exe

O4 - HKLM\..\RunServices: [clsid] C:\WINDOWS\System\memory.exe

O4 - HKLM\..\RunServices: [user32] C:\WINDOWS\System\debug.exe

O4 - HKLM\..\RunServices: [reg32] C:\WINDOWS\System\sched.exe

O4 - HKLM\..\RunServices: [cmd] C:\WINDOWS\System\taskmrg.exe

O4 - HKLM\..\RunServices: [sched] C:\WINDOWS\System\winlogin.exe

O4 - HKLM\..\RunServices: [taskmgr] C:\WINDOWS\System32\comsys.exe

O4 - HKLM\..\RunServices: [winlogon] C:\WINDOWS\System32\sysvc32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [johnj3155] C:\WINDOWS\system32\srvcc.exe

O4 - HKCU\..\Run: [system32] C:\WINDOWS\redegit.exe

O4 - HKCU\..\Run: [bootchk] C:\WINDOWS\windat32.exe

O4 - HKCU\..\Run: [clsid] C:\WINDOWS\scvhost.exe

O4 - HKCU\..\Run: [user32] C:\WINDOWS\memory.exe

O4 - HKCU\..\Run: [reg32] C:\WINDOWS\debug.exe

O4 - HKCU\..\Run: [cmd] C:\WINDOWS\sched.exe

O4 - HKCU\..\Run: [sched] C:\WINDOWS\taskmrg.exe

O4 - HKCU\..\Run: [taskmgr] C:\WINDOWS\winlogin.exe

O4 - HKCU\..\Run: [Windows Security Center Notification Appls] C:\WINDOWS\System32\sxe.exe

O4 - HKCU\..\Run: [MSN MESSENGER 9.0] messengerr.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\RunServices: [system32] C:\WINDOWS\System\uninst32.exe

O4 - HKCU\..\RunServices: [system] C:\WINDOWS\System\bootchk.exe

O4 - HKCU\..\RunServices: [uninst32] C:\WINDOWS\System\windat32.exe

O4 - HKCU\..\RunServices: [bootchk] C:\WINDOWS\System\scvhost.exe

O4 - HKCU\..\RunServices: [clsid] C:\WINDOWS\System\memory.exe

O4 - HKCU\..\RunServices: [user32] C:\WINDOWS\System\debug.exe

O4 - HKCU\..\RunServices: [reg32] C:\WINDOWS\System\sched.exe

O4 - HKCU\..\RunServices: [cmd] C:\WINDOWS\System\taskmrg.exe

O4 - HKCU\..\RunServices: [sched] C:\WINDOWS\System\winlogin.exe

O4 - HKCU\..\RunServices: [taskmgr] C:\WINDOWS\System32\comsys.exe

O4 - HKCU\..\RunServices: [winlogon] C:\WINDOWS\System32\sysvc32.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O17 - HKLM\System\CCS\Services\Tcpip\..\{451E5AE6-BCCB-4950-AFD1-95CC40590DFF}: NameServer = 194.204.152.34 217.98.63.164

O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Spik\url_wpmsg.dll

O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe

O23 - Service: msdll - Unknown owner - C:\WINDOWS\system\msdll.exe

O23 - Service: msnntlp - Unknown owner - C:\WINDOWS\system\msnntlp.exe

O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

"johnj3155" = "C:\WINDOWS\system32\srvcc.exe" [null data]

"system32" = "C:\WINDOWS\redegit.exe" [null data]

"bootchk" = "C:\WINDOWS\windat32.exe" [null data]

"clsid" = "C:\WINDOWS\scvhost.exe" [null data]

"user32" = "C:\WINDOWS\memory.exe" [null data]

"reg32" = "C:\WINDOWS\debug.exe" [null data]

"cmd" = "C:\WINDOWS\sched.exe" [null data]

"sched" = "C:\WINDOWS\taskmrg.exe" [null data]

"taskmgr" = "C:\WINDOWS\winlogin.exe" [null data]

"Windows Security Center Notification Appls" = "C:\WINDOWS\System32\sxe.exe" [file not found]

"MSN MESSENGER 9.0" = "messengerr.exe" [file not found]

"Gadu-Gadu" = ""C:\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]

"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]

"RemoteControl" = ""D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]

"NWEReboot" = "(empty string)" [file not found]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

"WinampAgent" = "F:\Program Files\Winamp\winampa.exe" [null data]

"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]

"sched" = "C:\WINDOWS\taskmrg.exe" [null data]

"taskmgr" = "C:\WINDOWS\winlogin.exe" [null data]

"johnj3155" = "C:\WINDOWS\system32\srvcc.exe" [null data]

"msvccc66" = "svcchosst.exe" [null data]

"Windows Security Center Notification Appls" = "C:\WINDOWS\System32\sxe.exe" [file not found]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]

"Spik" = "C:\Program Files\Spik\Spik.exe -autostart" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{B4B924A2-EBDA-11DA-95DA-00E08161165F}" = "Dodatki Spika"

  -> {HKLM...CLSID} = "SpikShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Spik\shellext_wpmsg.dll" ["Wirtualna Polska"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<> crypt\DLLName = "crypts.dll" [null data]

<> rpcc\DLLName = "C:\WINDOWS\System32\rpcc.dll" [null data]
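Added example, not part of the thread and not code from HijackThis or Silent Runners: a small Python script that applies the checks an analyst runs mentally over O4 entries like the ones in the log above, so the same pattern can be spotted in any HijackThis log. It flags four things: a value that sits in the RunServices key (a Windows 9x startup key that legitimate XP software rarely writes to), a bare filename with no directory, an executable name within edit distance 2 of a real system binary (winlogin.exe, scvhost.exe, redegit.exe, taskmrg.exe), and a value name that borrows a system binary's name but launches something else. The KNOWN_SYSTEM_BINARIES list, the distance threshold of 2 and the sample lines (copied from this log, plus two clean entries for contrast) are my own choices.

```python
import re
from pathlib import PureWindowsPath

# Names of Windows system binaries that malware frequently imitates (my own list).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "winlogon.exe", "regedit.exe", "taskmgr.exe", "lsass.exe",
    "services.exe", "csrss.exe", "smss.exe", "explorer.exe", "ctfmon.exe",
    "spoolsv.exe",
}
KNOWN_STEMS = sorted(name[:-4] for name in KNOWN_SYSTEM_BINARIES)

# HijackThis O4 registry entries look like:
#   O4 - HKLM\..\Run: [value name] C:\path\to\program.exe /args
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
    r"\[(?P<value>[^\]]*)\] (?P<cmd>.*)$"
)

# Constructed sample: O4 lines taken from the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [taskmgr] C:\WINDOWS\winlogin.exe
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKLM\..\RunServices: [bootchk] C:\WINDOWS\System\scvhost.exe
O4 - HKLM\..\RunServices: [winlogon] C:\WINDOWS\System32\sysvc32.exe
O4 - HKCU\..\Run: [system32] C:\WINDOWS\redegit.exe
O4 - HKCU\..\Run: [sched] C:\WINDOWS\taskmrg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
"""


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd):
    """Return the program path from a command line: the quoted part, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess_o4_line(line):
    """Return (value_name, path, reasons) for an O4 registry line, or None if it is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path = executable_of(m["cmd"])
    exe = PureWindowsPath(path).name.lower()
    stem = exe[:-4] if exe.endswith(".exe") else exe
    reasons = []
    if m["key"] == "RunServices":
        reasons.append("RunServices key (Windows 9x key; rarely used by legitimate XP software)")
    if "\\" not in path:
        reasons.append("bare filename, resolved via search path rather than a fixed location")
    if exe not in KNOWN_SYSTEM_BINARIES:
        # A near-miss of a real system binary name is the classic disguise.
        for known in KNOWN_STEMS:
            if levenshtein(stem, known) <= 2:
                reasons.append(f"lookalike of {known}.exe")
                break
    value_stem = m["value"].lower()
    if value_stem.endswith(".exe"):
        value_stem = value_stem[:-4]
    if value_stem in KNOWN_STEMS and exe != value_stem + ".exe":
        reasons.append(f"value name mimics {value_stem}.exe but runs {exe}")
    return m["value"], path, reasons


def suspicious_o4_entries(log_text):
    """All O4 registry entries in a HijackThis log that trip at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        result = assess_o4_line(line)
        if result and result[2]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for value, path, reasons in suspicious_o4_entries(SAMPLE_LOG):
        print(f"[{value}] {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run it as-is and it reports six of the ten sample entries; the SpeedTouch, avast! and CTFMON.EXE lines pass clean because their executables are real names in their expected places. The heuristics are only a first pass: a match is a reason to check the file's signature, size and location, not proof on its own.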

(Heniu133) #2

Download The Avenger,

unpack > run > Input script manually > click the magnifying glass > in the newly opened window paste:

After pasting > Done > click the green light > OK and there will be a restart.

After that, post a log from ComboFix.