kopec
(Kopec)
15 February 2006 20:16
#1
Hello!
I have a problem. Today, while I was searching for something online, I visited some site through which some trojans got downloaded onto my machine. Kaspersky tried to stop the attack, but apparently something got through anyway. I ran a full scan and it basically found nothing; now every time I start the computer a message appears: "Your computer might be at risk". The problem is the firewall: I can't turn it on, and when I try to it says "Due to an unidentified problem, Windows cannot display Windows Firewall settings".
Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 21:14:04, on 2006-02-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Draco Software\Draco Organizer 2\Organizer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\NetPanel\NetPanel.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Programy\DC++\DC\DCPlusPlus.exe
D:\Programy\totalcmd\TOTALCMD.EXE
D:\Downloads\Antywiry\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.piekary.net/portal
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\Programy\FlashGet\jccatch.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\NetPanel\IEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NetPanel] "C:\Program Files\NetPanel\Starter.exe" /path="C:\Program Files\NetPanel"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Draco Organizer] "C:\Program Files\Draco Software\Draco Organizer 2\Organizer.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Programy\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Programy\FlashGet\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programy\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programy\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: komentator - http://sport.onet.pl/komentator.cab
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_15.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_63.cab
O16 - DPF: {2A781DED-C22D-4153-9812-CEA98A32981C} (GameDesire Makao) - http://67.15.101.3/g_bin/pl/cardsmakao_2_0_0_17.cab
O16 - DPF: {4B4513E2-4E57-43DF-9496-FCD37E9DFA64} (GameDesire Sea Battle) - http://67.15.101.3/g_bin/pl/navy_2_0_0_17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 0032627107
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_36.cab
O16 - DPF: {8626DFA9-2BAC-4BDA-8663-8DAA0F942C0D} - http://megapanel.gem.pl/temp/netp/8133/ … 014700.ocx
O16 - DPF: {881290B9-F53C-4676-8DAF-3DBEFC297308} (GameDesire Makao) - http://67.15.101.3/g_bin/pl/makao_2_0_0_15.cab
O16 - DPF: {A6212120-01D4-11D5-9A39-0080C8D85044} (GameDesire Slots 70th) - http://67.15.101.3/g_bin/pl/slots70_2_0_0_24.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/pl/words_2_0_0_36.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_24.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C4} (GameDesire Pool Training) - http://67.15.101.3/g_bin/pl/billardt_2_0_0_22.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_22.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C6} (GameDesire Pool 8UK) - http://67.15.101.3/g_bin/pl/billard8UK_2_0_0_22.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
Thanks in advance!
Regards!
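An added example that is not part of the thread or of HijackThis itself: a small Python triage script for the log format posted above. It re-splits a log that a forum has run together onto one line, then flags O23 services whose binary is reported "(file missing)" and O16 DPF (ActiveX download) entries fetched from a bare IP address, the two kinds of entry a reviewer of this log would check first. The sample lines are constructed from the posted entries; the function and regex names are my own.

```python
import re
from collections import Counter

# Constructed sample in the HijackThis v1.99 entry format, modelled on the
# kinds of entries in the posted log (a handful of lines, not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\NetPanel\IEHelper.dll
O4 - HKLM\..\Run: [NetPanel] "C:\Program Files\NetPanel\Starter.exe" /path="C:\Program Files\NetPanel"
O16 - DPF: komentator - http://sport.onet.pl/komentator.cab
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_15.cab
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
"""

# An entry starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")
# Forum posts often run the whole log together on one line; split before each tag.
SPLIT_RE = re.compile(r"\s+(?=[RFNO]\d{1,2} - )")
# Download URL whose host is a bare IPv4 address rather than a hostname.
BARE_IP_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/", re.I)


def parse_entries(text):
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        for piece in SPLIT_RE.split(line):
            m = ENTRY_RE.match(piece.strip())
            if m:
                entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Flag entries a reviewer would look at first, plus a per-section count."""
    findings = {"missing_service_binary": [], "dpf_from_bare_ip": [], "counts": Counter()}
    for sec, body in parse_entries(text):
        findings["counts"][sec] += 1
        if sec == "O23" and body.endswith("(file missing)"):
            # Service registration whose binary is gone: leftover of an uninstall or a removal.
            findings["missing_service_binary"].append(body)
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            m = BARE_IP_RE.match(url)
            if m:
                # ActiveX packages fetched from a raw IP deserve a closer look.
                findings["dpf_from_bare_ip"].append((m.group(1), url))
    return findings
```

Running `triage(SAMPLE_LOG)` on the sample reports the MDM service with the missing binary and the GameDesire package served from 67.15.101.3, while the Windows Update and onet.pl entries pass unflagged.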
Gutek
(Gutek)
15 February 2006 20:49
#2
Uninstall it in Add/Remove Programs and then delete the folder by hand.
Download Ewido
http://www.searchengines.pl/phpbb203/lo … 16762.html run an update and scan.
kopec
(Kopec)
15 February 2006 22:52
#3
So I did exactly what you wrote. Ewido found plenty of junk and I think the computer is fairly clean now; I downloaded the Windows updates, but as for the firewall nothing helped, I still can't turn it on. I don't know what's going on; when I searched online, people dealt with it by simply turning it off, or with a format, which I'm not even considering 8)
Does anyone have any more ideas?
Thanks for the reply and regards!
Gutek
(Gutek)
15 February 2006 23:08
#4
Start >>> Run >>> services.msc
Find the Security Center service, stop it from the right-click menu, and in Properties set Startup type to Disabled.
kuz5
(Kuz5)
15 February 2006 23:49
#6
kopec:
Thanks! Regards!
Did it help??
You could also post a log from SilentRunners
kopec
(Kopec)
16 February 2006 00:15
#7
As far as I can tell, I just turned that feature off and the warning 'balloon' no longer appears, but as for the firewall I still can't start it. Below is the Silent Runners log:
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Draco Organizer" = ""C:\Program Files\Draco Software\Draco Organizer 2\Organizer.exe" /tray" ["Draco Software"]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"KAVPersonal50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = "IeCatch2 Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "D:\Programy\FlashGet\jccatch.dll" ["Amaze Soft"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}" = "Kreator publikacji w sieci Web"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [file not found]
"{add36aa8-751a-4579-a266-d66f5202ccbb}" = "Zamawianie odbitek w sieci Web"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [file not found]
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}" = "Obiekt powłoki kreatora publikacji"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [file not found]
"{58f1f272-9240-4f51-b6d4-fd63d1618591}" = "Kreator uzyskiwania profilu usługi Passport"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\netplwiz.dll" [file not found]
"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile"
  -> {CLSID}\InProcServer32\(Default) = "D:\Programy\Telefon\Siemens Data Suite\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile ContextMenuHandler"
  -> {CLSID}\InProcServer32\(Default) = "D:\Programy\Telefon\Siemens Data Suite\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile PropertySheetHandler"
  -> {CLSID}\InProcServer32\(Default) = "D:\Programy\Telefon\Siemens Data Suite\DES\DESShellExt.dll" ["Siemens AG"]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org1.1.4\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software, Karlsbad, Germany"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{CCA60260-A2C9-11D2-BA62-0020188191B2}" = "Registrar Registry Manager SHell Extension"
  -> {CLSID}\InProcServer32\(Default) = "rrShellX.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: "]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Adam\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Adam" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Adam\Menu Start\Programy\Autostart
"OpenOffice.org 1.1.4" -> shortcut to: "C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 27
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}" = "&SearchBar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "D:\Programy\FlashGet\flashget.exe" ["Amaze Soft"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Crypkey License, Crypkey License, "crypserv.exe" ["Kenonic Controls Ltd."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
InCD File System Service, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["AHEAD Software"]
kavsvc, kavsvc, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"" ["Kaspersky Lab"]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 19 seconds, including 6 seconds for message boxes)
And here is what pops up when I try to turn on the firewall:
http://img306.imageshack.us/img306/9177/blad6lz.jpg
Regards!
Gutek
(Gutek)
16 February 2006 00:40
#8