Request to check a log - THXS

This time it's a friend's computer. Again, THXS in advance.


DLL Compare showed:

* DLLCompare Log version(1.0.0.127)

Files Found that Windows does not See or cannot Access

*Not everything listed here means you are infected!

________________________________________________

C:\WINNT\SYSTEM32\mfc421.dll Wed 2001-06-13 1:00:00 A…H. 20 489 20,01 K

________________________________________________

1 203 items found: 1 203 files (1 H/S), 0 directories.

Total of file sizes: 228 441 670 bytes 217,86 M

Administrator Account = True

--------------------End log---------------------

HiJack:

Logfile of HijackThis v1.99.1

Scan saved at 10:23:20, on 2005-03-07

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\Mixer.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\AVerTV2K\QuickTV.exe

C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe

E:\TPK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TCP Monitoring] LanNSvc.exe

O4 - HKLM\..\Run: [Client Server Runtime Process] csrsss.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DumpFaultCheck] C:\WINNT\system32

O4 - HKLM\..\Run: [bmsvc32] bmsvc32.exe

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\RunServices: [TCP Monitoring] LanNSvc.exe

O4 - HKLM\..\RunServices: [Client Server Runtime Process] csrsss.exe

O4 - HKLM\..\RunServices: [DumpFaultCheck] C:\WINNT\system32

O4 - HKLM\..\RunServices: [bmsvc32] bmsvc32.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV2K\QuickTV.exe

O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ … .0.228.cab

O17 - HKLM\System\CS2\Services\Tcpip\..\{1A63DF98-F0C4-44CC-95D2-9AAFE4D454C7}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

O23 - Service: Windows Management NetWork Service Extensions - Unknown owner - NetManager.exe (file missing)

With System Restore turned off, kill the following processes in Task Manager (End Process) and delete them from the disk:

LanNSvc.exe=RANDEX.AAS WORM

csrsss.exe=SDBOT-LD WORM

bmsvc32.exe=W32/Agobot-NX

Fix the following entries:

O4 - HKLM\..\Run: [TCP Monitoring] LanNSvc.exe

O4 - HKLM\..\Run: [Client Server Runtime Process] csrsss.exe

O4 - HKLM\..\Run: [DumpFaultCheck] C:\WINNT\system32

O4 - HKLM\..\Run: [Bmsvc32] bmsvc32.exe

O4 - HKLM\..\RunServices: [TCP Monitoring] LanNSvc.exe

O4 - HKLM\..\RunServices: [Client Server Runtime Process] csrsss.exe

O4 - HKLM\..\RunServices: [DumpFaultCheck] C:\WINNT\system32

O4 - HKLM\..\RunServices: [Bmsvc32] bmsvc32.exe

O23 - Service: Windows Management NetWork Service Extensions - Unknown owner - NetManager.exe (file missing)

then scan the system with this:

http://forum.dobreprogramy.pl/viewtopic.php?t=17671

and post the log once more

Hi - the log now looks like this:

Please check it - txs


Logfile of HijackThis v1.99.1

Scan saved at 16:01:01, on 2005-03-09

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\Mixer.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\AVerTV2K\QuickTV.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\DOCUME~1\JAKUBO~1\USTAWI~1\Temp\update.tmp

E:\TPK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV2K\QuickTV.exe

O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ … .0.228.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1A63DF98-F0C4-44CC-95D2-9AAFE4D454C7}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS1\Services\Tcpip\..\{1A63DF98-F0C4-44CC-95D2-9AAFE4D454C7}: NameServer = 194.204.152.34 217.98.63.164

O17 - HKLM\System\CS2\Services\Tcpip\..\{1A63DF98-F0C4-44CC-95D2-9AAFE4D454C7}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

Remove:

This is probably not needed … / switch to Real Alternative/

Other than that, clean.
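Added example, not part of the original posts: a small Python check that a follow-up HijackThis log no longer contains the entries from a fix list, and that lists entries that only appear in the follow-up log. The function names are hypothetical and the sample strings are short excerpts constructed from this thread's entries, one of them with the ellipsis that forum software substitutes for `\..\`.

```python
import re

# An entry line is "<section code> - <text>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def normalise(text):
    """Undo forum mangling so the same entry compares equal across posts."""
    text = re.sub(r"\\?(?:\.\.|\u2026)\\?", "\u2026", text)  # "\..\" vs pasted ellipsis
    text = re.sub(r"[\u201c\u201d]", '"', text)              # curly quotes -> straight
    return " ".join(text.split()).casefold()                 # registry names ignore case

def parse_entries(log):
    """Return the set of (section code, normalised text) for each entry line."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # skip headers, blank lines and running-process paths
            entries.add((m.group(1), normalise(m.group(2))))
    return entries

def still_present(fix_list, after_log):
    """Entries from the fix list that the follow-up log still contains."""
    return sorted(parse_entries(fix_list) & parse_entries(after_log))

def newly_added(before_log, after_log):
    """Entries in the follow-up log that were absent from the first log."""
    return sorted(parse_entries(after_log) - parse_entries(before_log))

# Constructed excerpts (assumption: a few lines are enough to show the check).
BEFORE = r"""
O4 - HKLM…\Run: [TCP Monitoring] LanNSvc.exe
O4 - HKLM…\Run: [bmsvc32] bmsvc32.exe
O4 - HKLM…\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Windows Management NetWork Service Extensions - Unknown owner - NetManager.exe (file missing)
"""
FIX = r"""
O4 - HKLM\..\Run: [TCP Monitoring] LanNSvc.exe
O4 - HKLM\..\Run: [Bmsvc32] bmsvc32.exe
O23 - Service: Windows Management NetWork Service Extensions - Unknown owner - NetManager.exe (file missing)
"""
AFTER = r"""
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A63DF98-F0C4-44CC-95D2-9AAFE4D454C7}: NameServer = 194.204.152.34 217.98.63.164
"""

if __name__ == "__main__":
    print("still present:", still_present(FIX, AFTER))
    print("new in follow-up:", newly_added(BEFORE, AFTER))
```

An entry reported as new is only a difference between the two logs; it still has to be judged on its own.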