graylin
(Hondowicz)
20 February 2006 17:58
#1
Please check my log. When Windows starts, ewido anti-malware reports that it has blocked mssearchnet.exe. Then a balloon appears saying the computer is infected; clicking it makes Firefox open the page http://www.spyfalcon.com/?aff=259
Regards
Logfile of HijackThis v1.99.1
Scan saved at 18:34:56, on 2006-02-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\PrivacyExpert\Shield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\PROGRA~2\MOZILL~1\FIREFOX.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~2\Piotr\USTAWI~1\Temp\Rar$EX00.703\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://biuro/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM…\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM…\Run: [spyWare Shield] "C:\Program Files\Acronis\PrivacyExpert\Shield.exe"
O4 - HKCU…\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Process Activity Monitor (paamsrv) - Unknown owner - C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
Nothing is visible in the HijackThis log.
Download Silent Runners from http://www.silentrunners.org/ , run it, a prompt will appear, click "no", wait patiently until you get the message that the log has finished generating, and paste it here.
Run ewido and remove everything it finds.
graylin
(Hondowicz)
20 February 2006 19:31
#3
Here is the log from Silent Runners, and below it the report from ewido
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wininet.dll" = "dfrgsrv.exe" [null data]
"kernel32.dll" = "C:\WINDOWS\system32\mssearchnet.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s" ["Panda Software International"]
"Acronis Scheduler2 Service" = ""C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]
"SpyWare Shield" = ""C:\Program Files\Acronis\PrivacyExpert\Shield.exe"" ["Acronis"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {CLSID}\InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL" ["Panda Software International"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: "]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
Panda Antivirus(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL" ["Panda Software International"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Panda Antivirus(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL" ["Panda Software International"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavlsp.dll ["Panda Software "], 01 - 03, 17
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
Panda anti-virus service, PAVSRV, ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe"" ["Panda Software"]
Panda Firewall Service, PAVFIRES, "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe" ["Panda Software"]
Panda Function Service, PAVFNSVR, ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe"" ["Panda Software"]
Panda IManager Service, PSIMSVC, ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe"" ["Panda Software Internacional"]
Panda Pavkre, Pavkre, ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe"" ["Panda Software"]
Panda PavProt, PavProt, ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe"" ["Panda Software"]
Panda Preventium+ Service, PREVSRV, ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe"" ["Panda Software"]
Panda Process Protection Service, PavPrSrv, ""C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe"" ["Panda Software"]
Process Activity Monitor, paamsrv, ""C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe"" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 22 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 7 seconds.
---------- (total run time: 53 seconds)
+ Created on: 20:20:46, 2006-02-20
+ Report-Checksum: E2E0E756

+ Scan result:

HKU\S-1-5-21-725345543-1614895754-2147082517-1004\Software\Classes\CLSID{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Cleaned with backup
HKU\S-1-5-21-725345543-1614895754-2147082517-1004_Classes\CLSID{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Cleaned with backup
[2416] C:\WINDOWS\system32\dxmpp.dll -> Not-A-Virus.Hoax.Win32.Renos.v : Error during cleaning
C:\Documents and Settings\Piotr\Cookies\piotr@gde.adocean[2].txt -> TrackingCookie.Adocean : Cleaned with backup
C:\Documents and Settings\Piotr\Cookies\piotr@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\WINDOWS\system32__delete_on_reboot__dxmpp.dll -> Not-A-Virus.Hoax.Win32.Renos.v : Cleaned with backup

::Report End
Gutek
(Gutek)
20 February 2006 19:38
#4
Follow the instructions in Removing SpyFalcon
graylin
(Hondowicz)
20 February 2006 22:22
#5
I followed them, everything is OK. Many thanks.
Regards