Proszę o sprwadzenie loga (przymulony komp, wysoki ping)

egsotic · 26 Styczeń 2009 14:32

B. bym prosił o sprawdzenie mojego loga z hijack z góry dziękuję

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:27:02, on 2009-01-26 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Razer\DeathAdder\razerhid.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\ctfmon.exe F:\program files\valve\steam\steam.exe C:\Program Files\Razer\DeathAdder\razertra.exe C:\Program Files\Razer\DeathAdder\razerofa.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Opera\opera.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 81.168.241.252 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing) O1 - Hosts: 89.32.107.121 L2authd.lineage2.com O1 - Hosts: 216.107.250.194 nprotect.lineage2.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll (file missing) O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing) O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [okay send mpeg file] C:\Documents and Settings\All Users\Dane aplikacji\list grid okay send\lies wma.exe O4 - HKLM…\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKCU…\Run: [steam] “f:\program files\valve\steam\steam.exe” -silent O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘?’) O4 - HKUS\S-1-5-21-1547161642-1614895754-725345543-1003…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User ‘?’) O4 - HKUS\S-1-5-21-1547161642-1614895754-725345543-1003…\Run: [steam] “f:\program files\valve\steam\steam.exe” -silent (User ‘?’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘?’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ … .3.102.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_30.cab O20 - AppInit_DLLs: ???P O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O24 - Desktop Component 0: (no name) - http://adsearch.adkontekst.pl/akon/spli … ubione+has%u0142o±+PHP-Fusion+Powered+Website+_200+lostpassword.php_200++_50++_50+++_500+++_100+++To+nasz+ca%u0142y+clan+ma+odnie%u015B%u0107+SUKCES+a+nie+tylko+ja+unit+ilt+i+bula++odchodze+od+klanu+poniewaz+nie+bede+na+kazdym+z+treninng%F3w+bo+mam+dalej+popsutego+cs+Zastan%F3wcie+si%u0119+nad+tym+co+robicie+i+piszecie+Do+mnie+i+innych+cz%u0142%u0105k%F3w+clanu++SnikerS+i+co+ztym+co+ci+podalam+to+GG+gdziemieszkasz+robisz+to+czy+nie+Kasia+sci%u0105gnij+wko%u0144cu&lup= – End of file - 7577 bytes

jessica · 26 Styczeń 2009 14:50

W logu widzę infekcję " LOP", więc daj jeszcze log z -->ComboFix.

Ale log wklejaj na http://wklej.org/, a tu daj tylko link.

EDIT:

Te powyższe od razu sfiksuj:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >>Fix checked.

jessi

egsotic · 26 Styczeń 2009 15:15

http://wklej.org/id/44839/ proszo log z ComboFix

jessica · 26 Styczeń 2009 15:41

Eee - w logu widać tylko pozostałości po poprzednich infekcjach.

Wklej do Notatnika :

File::

c:\documents and settings\All Users\Dane aplikacji\list grid okay send\lies wma.exe

c:\program files\Ahead\InCD\bak\InCD.exe

c:\program files\IGN\Download Manager\bak\DLM.exe

c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe

c:\program files\Skype\Phone\bak\Skype.exe

c:\program files\Winamp\bak\winampa.exe

c:\windows\system32\bak\NeroCheck.exe

c:\program files\DAEMON Tools\daemon.exe

c:\program files\Gadu-Gadu\gg.exe

c:\windows\system32\ctfmon.exe


Folder::

c:\documents and settings\All Users\Dane aplikacji\list grid okay send


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdb58849-bacd-11dc-a64c-0017315b51b7}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sXe Injected]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"okay send mpeg file"=-

"SunJavaUpdateSched"=-

>>Plik>>Zapisz jako… >>> CFScript

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

– podobnie jak na tym obrazku –>

Ma się rozpocząć usuwanie. (i powstanie log). Daj ten log.

Następnie przenieś te poniższe pliki:

odpowiednio:

Potem sprawdź je na - http://virusscan.jotti.org/ albo na http://www.virustotal.com/en/indexf.html.

Potem usuń foldery:

I zrób nowy log - daj oba logi: i ten ze Scriptu, i ten po usuwaniu pozostałości VUNDO.

jessi