The usual thing - a log ;]


(Piterdeg) #1

as the title says

Logfile of HijackThis v1.99.1

Scan saved at 19:04:24, on 2005-04-26

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Documents and Settings\Piotrek\Pulpit\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.192/search.php?v=6&aff=968701

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.192/index.php?v=6&aff=968701

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.192/index.php?v=6&aff=968701

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.56.253.183:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: Shell=explorer.exe 

O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll (file missing)

O4 - HKLM\..\Run: [jopoj] C:\WINDOWS\jopoj.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\programy\xmplay28\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [SoundMan] soundman.exe

O4 - HKLM\..\Run: [XAPef] C:\WINDOWS\qenwhrt.exe

O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [Iefzm] C:\Program Files\Mndjn\Vndcy.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [owrz] C:\PROGRA~1\COMMON~1\owrz\owrzm.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{581A0804-1F98-4699-B2F5-0CD0DF23F59C}: NameServer = 217.173.160.6,217.173.160.35

O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

(Musg) #2

Turn off System Restore, boot into Safe Mode (F8) and remove:

then remove the hosts entry, fix:

next, delete:

manually remove:

jopoj.exe

then fix:

additionally download:

http://securityresponse.symantec.com/av ... Istbar.exe

then fix:

manually: qenwhrt.exe

then remove:

then out with:

finally fix:

Generally no protection at all; the system is heavily infected.

No SP2.

Think about security, because you won't get far like this :slight_smile:
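As an added example (not part of the thread or of HijackThis itself), a small Python triage pass over entries in the HijackThis v1.99.1 log format, encoding the tells visible in the first log: IE start/search pages redirected to a bare IP, a ProxyServer entry, the hosts file moved out of its default location, a toolbar registration whose DLL is gone, an autorun binary dropped straight into C:\WINDOWS, and the text/html O18 filter. The sample lines are copied from the first log; the heuristics and the default hosts path are my assumptions, not logic from the tool.

```python
import re
from urllib.parse import urlparse
# Constructed sample: lines copied from the first HijackThis v1.99.1 log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.192/index.php?v=6&aff=968701
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.56.253.183:8080
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll (file missing)
O4 - HKLM\..\Run: [jopoj] C:\WINDOWS\jopoj.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

DEFAULT_HOSTS = r"c:\windows\system32\drivers\etc\hosts"   # assumed default for this XP install
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

def triage_line(line):
    """Return a reason string if the entry shows one of the hijack tells, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    value = body.split(" = ", 1)[-1]           # right-hand side of 'key = value' entries
    if sec in ("R0", "R1") and "Internet Explorer\\Main," in body:
        host = urlparse(value).hostname or ""
        if IPV4.match(host):                    # start/search page pointed at a bare IP
            return "IE start/search page hijacked to " + host
    if sec == "R1" and ",ProxyServer = " in body:
        return "system proxy set to " + value   # all web traffic routed through a foreign proxy
    if sec == "O1" and body.startswith("Hosts file is located at: "):
        path = body.split(": ", 1)[1]
        if path.lower() != DEFAULT_HOSTS:       # hosts file moved out of its default location
            return "hosts file relocated to " + path
    if sec == "O3" and body.endswith("(file missing)"):
        return "toolbar registration left behind by removed adware"
    if sec == "O4":
        exe = re.search(r"\]\s*\"?(.+?\.exe)", body, re.I)
        if exe and re.fullmatch(r"c:\\windows\\[^\\]+\.exe", exe.group(1), re.I):
            return "autorun binary dropped directly in the Windows directory"
    if sec == "O18" and body.startswith("Filter: text/html"):
        return "text/html filter rewriting web pages via " + body.rsplit(" - ", 1)[-1]
    return None

def triage(log_text):
    """Map each flagged entry to its reason; entries that look clean are left out."""
    return {ln.strip(): r for ln in log_text.splitlines() if (r := triage_line(ln))}
```

Running `triage(SAMPLE_LOG)` flags six of the eight sample entries and leaves the Winamp autorun and the NVIDIA service alone.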


(Piterdeg) #3

now it looks like this:

Logfile of HijackThis v1.99.1

Scan saved at 21:25:35, on 2005-04-26

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\explorer.exe

D:\programy\xmplay28\daemon.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\soundman.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Piotrek\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: Shell=explorer.exe 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\programy\xmplay28\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [SoundMan] soundman.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{581A0804-1F98-4699-B2F5-0CD0DF23F59C}: NameServer = 217.173.160.6,217.173.160.35

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

anything else? :oops:


(boczi) #4

All OK now!

Remember the patches and SP2.

Cosmetically, in the startup list - Start -> Run -> msconfig, untick:

nwiz.exe /install - nVidia virtual desktop service,

winampa.exe - Winamp Agent,

qttask.exe - QuickTime; I recommend replacing it with the Quick Time Alternative codecs,

jusched.exe - unnecessary Java updater.