tweens
(Grzeskowiak)
19 November 2005 10:42
#1
Dr.Web (the cut-down version of the antivirus program) detected the Swizzor trojan in gg.exe. If I tick the repair option, Dr.Web deletes my gg.
How do I get rid of it, but without it deleting gg? Is this trojan something very serious?
I'll point out that Avast doesn't detect this trojan, and neither do the online scanners.
Gutek
(Gutek)
19 November 2005 10:46
#2
Since you have this junk, look at the keys at http://www.sophos.com/virusinfo/analyse … zorbq.html
and best of all post a log from HijackThis and from Silent Runners
tweens
(Grzeskowiak)
19 November 2005 12:14
#3
Log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 13:13:42, on 2005-11-19
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RaConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Moje dokumenty\programy nie ruszać!\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netsprint.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/webhp?hl=pl&btnG=S … Google&lr=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/pl/big/1 … gleNav.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
Log from Silent Runners:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"PeerGuardian" = "C:\Program Files\PeerGuardian2\pg2.exe" ["Methlabs"]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = "Google Toolbar Helper" [from CLSID]
  -> {CLSID}\InProcServer32(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {CLSID}\InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2E9FFF5C-4375-494d-951F-098BAA42239E}" = "Spy Emergency Extension"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Spy Emergency 2005\SpyEmergencyExt.dll" [file not found]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
SpyEmergency(Default) = "{2E9FFF5C-4375-494d-951F-098BAA42239E}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Spy Emergency 2005\SpyEmergencyExt.dll" [file not found]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
SpyEmergency(Default) = "{2E9FFF5C-4375-494d-951F-098BAA42239E}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Spy Emergency 2005\SpyEmergencyExt.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
SpyEmergency(Default) = "{2E9FFF5C-4375-494d-951F-098BAA42239E}"
  -> {CLSID}\InProcServer32(Default) = "C:\Program Files\Spy Emergency 2005\SpyEmergencyExt.dll" [file not found]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "max" & "All Users" startup folders:
-------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"RaConfig" -> shortcut to: "C:\WINDOWS\system32\RaConfig.exe" ["Ralink Technology, Corp."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
CA License Client, CA_LIC_CLNT, ""C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe"" ["Computer Associates International Inc."]
Event Log Watch, LogWatch, ""C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe"" ["Computer Associates"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 58 seconds, including 33 seconds for message boxes)
===================================
In future, put such information in tags
monczkin
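The helper's first pass over a log like the one above is mechanical: list every autostart, look for services the tool could not find, and note ActiveX downloads. The parser below does that pass over lines in the HijackThis v1.99 format; it is an added example, not code from the thread or from HijackThis itself. The sample lines are constructed from the shapes in the log above and use the tool's own HKLM\..\Run spelling where the pasted copy shows HKLM…\Run.

```python
import re

# Constructed sample in HijackThis v1.99 format (shapes taken from the thread's log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")  # every result line is "<code> - <body>"
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


def parse_hijackthis(text):
    """Turn HijackThis result lines into dicts keyed by section code (R0, O4, O23, ...)."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes" paths and blank lines carry no section code
        rec = {"code": m["code"], "body": m["body"]}
        sub = None
        if rec["code"] == "O4":
            sub = RUN_RE.match(rec["body"]) or STARTUP_RE.match(rec["body"])
        elif rec["code"] == "O23":
            sub = SERVICE_RE.match(rec["body"])  # a display name containing " - " would split early
        if sub:
            rec.update(sub.groupdict())
        records.append(rec)
    return records


def findings(records):
    """What a helper reads first: every autostart, services HijackThis could not find, ActiveX downloads."""
    out = []
    for r in records:
        if r["code"] == "O4":
            out.append(("autostart", r.get("name", r["body"]), r.get("cmd", "")))
        elif r["code"] == "O23" and "(file missing)" in r["body"]:
            # In the thread the flagged avast binaries are also in the process list, so verify on disk first.
            out.append(("service-file-missing", r.get("display", ""), r.get("path", "")))
        elif r["code"] == "O16":
            out.append(("activex-download", r["body"], ""))
    return out
```

The "(file missing)" flag is a cue to check the path on disk rather than a verdict: the log above prints it for services whose executables also appear under Running processes.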
Gutek
(Gutek)
19 November 2005 14:17
#4
It's OK. Uninstall Dr.Web (that cut-down version of the antivirus program), you have Avast4. Second thing: did you check the 2nd link and the keys?
But I think it's the fault of that cut-down version of the software.
tweens
(Grzeskowiak)
19 November 2005 18:59
#5
Gutek2222, can you tell me which 2nd link and keys? Because I don't know what you mean. Can you point it out for me?
Merged post: 19.11.2005 (Sat) 21:22
Monczkin, how do I make those tags?
Gutek
(Gutek)
19 November 2005 21:48
#6
What do you mean how? Look under Advanced, there you have removal; look at the keys described on that page.
tweens
(Grzeskowiak)
20 November 2005 13:10
#7
Gutek, I think I found it, but please check anyway, because as I said I don't know about this. I'm pasting the entry I marked from the Silent Runners log, and it matches the keys (on that page you gave me):
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
Can you go through it and tell me whether this is it or not? If so, how do I remove it?
Gutek
(Gutek)
20 November 2005 13:31
#8
Only the one from Google, nothing more?
tweens
(Grzeskowiak)
21 November 2005 09:37
#9
Gutek, it looks like only the one from Google Toolbar, but I'd really ask you to check those logs, okay? I don't know what to do. Please help me.
Gutek
(Gutek)
21 November 2005 13:13
#10
I did that, nothing visible. Also use the online scanners; if nothing turns up, get rid of Dr.Web (that cut-down version). What error does it generate?
tweens
(Grzeskowiak)
21 November 2005 19:10
#11
Dr.Web says that this trojan is in gg and nothing more. I've already removed that program. No online scanner detects anything, neither Spybot nor Ad-Aware. Although in Ad-Aware there is always one critical object; it's located in Windows and I can't get rid of it permanently either. I guess a format is what's left. Thanks for the help.
Gutek
(Gutek)
21 November 2005 20:09
#12
What object is it? Give the location.
tweens
(Grzeskowiak)
22 November 2005 13:33
#13
Gutek2222, in Ad-Aware this object is located here: Windows/RegData/Vulnerability/HKEY_LOKAL_MACHINE:software/microsoft/windows nt/currentversion/winlogon"SHELL"(explorer.exe)
Comment: Shell Possibly Compromised
Gutek
(Gutek)
22 November 2005 16:58
#14
Doesn't it by any chance look like there's a space after "SHELL" (explorer.exe), like this: winlogon"Shell" (explorer.exe)? Oh, hehehe, similar topic: http://www.searchengines.pl/phpbb203/in … Adny+klucz