Zainfekowany komp

Dla specjalistów Bezpieczeństwo
#1

Log Hijacka nie moge tu wkleic, bo nie moge go uruchomic (przy probie odpalenia wywala komunikat: Odnalezienie wymaganego pliku.dll MSVBVM60.DLL bylo niemozliwe)

Pestpatrol znalazl: NetPal.PrizePopper, wiec usunalem plik kernell32.dll. Jednak jest cos jeszcze, bo skan on-line Bitdefender dal taki rezultat:

C:\WINDOWS\SYSTEM\system.bin: infected with Backdoor.Agent.EK

C:\WINDOWS\SYSTEM_WINRAR infected with Backdoor.Agent.EK

C:\WINDOWS\SYSTEM\svchosts.exe: infected with Backdoor.Agent.EK

C:\WINDOWS\Dane aplikacji\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>RELATED.HTM: password protected

C:\WINDOWS\Dane aplikacji\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected

C:\WINDOWS\Temporary Internet Files\Content.IE5\K5EJ8HQZ\xscan53[1].cab=>auupdate.dat: bad crc

C:\WINDOWS\Temporary Internet Files\Content.IE5\299LNAOE\iuctl[1].

CAB=>iuengine.dll: bad crc

C:\Program Files\PestPatrol\Spyware.dat=>f: password protected

C:\Program Files\PestPatrol\Spyware.dat=>r: password protected

C:\Program Files\PestPatrol\Spyware.dat=>c: password protected

C:\Program Files\PestPatrol\Spyware.dat=>co: password protected

C:\Program Files\PestPatrol\Spyware.dat=>d: password protected

Po Bitdefenderze dalem jeszcze skany:Adaware 6.0 PROF, RAV-Gecad, TrojanScan(GFI Trojan) - nic nie wykryly :stuck_out_tongue:

A Spybot nawet mi pogratulowal, ze nie znaleziono zadnego szpiega :o ,(ale to tak na marginesie tylko) :lol:

Jak sie tego skutecznie pozbyc?

UPDATE:

sciagnalem brakujaca biblioteke .dll i Hijack dziala. Ze strony mks_vir dowiedzialem sie jakie pliki i gdzie moga sie znajdowac i je pousuwalem.Restart i scan Hijackiem, na moje oko czysto. Gdyby jednak jakies fachowe oko zechcialo na to spojrzec to z gory dzieki

Logfile of HijackThis v1.98.2

Scan saved at 03:40:22, on 05-02-07

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\MIXER.EXE

C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE

C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE

C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\PROGRAM FILES\REALTEK\RTL8180\RTLWAKE.EXE

C:\PROGRAM FILES\HIJACK THIS 1.98\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://virusscan.jotti.org/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eu.microsoft.com/poland/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\SYSTEM\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL

O4 - HKLM…\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM…\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM…\Run: [systemTray] SysTray.Exe

O4 - HKLM…\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM…\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM…\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM…\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM…\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM…\Run: [internat.exe] internat.exe

O4 - HKLM…\Run: [spIDer] C:\Program Files\DrWeb\SpIDer.exe

O4 - HKLM…\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM…\RunServices: [schedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe

O4 - Startup: RtlWake.lnk = C:\Program Files\Realtek\Rtl8180\RtlWake.exe

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet’a - C:\PROGRAM FILES\FLASHGET\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - C:\PROGRAM FILES\FLASHGET\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 … scan53.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 213.140.2.12,213.209.161.87

:smiley: :smiley: :smiley:

#2

do kasacji:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

#3

ładnie masz teraz

#4

Logfile of HijackThis v1.99.0

Scan saved at 12:52:45, on 05-02-07

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Log z nowej wersji Hijacka :

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\MIXER.EXE

C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE

C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE

C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE

C:\WINDOWS\SYSTEM\INTERNAT.EXE

C:\PROGRAM FILES\REALTEK\RTL8180\RTLWAKE.EXE

C:\PROGRAM FILES\OPERA\OPERA.EXE

C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE

C:\PROGRAM FILES\HIJACK THIS 1.99\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://virusscan.jotti.org/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eu.microsoft.com/poland/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL

O4 - HKLM…\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM…\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM…\Run: [systemTray] SysTray.Exe

O4 - HKLM…\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM…\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM…\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM…\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM…\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM…\Run: [internat.exe] internat.exe

O4 - HKLM…\Run: [spIDer] C:\Program Files\DrWeb\SpIDer.exe

O4 - HKLM…\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM…\RunServices: [schedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe

O4 - Startup: RtlWake.lnk = C:\Program Files\Realtek\Rtl8180\RtlWake.exe

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet’a - C:\PROGRAM FILES\FLASHGET\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - C:\PROGRAM FILES\FLASHGET\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 … scan53.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 213.140.2.12,213.209.161.87

Mam jeszcze z Bitdefendera taki wynik:

C:\WINDOWS\Temporary Internet Files\Content.IE5\299LNAOE\iuctl[1].CAB=>iuengine.dll: bad crc

C:\WINDOWS\Temporary Internet Files\Content.IE5\299LNAOE\enavweb[1].cab=>ecmsvr32.dll: bad crc

#5

Wg mnie czysty. Zainstaluj tylko IE 6!

#6

No to dzieki wszystkim. :wink: :smiley: