Zwalniający komp i otwieranie dziwnych stron

Dla specjalistów Bezpieczeństwo
#1 
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:49:17, on 2007-10-19

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\ibmpmsvc.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

D:\WINDOWS\Explorer.EXE

D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

D:\PROGRA~1\Grisoft\AVG7\avgemc.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\crypserv.exe

D:\Program Files\GFI\LANguard Network Security Scanner 6.0\lnssatt.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\WINDOWS\system32\tp4mon.exe

D:\WINDOWS\system32\rundll32.exe

D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

D:\Program Files\Winamp\winampa.exe

D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

D:\WINDOWS\svzip.exe

D:\WINDOWS\sv.exe

D:\WINDOWS\runsql.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\DAEMON Tools\daemon.exe

D:\WINDOWS\system32\wscntfy.exe

D:\Program Files\Messenger\msmsgs.exe

D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

D:\Program Files\PC Connectivity Solution\ServiceLayer.exe

D:\WINDOWS\system32\svchost.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

D:\WINDOWS\system32\wbem\wmiprvse.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - D:\Program Files\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer.dll

O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - D:\Program Files\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [netzip] D:\WINDOWS\svzip.exe

O4 - HKLM\..\Run: [netsv32] D:\WINDOWS\sv.exe

O4 - HKLM\..\Run: [runsql] D:\WINDOWS\runsql.exe

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-21-1708537768-2111687655-1957994488-1005\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LNSS_MONITOR_USR')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: LNSS Status Monitor.lnk = D:\Program Files\GFI\LANguard Network Security Scanner 6.0\statusmonitor.exe

O8 - Extra context menu item: Add to &Teleport - D:\Program Files\Teleport Pro\teleport.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2D1CC19D-557E-4852-8CB8-47023195F086}: NameServer = 85.255.116.52,85.255.112.106

O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFE6A31-BAB0-404E-903F-3844635B86E8}: NameServer = 85.255.116.52,85.255.112.106

O17 - HKLM\System\CCS\Services\Tcpip\..\{B27108D6-F5D7-4518-98FD-4FE546C9BE68}: NameServer = 85.255.116.52,85.255.112.106

O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BB7A36-A86C-458E-B0D4-4C3B449A1A64}: NameServer = 85.255.116.52,85.255.112.106

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.52 85.255.112.106

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.52 85.255.112.106

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.52 85.255.112.106

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Crypkey License - Unknown owner - D:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: GFI LANguard N.S.S. 6.0 attendant service - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 6.0\lnssatt.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - D:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\system32\dmkms.exe
#2

Start => Uruchom => wpisz services.msc => zatrzymaj i wyłącz usługę Windows Management Service

Pliki zaznaczone na czerwono usuń ręcznie z dysku w trybie awaryjnym natomiast wpisy HijackThis.

Zobacz - Zainfekowane DNS i użyj przedstawionego tam narzędzia FixWareOut.

Po wykonaniu wykonaj i wklej log z ComboFix oraz zawartość pliku c:\fixwareout\report.txt

#3 
Username "andy" - 2007-10-19 18:37:24 [Fixwareout edited 9/01/2007]


~~~~~ Prerun check

Service: "Windows Management Service" = D:\WINDOWS\System32\dmkms.exe 


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

"nameserver"="85.255.116.52 85.255.112.106" 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2D1CC19D-557E-4852-8CB8-47023195F086} 

"nameserver"="85.255.116.52,85.255.112.106" 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4AFE6A31-BAB0-404E-903F-3844635B86E8} 

"nameserver"="85.255.116.52,85.255.112.106" 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B27108D6-F5D7-4518-98FD-4FE546C9BE68} 

"nameserver"="85.255.116.52,85.255.112.106" 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B5BB7A36-A86C-458E-B0D4-4C3B449A1A64} 

"nameserver"="85.255.116.52,85.255.112.106" 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2D1CC19D-557E-4852-8CB8-47023195F086}

"DhcpNameServer"="85.255.116.52,85.255.112.106" 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B27108D6-F5D7-4518-98FD-4FE546C9BE68}

"DhcpNameServer"="85.255.116.52,85.255.112.106" 

Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS.



System was rebooted successfully. 


~~~~~ Postrun check 

HKLM\SOFTWARE\~\Winlogon\ "System"="" 

....

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FE09A165C0E7-9F49-4974-EA6A-F1DFC5D8{" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}0A0F71985D2E-38CA-C5F4-B22A-730DCEA1{" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "jahmd" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}66CAE101BAC8-CD3A-C3C4-7EC5-9413A651{" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}71294AE54A6F-534A-A1A4-DB73-7FAE764A{" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4F49C6971A03-408B-C594-3A19-38DDB98D{" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "smkmd" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}BB0734C29F1B-0EAA-DBB4-DDB3-37D00B0E{" Deleted 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmhaj.exe" Value deleted 

D:\WINDOWS\System32\qwonz.exe Deleted

....

~~~~~ Misc files. 

....

~~~~~ Checking for older varients.

....


Search five digit cs, dm, kd, jb, other, files.

The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection. 


D:\WINDOWS\system32\csrss.exe 6144 2004-08-04


Click browse, find the file then click submit.

http://www.virustotal.com/flash/index_en.html

Or http://virusscan.jotti.org/



~~~~~ Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TrackPointSrv"="tp4mon.exe"

"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"

"PCSuiteTrayApplication"="D:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"

"WinampAgent"="D:\\Program Files\\Winamp\\winampa.exe"

"SunJavaUpdateSched"="D:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="D:\\WINDOWS\\system32\\ctfmon.exe"

"DAEMON Tools"="\"D:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

"MSMSGS"="\"D:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"Gadu-Gadu"="\"D:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"

....

Hosts file was reset, If you use a custom hosts file please replace it...

%SystemRoot%\repair\autoexec.nt missing 

%SystemRoot%\repair\Config.nt missing 

~~~~~End report~~~~~

Złączono Posta : 19.10.2007 (Pią) 18:54

ComboFix 07-10-17.8@ - andy 2007-10-19 18:48:29.1 - NTFSx86
#4

Już jest Ok. Czy masz jeszcze jakieś problemy?

#5

Sprawdzam,chyba jest ok.

Pozdrawiam i dzięki.