Help. Download.Trojan and W32.Spybot.Worm

IP: *.taninet.pl / *.devs.futuro.pl 24.04.05, 19:40
Both alerts have been showing up alternately since yesterday; the computer is starting to hang a bit and has slowed down. I'm running XP and yesterday I got it back from the service shop (where they reinstalled the system); I suspect that's where they let this nasty thing in. Norton doesn't catch it, and mksvir doesn't notice it at all. What should I do, what can I kill it with?
    • Guest: Kolobos Re: Help. Download.Trojan and W32.Spybot.Worm IP: *.warszawa.sdi.tpnet.pl 24.04.05, 19:52
      Paste the results of a HijackThis scan:
      www.spychecker.com/program/hijackthis.html
      Then we'll see what you have there.

      Also scan the system with these:
      housecall.trendmicro.com/housecall/start_corp.asp
      www.windowsecurity.com/trojanscan/
      www.pandasoftware.com/activescan/pol/activescan_principal.htm
      • Guest: bezradnydarek Re: Help. Download.Trojan and W32.Spybot.Worm IP: *.taninet.pl / *.devs.futuro.pl 24.04.05, 20:10
        Logfile of HijackThis v1.99.1
        Scan saved at 19:58:17, on 2005-04-24
        Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\SOUNDMAN.EXE
        C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
        C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
        C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
        C:\Program Files\Winamp\winampa.exe
        C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
        C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
        C:\WINDOWS\System32\wfxsnt40.exe
        C:\SCANJET\PrecisionScanLT\hppwrsav.exe
        C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
        C:\Program Files\Logitech\ImageStudio\LogiTray.exe
        C:\WINDOWS\System32\ctfmon.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
        C:\Program Files\PC-TV\WinManager\WinManager.exe
        C:\Program Files\WinZip\WZQKPICK.EXE
        C:\Program Files\Logitech\ImageStudio\LowLight.exe
        C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
        C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
        C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\wuauclt.exe
        C:\Program Files\Gadu-Gadu\gg.exe
        C:\WINDOWS\explorer.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\WinRAR\WinRAR.exe
        C:\DOCUME~1\1\USTAWI~1\Temp\Rar$EX00.656\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.gazeta.pl/
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
        O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
        O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
        O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
        O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
        O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
        O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
        O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
        O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
        O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
        O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
        O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
        O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
        O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
        O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
        O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
        O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
        O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
        O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
        O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - www.windowsecurity.com/trojanscan/TDECntrl.CAB
        O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - skaner.mks.com.pl/SkanerOnline.cab
        O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
        O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
        O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
        O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
        O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
        • Guest: Kolobos Re: Help. Download.Trojan and W32.Spybot.Worm IP: *.warszawa.sdi.tpnet.pl 24.04.05, 20:58
          Uninstall Logitech Desktop Messenger.

          In HijackThis, tick these entries:

          O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
          O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

          and Fix Checked. The rest looks OK. Where does the antivirus find this trojan?
          Probably in temp?
          If it's in temp, delete it with this:
          www.downloads.subratam.org/KillBox.zip If it won't delete normally,
          tick delete file on reboot, but maybe first write where it finds
          this trojan.
          • Guest: bezradnydarek Re: Help. Download.Trojan and W32.Spybot.Worm IP: *.taninet.pl / *.devs.futuro.pl 24.04.05, 21:08
            Hello. It finds the trojan in /system32/o
            • Guest: Kolobos Re: Help. Download.Trojan and W32.Spybot.Worm IP: *.warszawa.sdi.tpnet.pl 24.04.05, 21:20
              /system32/o <- is "o" the file? Isn't that the whole name? Write exactly which file it is
              and where it is.
              • Guest: bezradnydarek Re: Help. Download.Trojan and W32.Spybot.Worm IP: *.taninet.pl / *.devs.futuro.pl 24.04.05, 21:28
                Object Name: C:\Windows\system32\o, virus name Download.Trojan; the other one
                was also in C:\Windows\system32\TFTP1796, virus name
                W32.Spybot.Worm
                • Guest: Kolobos Re: Help. Download.Trojan and W32.Spybot.Worm IP: *.warszawa.sdi.tpnet.pl 24.04.05, 21:59
                  Then delete that odd file "o"; if it won't delete, hit it
                  with KillBox.
                  • Guest: bezradnydarek Re: Help. Download.Trojan and W32.Spybot.Worm IP: *.taninet.pl / *.devs.futuro.pl 25.04.05, 06:53
                    Many thanks for the advice. In the end I hit it with KillBox and I think I got rid of
                    that file, because afterwards it was physically no longer in system32. I'll get back
                    to you if anything else comes up.
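As an added example (not from the thread or from HijackThis itself), a small Python parser for the HijackThis log format posted above: it separates the running-process list from the typed entries, extracts the program each O4 autostart launches, lists the O4 lines to tick before Fix Checked for one product (here Logitech Desktop Messenger, as Kolobos advised), and flags executables with no file extension or started from a Temp folder, the pattern of the system32\o file Norton reported. The embedded log excerpt is constructed from the posted log with the forum's line wrapping undone; the `[o]` Run entry and all function names are hypothetical.

```python
import re
# Constructed excerpt of the HijackThis v1.99.1 log posted in the thread, with the forum's
# line wrapping undone. The "[o]" Run entry is hypothetical and only shows how an autostart
# for an extensionless file like the system32\o that Norton reported would look.
LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\DOCUME~1\1\USTAWI~1\Temp\Rar$EX00.656\HijackThis.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - HKLM\..\Run: [o] C:\Windows\system32\o
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
"""
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")  # a HijackThis entry line: "O4 - <body>"

def parse_log(text):
    """Split a HijackThis log into the running-process list and typed (kind, body) entries."""
    processes, entries = [], []
    for line in map(str.strip, text.splitlines()):
        if re.match(r"^[A-Za-z]:\\", line):  # running-process lines are bare paths
            processes.append(line)
        elif m := ENTRY_RE.match(line):
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def o4_target(body):
    """Program path an O4 autostart entry launches, without quotes or trailing /switches."""
    if body.startswith("Global Startup:"):
        return body.split(" = ", 1)[1]
    cmd = body.split("] ", 1)[1]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return re.sub(r"(\s+/\S+)+$", "", cmd)

def suspicious_paths(processes, entries):
    """Defender triage: executables with no file extension or started from a Temp folder."""
    flagged = []
    for p in processes + [o4_target(b) for k, b in entries if k == "O4"]:
        if not re.search(r"\.[A-Za-z0-9]{1,4}$", p.rsplit("\\", 1)[-1]):
            flagged.append((p, "no file extension"))
        elif re.search(r"\\temp\\", p, re.I):
            flagged.append((p, "runs from a Temp folder"))
    return flagged

def entries_to_fix(entries, product):
    """O4 lines to tick before 'Fix Checked' for one product, as advised above for LDM."""
    return [f"{k} - {b}" for k, b in entries if k == "O4" and product in b]
```

Note that HijackThis.exe itself is flagged here because it was run straight out of a WinRAR temp folder, as the posted process list shows; the check reports where a binary runs from and leaves the judgement to the reader.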
    • wielandf Re: Help. Download.Trojan and W32.Spybot.Worm 25.04.05, 18:46