
Please check my log

07.05.05, 16:44
Logfile of HijackThis v1.99.1
Scan saved at 16:43:05, on 2005-05-07
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jadwiga Wycisło\Ustawienia lokalne\Temp\Katalog tymczasowy 3 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = new-search.net/search.php?v=6&aff=1036157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = new-search.net/index.php?v=6&aff=1036157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JADWIG~1\USTAWI~1\Temp\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.160.74.15:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {83729D32-37D4-4D04-BC98-2DC2D86D7C74} - C:\WINDOWS\System32\iocd.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKLM\..\Run: [q36g36P] qwietmgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [b0pmRWjne] qossc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Uruchamianie pakietu Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{409AD2CA-19E8-4E9E-B871-784E5A871141}: NameServer = 80.48.108.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{409AD2CA-19E8-4E9E-B871-784E5A871141}: NameServer = 80.48.108.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{409AD2CA-19E8-4E9E-B871-784E5A871141}: NameServer = 80.48.108.2
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    • Guest: Kolobos Re: Please check my log IP: *.warszawa.sdi.tpnet.pl 07.05.05, 17:23
      To start with, use these:
      www.trojaner-info.de/files/SpSeHjfix112.exe
      cwshredder.net/bin/CWShredder.exe
      Remove from startup:
      Microsoft Find Fast, or in HijackThis:
      O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

      The removal guide for Backdoor.Haxdoor
      is here:
      www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&p=109496&#entry132561
      You have variant D; I advise you to remove this backdoor exactly as the guide describes.


      In HijackThis, tick these entries:

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 81.222.131.49/index.php
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = new-search.net/search.php?v=6&aff=1036157
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = new-search.net/index.php?v=6&aff=1036157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JADWIG~1\USTAWI~1\Temp\se.dll/spage.html
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 81.222.131.49/index.php
      R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
      O2 - BHO: (no name) - {83729D32-37D4-4D04-BC98-2DC2D86D7C74} - C:\WINDOWS\System32\iocd.dll (file missing)
      O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      O4 - HKLM\..\Run: [q36g36P] qwietmgr.exe
      O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
      O4 - HKLM\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
      O4 - HKCU\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
      O4 - HKCU\..\Run: [b0pmRWjne] qossc.exe
      O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
      O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll

      Next, download:
      www.downloads.subratam.org/KillBox.zip
      Unpack it, tick Delete file on reboot, paste the path to the file (don't browse for it
      yourself, just paste the ready-made path) and press the red button, but answer no when it
      asks about restarting; do this for each of these files:

      C:\WINDOWS\System32\paytime.exe
      C:\WINDOWS\System32\atipatxx.exe
      C:\WINDOWS\SYSTEM32\ntfs32.dll
      C:\WINDOWS\SYSTEM32\drct16.dll
      C:\WINDOWS\SYSTEM32\qossc.exe
      C:\WINDOWS\SYSTEM32\qwietmgr.exe

      Then restart.

      After all that, paste a new log.
      • ksiegowymafii Re: Please check my log 07.05.05, 18:39
        Thank you very much for describing the procedure :). The log should now be clean, I think,
        but please take another look; I'm considering disabling the proxy and
        fixing
        O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe


        Logfile of HijackThis v1.99.1
        Scan saved at 18:29:05, on 2005-05-07
        Platform: Windows XP (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 (6.00.2600.0000)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
        C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
        C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        C:\WINDOWS\system32\LEXBCES.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\system32\LEXPPS.EXE
        C:\WINDOWS\System32\RunDll32.exe
        C:\WINDOWS\System32\sistray.EXE
        C:\WINDOWS\System32\keyhook.exe
        C:\Program Files\Common Files\Symantec Shared\ccApp.exe
        C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\Program Files\Tlen.pl\tlen.exe
        C:\Program Files\Microsoft Office\Office\OSA.EXE
        C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
        C:\Program Files\SpywareGuard\sgmain.exe
        C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
        C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
        C:\Program Files\SpywareGuard\sgbhp.exe
        C:\WINDOWS\System32\wuauclt.exe
        C:\WINDOWS\system32\NOTEPAD.EXE
        C:\WINDOWS\System32\wuauclt.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Documents and Settings\Jadwiga Wycisło\Ustawienia lokalne\Temp\Katalog tymczasowy 8 dla hijackthis.zip\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.onet.pl/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
        O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
        O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
        O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
        O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
        O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
        O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
        O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
        O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
        O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
        O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
        O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
        O4 - Global Startup: Uruchamianie pakietu Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
        O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
        O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
        O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com/trojanscan/axscan.cab
        O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - skaner.mks.com.pl/SkanerOnline.cab
        O17 - HKLM\System\CCS\Services\Tcpip\..\{409AD2CA-19E8-4E9E-B871-784E5A871141}: NameServer = 80.48.108.2
        O17 - HKLM\System\CS1\Services\Tcpip\..\{409AD2CA-19E8-4E9E-B871-784E5A871141}: NameServer = 80.48.108.2
        O17 - HKLM\System\CS2\Services\Tcpip\..\{409AD2CA-19E8-4E9E-B871-784E5A871141}: NameServer = 80.48.108.2
        O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
        O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
        O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
        O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
        O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
        O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
        O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
        O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
        O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
        O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

        • Guest: Kolobos Re: Please check my log IP: *.warszawa.sdi.tpnet.pl 07.05.05, 19:10
          What is there to think about?
          Do you want to keep that trojan?
          O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe

          www.sophos.com/virusinfo/analyses/trojsmalled.html
          Troj/Small-ED is a backdoor Trojan which runs in the background as a service
          process and allows unauthorised remote access to the computer via an opened
          port.
          The Trojan then opens a TCP port, listening for commands from remote users. If
          it receives the appropriate command the Trojan attempts to:
          act as a HTTP Proxy server, redirect network traffic
          participate in denial of service (DoS) attacks
          download files from the internet and run them

          A backdoor that allows access to your computer, and you want to keep it? Hm,
          well, in the end it's your decision :P
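An added example, not code from the thread or from HijackThis: a small Python triage helper that applies the checks the replies above rely on (files named in the removal list, a proxy in Internet Settings, browser pages pointing at a bare IP, O4 autoruns without a full path, O20 Winlogon Notify DLLs) and then reports which flagged entries from the first log survived into the second, which is how the leftover RunServices entry stands out. The two log excerpts and the KILLBOX_FILES list are constructed from the entries quoted in this thread.

```python
import re

# Constructed excerpts of the thread's HijackThis entries: first log (BEFORE), post-cleanup log (AFTER).
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.160.74.15:8080
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [q36g36P] qwietmgr.exe
O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.onet.pl/
O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
"""
# Basenames of the files the first reply told the user to delete with KillBox.
KILLBOX_FILES = {"paytime.exe", "atipatxx.exe", "ntfs32.dll", "drct16.dll", "qossc.exe", "qwietmgr.exe"}
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")

def triage(log, bad_files=KILLBOX_FILES):
    """Return [(reason, line)] for every R/O entry a reviewer should look at."""
    findings = []
    for line in log.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header or process-list line, not an R/O entry
        kind, rest = m.groups()
        # Last path component, then last whitespace token, e.g. "paytime.exe"
        base = (rest.rsplit("\\", 1)[-1].split() or [""])[-1].strip('"').lower()
        if base in bad_files:
            findings.append(("file named in the removal instructions", line))
        elif "ProxyServer" in rest:
            findings.append(("proxy server configured; confirm it is intended", line))
        elif kind in ("R0", "R1") and IPV4.search(rest):
            findings.append(("browser setting points at a bare IP address", line))
        elif kind == "O4" and "\\" not in rest.split("]")[-1]:
            findings.append(("autorun entry without a full path", line))
        elif kind == "O20":
            findings.append(("Winlogon Notify DLL; verify it is legitimate", line))
    return findings

def still_present(before, after):
    """Flagged entries from the first log that survive unchanged in the second one."""
    after_lines = {l.strip() for l in after.strip().splitlines()}
    return [f for f in triage(before) if f[1].strip() in after_lines]
```

Running `still_present(BEFORE, AFTER)` on the excerpts returns only the RunServices atipatxx entry, the one the second reply points at.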
