trojan Agent CP

[Gość: kiki]

jak usunąć pomocy

[Gość: Kolobos]

Wklej log z hijackthis.

[Gość: kiki]

Logfile of HijackThis v1.98.2
Scan saved at 18:59:14, on 2005-05-08
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\WANADOO\TaskbarIcon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\PROGRA~1\GADU-G~1\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
c:\windows\system32\mivmnlf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\as\Ustawienia lokalne\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada
Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\WANADOO\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\WANADOO\TaskbarIcon.exe
O4 - HKLM\..\Run: [mtwv] C:\WINDOWS\mtwv.exe
O4 - HKLM\..\Run: [eqfifa] C:\WINDOWS\System32\xzcybp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05
\bin\jusched.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 - HKLM\..\Run: [NetDy] C:\WINDOWS\VisualGuard.exe
O4 - HKLM\..\Run: [MKS_MENU] C:\Program Files\MKS\Bin\mks_menu.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [gygsks] c:\windows\system32\mivmnlf.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgrd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRA~1\GADU-G~1\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program
Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840
\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) -
poczta.wp.pl/autoryzacja/mailcfg.ocx
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (GINBOARDS Class) -
67.15.101.3/g_bin/pl/boards_2_0_0_16.cab
O16 - DPF: {4539348E-01D7-11D5-9A39-0080C8D85044} (GameDesire Slots 90th) -
67.15.101.3/g_bin/pl/slots90_2_0_0_23.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} -
www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093712559905
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A6212120-01D4-11D5-9A39-0080C8D85044} (GameDesire Slots 70th) -
67.15.101.3/g_bin/pl/slots70_2_0_0_23.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word
Games) - 67.15.101.3/g_bin/pl/wordssingle_2_0_0_30.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
skaner.mks.com.pl/SkanerOnline.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) -
67.15.101.3/g_bin/pl/billard8_2_0_0_21.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC65D666-9546-47D2-8068-44C10B62B56E}:
NameServer = 194.204.152.34 217.98.63.164

[Gość: Kolobos]

Nie ponagalaj, trzeba ciepliwie czekac na swoja kolej.

Sciagasz to:
www.downloads.subratam.org/KillBox.zip
Uruchamiasz windows w trybie awaryjnym F5 lub F8 podczas startu systemu.

W hijackthis zaznacz te wpisy:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKLM\..\Run: [mtwv] C:\WINDOWS\mtwv.exe
O4 - HKLM\..\Run: [eqfifa] C:\WINDOWS\System32\xzcybp.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [_Cat3] C:\WINDOWS\msmsgrxp.exe
O4 - HKLM\..\Run: [NetDy] C:\WINDOWS\VisualGuard.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [gygsks] c:\windows\system32\mivmnlf.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe

I Fix Checked.

Nastepnie uruchamiasz Killbox, zaznacz Delete file on reboot wklej sciezke do
pliku (sam/a nie szukaj tylko wklejaj gotowa) i naciskaj czerwony przycik ale
na pytanie o reset odpowiadaj nie i tak zrob z tymi plikami:

C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\wuamgrd.exe lub C:\WINDOWS\wuamgrd.exe
c:\windows\system32\mivmnlf.exe
C:\WINDOWS\msmsgrxp.exe
C:\WINDOWS\VisualGuard.exe
C:\WINDOWS\System32\systime.exe
C:\WINDOWS\System32\xzcybp.exe
C:\WINDOWS\mtwv.exe
C:\WINDOWS\Nail.exe

I reset, nastepnie zainstaluj to:
www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D ->
przeskanuj i wlacz ochrone przegladarki
www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster -> wlacz
ochrone przegladarki
www.wilderssecurity.net/spywareguard.html <- SpywareGuard

Oraz antyvirusa:
www.free-av.com/
Do tego:
www.firewallleaktester.com/tools/wwdc.exe
Przeskanuj jeszcze tym:

housecall.trendmicro.com/housecall/start_corp.asp
www.windowsecurity.com/trojanscan/
www.pandasoftware.com/activescan/pol/activescan_principal.htm
I wklej nowy log z NOWEGO hijackthis:
www.spychecker.com/program/hijackthis.html

Przydaloby sie tez zaktualizowac system:
www.windowsupdate.com

[Gość: kiki]

pomocy Kolobos