Proszę o sprawdzenie loga

14.09.05, 10:58
activescan panda = 7xspyware, 2xdialer (nieuleczalne)
mks-vir wynalazl 8 trojanow, niby usunal pliki, jednemu nie dal rady.
ad-aware cos tam powynajdywal, usunal chyba wszystko
Prosze o sprawdzenie loga i krok po kroku, jak blondynce, wyjasnic jak usunac
ten szajs. dzięki:)

Logfile of HijackThis v1.99.1
Scan saved at 02:25:35, on 2005-09-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\programy\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} -
C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} -
C:\PROGRA~1\Odigo\Bin\OdigoBHO.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} -
c:\windows\system\bhomod00.dll
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [KonektorTP] "c:\program files\konektortp\konektortp.exe"
tray
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda
Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04
\bin\jusched.exe
O4 - HKLM\..\Run: [RunOdigo] C:\Program Files\Odigo\Bin\Odigo.exe -m
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\programy\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program
Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 195.95.218.173
O15 - Trusted IP range: 195.95.218.173 (HKLM)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) -
asp03.photoprintit.de/microsite/1661/defaults/activex/IPSUploader.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB8069B0-7BB2-4A98-BD3F-
576D86AE6DAB}: NameServer = 194.204.152.34 217.98.63.164
O21 - SSODL: Web Event Logger - {7CFBACFF-EE01-1231-ABDD-416592E5D639} -
C:\WINDOWS\system32\Gfdmbp32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32
\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner -
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file
missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software -
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) -
Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
C:\WINDOWS\svcproc.exe (file missing)

    • Gość: Kolobos Re: Proszę o sprawdzenie loga IP: *.warszawa.sdi.tpnet.pl 14.09.05, 12:35
      Przeskanuj tym:
      download.microsoft.com/download/8/1/5/815d2d60-49b5-44dc-ae35-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe
      download.ewido.net/ewido-setup.exe <- zrob update przed skanowaniem, po
      przeskanowaniu odinstaluj.
      Zamknij porty tym:
      www.firewallleaktester.com/tools/wwdc.exe
      Uzyj tez:
      andymanchesta.com/Downloads/ABIremover.zip

      W hijackthis usun:

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      195.95.218.172/index.php
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      195.95.218.172/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
      195.95.218.172/index.php
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      195.95.218.172/index.php
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      195.95.218.172/index.php
      R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
      C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
      O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} -
      C:\WINDOWS\AuroraHandler.dll (file missing)
      O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} -
      c:\windows\system\bhomod00.dll <- usun plik
      O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - (no file)
      O15 - Trusted Zone: *.skoobidoo.com
      O15 - Trusted Zone: *.slotchbar.com
      O15 - Trusted Zone: *.windupdates.com
      O15 - Trusted Zone: *.skoobidoo.com (HKLM)
      O15 - Trusted Zone: *.slotchbar.com (HKLM)
      O15 - Trusted Zone: *.windupdates.com (HKLM)
      O15 - Trusted IP range: 195.95.218.173
      O15 - Trusted IP range: 195.95.218.173 (HKLM)
      O21 - SSODL: Web Event Logger - {7CFBACFF-EE01-1231-ABDD-416592E5D639} -
      C:\WINDOWS\system32\Gfdmbp32.dll (file missing)
      O23 - Service: System Startup Service (SvcProc) - Unknown owner -
      C:\WINDOWS\svcproc.exe (file missing) <- uruchom services.msc , odszukaj tam ta
      usluge i ustaw tryb uruchomienia na wylaczony.

      Po wszystkim wklej nowy log i napisz jakie trojan i w jakich plikach wykryla Ci
      panda, mks itd.

      • seganiren Re: Proszę o sprawdzenie loga 15.09.05, 13:20
        idąc za Twoimi radami taki o to wynik uzyskałam:
        panda:
        1. spyware Adware:adware/aurora, No disinfected, Windows
        Registry
        2. dialer Dialer:dialer.bqw, No disinfected,
        HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC
        3. mks vir nie znalazl nic
        4. sam log wygląda teraz tak:

        Logfile of HijackThis v1.99.1
        Scan saved at 13:04:39, on 2005-09-15
        Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\SYSTEM32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\SYSTEM32\Ati2evxx.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
        C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
        C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
        C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
        C:\programy\qttask.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
        C:\Program Files\Messenger\msmsgs.exe
        C:\WINDOWS\system32\wscntfy.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Gadu-Gadu\gg.exe
        C:\Program Files\eMule\emule.exe
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        www.google.pl/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
        www.google.pl/
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
        C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
        O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
        O4 - HKLM\..\Run: [KonektorTP] "c:\program files\konektortp\konektortp.exe" tray
        O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus
        Platinum\Inicio.exe"
        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04
        \bin\jusched.exe
        O4 - HKLM\..\Run: [RunOdigo] C:\Program Files\Odigo\Bin\Odigo.exe -m
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\programy\qttask.exe" -atboottime
        O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System
        Mechanic 4 Professional\PopupStopper.exe"
        O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
        O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
        Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O8 - Extra context menu item: E&ksport do programu Microsoft Excel -
        res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
        C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
        00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
        O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
        C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
        C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
        00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
        Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
        www.pandasoftware.com/activescan/as5free/asinst.cab
        O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) -
        asp03.photoprintit.de/microsite/1661/defaults/activex/IPSUploader.cab
        O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
        skaner.mks.com.pl/SkanerOnline.cab
        O17 - HKLM\System\CCS\Services\Tcpip\..\{BB8069B0-7BB2-4A98-BD3F-576D86AE6DAB}:
        NameServer = 194.204.152.34 217.98.63.164
        O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32
        \Ati2evxx.exe
        O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
        O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner -
        C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
        O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program
        Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
        O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) -
        Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

        chyba nieco lepiej, prawda? mam nadzieję że nic nie skopałam po drodze, ale ja
        jestem raczej ignorantką w tych sprawach i trzeba mnie "prowadzić za raczkę";)
        Teraz szykuję się do instalcji nortona. Podobno najlepszy?
        wielkie dzięki za pomoc:)
        • Gość: Kolobos Re: Proszę o sprawdzenie loga IP: *.warszawa.sdi.tpnet.pl 15.09.05, 14:56
          Lepiej sobie zainstaluj avast:
          www.avast.com/eng/avast_4_home.html
          Log wyglada ok.
          • seganiren Re: Proszę o sprawdzenie loga 15.09.05, 15:13
            duże podziękowania raz jeszcze:)
Pełna wersja