Trojan Iroffer 1227
Witam i proszę o pomoc, wczoraj ściagnołem mały pliczek w którym był ten cholerny trojan a wykrył mi go Norton. Próbowałem skasowaś go mks wir on line ale niestety bez rezultatu. Jedynie pokazuje mi gdzie on sie zagnieździł a mianowicie C\Windows\security\winsecure\exe. Na razie złych objawów nie mam mój XP pracuje dobrze. Moźe to nic groźnego ale dmucham na zimne. Pozdrawiam.
Logfile of HijackThis v1.99.1
Scan saved at 12:36:08, on 2005–08–10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\D–Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\SPYCLE~1\SpyWatcher.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
F:\BitComet\BitComet.exe
G:\Gadu–Gadu\gg.exe
C:\DOCUME~1\p4\USTAWI~1\Temp\Rar$EX00.015\Setup.exe
C:\DOCUME~1\p4\USTAWI~1\Temp\Rar$EX00.891\Setup.exe
C:\WINDOWS\security\FireDaemon.exe
C:\WINDOWS\security\winsecure.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\p4\Pulpit\PULPIT 2\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 – HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 – HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 – HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 – HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [DAEMON Tools–1033] "C:\Program Files\D–Tools\daemon.exe" –lang 1045
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 – HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – HKLM\..\Run: [Spy Watcher] "F:\SPYCLE~1\SpyWatcher.exe" –S
O4 – HKCU\..\Run: [Gadu–Gadu] "G:\Gadu–Gadu\gg.exe" /tray
O4 – Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 – Extra context menu item: + &Mass Downloader: download this file – C:\Documents and Settings\p4\Pulpit\Mass.Downloader.3.0.577.SR1\crack\Add_Url.htm
O8 – Extra context menu item: + Mass Downloader: download &All files – C:\Documents and Settings\p4\Pulpit\Mass.Downloader.3.0.577.SR1\crack\Add_All.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 – Extra context menu item: Personalizuj Menu &4 – file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 – Extra context menu item: Pobierz z &BitSpirit
– F:\BitSpirit\bsurl.htm
O8 – Extra context menu item: RF Pasek Narzędzi &2 – file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 – Extra context menu item: Wypełnij Pola &] – file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 – Extra context menu item: Zapisz Pola &[ – file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O16 – DPF: {9A9307A0–7DA4–4DAF–B042–5009F29E09E1} (ActiveScan Installer Class) – http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://skaner.mks.com.pl/SkanerOnline.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{3850CDFE–F0E1–43B4–AEE9–5D0EBA40CC02}: NameServer = 194.63.133.4,194.63.132.4
O17 – HKLM\System\CS1\Services\Tcpip\..\{3850CDFE–F0E1–43B4–AEE9–5D0EBA40CC02}: NameServer = 194.63.133.4,194.63.132.4
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Password Validation Service (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Symantec Proxy Service (ccPxySvc) – Symantec Corporation – C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 – Service: Usługa Auto–Protect w programie Norton AntiVirus (navapsvc) – Symantec Corporation – C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 – Service: Norton Internet Security Accounts Manager (NISUM) – Symantec Corporation – C:\Program Files\Norton Internet Security\NISUM.EXE
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\system32\nvsvc32.exe
O23 – Service: ScriptBlocking Service (SBService) – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Symantec Network Drivers Service (SNDSrvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 – Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) – Analog Devices, Inc. – C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 – Service: StarWind iSCSI Service (StarWindService) – Rocket Division Software – F:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 – Service: SymWMI Service (SymWSC) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 – Service: FireDaemon Service: winsecure (winsecure) – Sublime Solutions Pty Ltd – C:\WINDOWS\security\FireDaemon.exe
Logfile of HijackThis v1.99.1
Scan saved at 12:36:08, on 2005–08–10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\D–Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\SPYCLE~1\SpyWatcher.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
F:\BitComet\BitComet.exe
G:\Gadu–Gadu\gg.exe
C:\DOCUME~1\p4\USTAWI~1\Temp\Rar$EX00.015\Setup.exe
C:\DOCUME~1\p4\USTAWI~1\Temp\Rar$EX00.891\Setup.exe
C:\WINDOWS\security\FireDaemon.exe
C:\WINDOWS\security\winsecure.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\p4\Pulpit\PULPIT 2\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 – HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 – HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 – HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 – HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [DAEMON Tools–1033] "C:\Program Files\D–Tools\daemon.exe" –lang 1045
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 – HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – HKLM\..\Run: [Spy Watcher] "F:\SPYCLE~1\SpyWatcher.exe" –S
O4 – HKCU\..\Run: [Gadu–Gadu] "G:\Gadu–Gadu\gg.exe" /tray
O4 – Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 – Extra context menu item: + &Mass Downloader: download this file – C:\Documents and Settings\p4\Pulpit\Mass.Downloader.3.0.577.SR1\crack\Add_Url.htm
O8 – Extra context menu item: + Mass Downloader: download &All files – C:\Documents and Settings\p4\Pulpit\Mass.Downloader.3.0.577.SR1\crack\Add_All.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 – Extra context menu item: Personalizuj Menu &4 – file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 – Extra context menu item: Pobierz z &BitSpirit
– F:\BitSpirit\bsurl.htm
O8 – Extra context menu item: RF Pasek Narzędzi &2 – file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 – Extra context menu item: Wypełnij Pola &] – file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 – Extra context menu item: Zapisz Pola &[ – file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O16 – DPF: {9A9307A0–7DA4–4DAF–B042–5009F29E09E1} (ActiveScan Installer Class) – http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://skaner.mks.com.pl/SkanerOnline.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{3850CDFE–F0E1–43B4–AEE9–5D0EBA40CC02}: NameServer = 194.63.133.4,194.63.132.4
O17 – HKLM\System\CS1\Services\Tcpip\..\{3850CDFE–F0E1–43B4–AEE9–5D0EBA40CC02}: NameServer = 194.63.133.4,194.63.132.4
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Password Validation Service (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Symantec Proxy Service (ccPxySvc) – Symantec Corporation – C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 – Service: Usługa Auto–Protect w programie Norton AntiVirus (navapsvc) – Symantec Corporation – C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 – Service: Norton Internet Security Accounts Manager (NISUM) – Symantec Corporation – C:\Program Files\Norton Internet Security\NISUM.EXE
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\system32\nvsvc32.exe
O23 – Service: ScriptBlocking Service (SBService) – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Symantec Network Drivers Service (SNDSrvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 – Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) – Analog Devices, Inc. – C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 – Service: StarWind iSCSI Service (StarWindService) – Rocket Division Software – F:\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 – Service: SymWMI Service (SymWSC) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 – Service: FireDaemon Service: winsecure (winsecure) – Sublime Solutions Pty Ltd – C:\WINDOWS\security\FireDaemon.exe
Odpowiedzi: 8
czyt. 1–y punkt , jak nie potwierdzi , nic nie znajdzie ..to daj sobie spokój .
ps. malware hunters juź daliby o sobie znać ;)
ps. malware hunters juź daliby o sobie znać ;)
czyt. 1–y punkt , jak nie potwierdzi , nic nie znajdzie ..to daj sobie spokój .
ps. malware hunters juź daliby o sobie znać ;)
ps. malware hunters juź daliby o sobie znać ;)
Zerknij na screena bo nie moge zlokalizować tego pliku w windowsie.
zanim coś wykasujesz sprawdz system innym skanerem antywirusowym , polecam Kaspersky online (działa na IE)
1–szy sprawdza cały system (wskazane))
2–i tylko podejrzane pliki
Nawet najlepszy antywirus miewa false alarme , upewnij się czy to nie pomyłka skanując podejrzany plik jeszcze tym http://virusscan.jotti.org/
Dopiero moźesz brać się za kasowanie :)
1–szy sprawdza cały system (wskazane))
2–i tylko podejrzane pliki
Nawet najlepszy antywirus miewa false alarme , upewnij się czy to nie pomyłka skanując podejrzany plik jeszcze tym http://virusscan.jotti.org/
Dopiero moźesz brać się za kasowanie :)
Juz działam tylko jeszcze mi podpowiedź jaką ścieszke dostępu wskazać czy plik o którym piszesz :oops: . Bo nie miałem jeszcze z tym programem do czynienia.
najnowsza wersja Pocket KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip . W okienku naleźy wpisać ścieźkę dostępu albo kliknąć Browse for file i sami wskazujemy plik. Następnie wybieramy metodę usuwania: Standard File kill , Delete on Reboot (powinno zadziałać) albo Replece on.. http://img140.exs.cx/img140/6548/1092.jpg .. Polecam takźe ten : http://forum.infojama.pl/viewtopic.php?t=62553&highlight=unlocker a tu jego najnowsza wersja : http://ccollomb.free.fr/unlocker/unlocker1.7.0.exe
lucy:
http://www.searchengines.pl/phpbb203/lofiversion/index.php/t40508.html
Lucy a mógłbyś coś podpowiedzieć co z tym linkiem bo link na tej stronie do pobrania programu nie działa.
http://www.searchengines.pl/phpbb203/lofiversion/index.php/t40508.html
Strona 1 / 1