Proxy trojanski konj

Mal si tole preberi.

zdravo!

hvala da si se zavzel...

log file hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 10:23:55, on 25.5.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5112.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Arcade\PCMService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\program files\softwin\bitdefender9\bdswitch.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\program files\softwin\bitdefender9\bdnagent.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
c:\program files\softwin\bitdefender9\bdmcon.exe
C:\Documents and Settings\Anja\Desktop\trsetup.exe
C:\DOCUME~1\Anja\LOCALS~1\Temp\is-KK1JT.tmp\is-DV5G8.tmp
C:\Documents and Settings\Anja\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\program files\softwin\bitdefender9\bdswitch.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender9\bdnagent.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup...
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA39F5BD-CBA9-4532-AE16-C7B37605D6E2}: NameServer = 193.189.160.23 193.189.160.13
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

services.msc : prtsc





zdaj bom še poskusil postopek v safe mode in pa trojan remover..

hvala!

1. Sumljiva stvar C:\WINDOWS\system32\nvsvcd.exe Pojdi na http://virusscan.jotti.org/ , kjer z browserjem prebrskaj to stvar in daj submit. Skenira z več antivirusi. Povej kaj analiza pove oz spet prtsc...

2. zloadej zastonjski process explorer http://www.sysinternals.com/Utilities/P...
in pa zloadej še Security Task Manager(ali pa WinTasks 5 Pro)Slednji pokaže tudi skrite procese!
Spet prtscr naredi.

3. povej mi malo o svojem računalniku, je to morda prenosnik?, imaš router?
Odgovori pa ti dam nasvet, katere servicese disablirati...

Preizkusi se TrojanHunter, izjemen program kar se ubijanja trojancev tice.
http://www.trojanhunter.com/

Zloadej si ice sword http://rapidshare.de/files/21421647/Ice... in pojdi na kernel module in zgoraj klikni dump current list in nekam shrani. Spet naredi tudi z ssdt, startup. Vse shranjene loge kar zararaj/zazipaj/... in jih nekam uploadej npr rapidshare.de.

Z mojim naslednjim odgovorom gremo v safe boot ročno akcijo!

Zloadej si Unlocker, če ga še nimaš http://ccollomb.free.fr/unlocker/unlock... in ga inštaliraj.
Sklopni system restore. Sklopni internet(FIZIČNO, pri wireless pa kar modem iz štekarja!)

Nalednje delaj na lastno odgovornost.... za kakršnokoli škodo ne odgovarjam!

Pojdi v safe boot, med nalaganem driverjev(in podobnega)-tisto dosovsko pisanje in še mal pritiskaj esc, da se ne naložijo newindowske stvari(v tvojem primeru npr vax347b.sys-od alcohola za navidezni pogon).

Obveznoizberi še, da vidiš tudi skrite datoteke (tools->folder options->view, izberi show hidden files and folders in še odljukaj hide protected operating system files)-posloveni, če imaš slovensko, saj veš orodja...

pojdi v C:\WINDOWS\system32\in zbriši nvsvcd.exe. Če windows zateži, da ne more zbrisati, z desnim klikni nanjo, izberi unlocker in izbriši.
Poglej še za(če obstaja) smss.exe v C:\WINDOWS\system. (pozor v system ne system32!)
Zvriši še stvari iz C:\documents and settings\ (uporanik, ki ga uporabljaš, najbrž administrator)\local settings\temp\ Pozornost obrni predvsem na smssb.exe in smss.exe.

Pojdi start->run->regedit in išči vse stvari(ključi, vrednosti,..) išči pa ta zbrisan nvsvcd.exe.
V registrupoglej še v HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run in zbriši(če tam obstaja) \.nvsvc="%WINDIR%\system\smss.exe /w"

Ponovno zaženi. A deluje?

---

Za odstranjevanje spywarev si posnemi(kakorkoli dobi) webroor spysweeper in pa spyware doctor.
Od časa do časa skeniraj računalnik z kakšnimi online antivirusi kot
-panda http://www.pandasoftware.com/products/a...
-kaspersky http://www.kaspersky.com/virusscanner
...
Glede servisiv (services.msc) ustavi in disabliraj:
-Alerter(obvezno!)
-Fast User Switching...(razen če veliko prekljaplajš med userji)
-Portable Media....
-Remote Deskope ...
-Secondary Logon
-TCP/IP Netbios helper
-Terminal Services
... še kak, a ne poznam celotnega tvojega računalnika(programi, ..)

lp

samo to še, system restore vklopim nazaj al pustim sklopljenega?

hvala