prosze o pomoc

**Posty:** 3 · przez **Jarodt** 20 Lip 2007, 13:40

Mam na serwerze wirusa(w32.fakerecy- tworzy mi na kat. udostępnionych pliki : kosz i autorun.inf). Usuwam,ale co chwilę tworzy je na nowo. Symantec wykrywa,próbuje usuwać,ale co chwilę się pojawia na nowo i antyvir mi sie zazębił.

Logfile of HijackThis v1.99.1
Scan saved at 11:13:36, on 2007-07-20
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Aladdin\HASP LM\nhsrvice.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\WINDOWS\system32\cisvc.exe
D:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe
D:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\SAV\DefWatch.exe
D:\Program Files\IBM\SQLLIB\bin\db2dasstm.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
D:\Program Files\IBM\HTTPServer\bin\apache.exe
C:\WINDOWS\System32\ismserv.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
D:\Program Files\IBM\SQLLIB\BIN\db2fmp.exe
C:\WINDOWS\system32\ntfrs.exe
D:\Program Files\IBM\HTTPServer\bin\apache.exe
C:\WINDOWS\system32\raidserv.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Alert on LAN\Proxy\Providers\asfpprov.exe
C:\Program Files\Intel\Alert on LAN\Proxy\Aolnsrvr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
d:\Program Files\IBM\WebSphere\AppServer\java\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RAID Web Console\java\bin\jusched.exe
D:\PROGRA~1\IBM\SQLLIB\BIN\db2systray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\mmc.exe
F:\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\RAID Web Console\java\bin\jusched.exe
O4 - HKLM\..\Run: [DB2COPY1 - db2systray.exe DB2] D:\PROGRA~1\IBM\SQLLIB\BIN\db2systray.exe DB2
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKLM\..\Run: [AVP] "D:\Kaspersky_Portable\avp.exe"

O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Intel Alerting WMI Service (ALRT_PRV) - Intel Corporation - C:\Program Files\Intel\Alert on LAN\Proxy\Providers\asfpprov.exe
O23 - Service: Intel Alerting Service (ALRT_SRV) - Intel Corporation - C:\Program Files\Intel\Alert on LAN\Proxy\Aolnsrvr.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: AVP - Unknown owner - D:\Kaspersky_Portable\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DB2 - DB2COPY1 - DB2 (DB2) - International Business Machines Corporation - D:\PROGRA~1\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2DAS - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - D:\Program Files\IBM\SQLLIB\\bin\db2dasrrm.exe
O23 - Service: DB2 Governor (DB2COPY1) (DB2GOVERNOR_DB2COPY1) - International Business Machines Corporation - D:\Program Files\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 License Server (DB2COPY1) (DB2LICD_DB2COPY1) - International Business Machines Corporation - D:\Program Files\IBM\SQLLIB\BIN\db2licd.exe
O23 - Service: DB2 Management Service (DB2COPY1) (DB2MGMTSVC_DB2COPY1) - International Business Machines Corporation - D:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe
O23 - Service: DB2 Security Server (DB2COPY1) (DB2NTSECSERVER_DB2COPY1) - International Business Machines Corporation - D:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Serwer zdalnych komend DB2 (DB2COPY1) (DB2REMOTECMD_DB2COPY1) - International Business Machines Corporation - D:\Program Files\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: HASP Loader - Aladdin Knowledge Systems Ltd. - C:\Program Files\Aladdin\HASP LM\nhsrvice.exe
O23 - Service: IBM HTTP Administration 6.1 (IBMHTTPAdministration6.1) - Unknown owner - d:\Program Files\IBM\HTTPServer\bin\apache.exe" -k runservice (file missing)
O23 - Service: IBM HTTP Server 6.1 (IBMHTTPServer6.1) - Unknown owner - d:\Program Files\IBM\HTTPServer\bin\apache.exe" -k runservice (file missing)
O23 - Service: IBM WebSphere Application Server V6.1 - SWKR11Node01 (IBMWAS61Service - SWKR11Node01) - Unknown owner - d:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS61Service - SWKR11Node01 (file missing)
O23 - Service: Intel Alert Handler - LANDesk Software Ltd. - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - LANDesk Software Ltd. - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Usługa wykrywania przez centrum Symantec System Center (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: RAID_SERVER - Unknown owner - C:\WINDOWS\system32\\raidserv.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe

Jeśli ktoś może mi pomóc,to bardzo proszę

**Posty:** 8694 · przez **Red** 20 Lip 2007, 14:13

Niestety,albo stety w logu masz wszystko ok.....potrzeba wiecej informacji na temat tego co sie dzieje...

**Posty:** 3 · przez **Jarodt** 20 Lip 2007, 15:35

chyba wyłapałem szkodnika z kompem,który mi tak ładnie sieje
jego log

Logfile of HijackThis v1.99.1
Scan saved at 14:54:51, on 2007-07-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\WINDOWS\explorer.exe
E:\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Multi-user Cleanup Service - IBM Corp - D:\lotus\notes\ntmulti.exe

Jeśli coś uda Wam się znaleźć,to jeszcze napiszcie jak to usunąć.

BIG THX

**Posty:** 8694 · przez **Red** 20 Lip 2007, 15:37

Jeden log z jednego systemu ,drugi log z drugiego :roll:

i wszystkie czyste :wow:

**Posty:** 3 · przez **Jarodt** 21 Lip 2007, 08:46

OK,wielkie dzięki. Teraz u drugiego przeskanuje system i powinno być git.

prosze o pomoc

prosze o pomoc

THX

Kto jest na forum