Please check my log. Thank you.
darioush
Logfile of HijackThis v1.99.1
Scan saved at 22:39:48, on 21/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\BT Broadband Basic Help\bin\mad.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dariusz zygmunt\My Documents\hijackthis.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mks.com.pl
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BDAED69-316E-441B-A083-D2E2FD958A75}: NameServer = 194.74.65.68 194.72.0.114
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
darioush
"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunKistEM" = "C:\Program Files\Digital Media Reader\shwiconem.exe" ["Alcor Micro, Corp."]
"(Default)" = (empty string)
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"Reminder" = "C:\WINDOWS\Creator\Remind_XP.exe" ["SoftThinks"]
"High Definition Audio Property Page Shortcut" = "HDAudPropShortcut.exe" ["Windows ® Server 2003 DDK provider"]
"Mixersel" = "C:\Program Files\Realtek\InstallShield\mixersel.exe" [null data]
"CHotkey" = "zHotkey.exe" [empty string]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"DSLSTATEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon" ["GlobespanVirata, Inc."]
"DSLAGENTEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"OpwareSE2" = ""C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"" ["ScanSoft, Inc."]
"OPSE reminder" = ""C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"" ["ScanSoft, Inc."]
"WinampAgent" = ""C:\Program Files\Winamp\Winampa.exe"" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{5EC3EA89-4453-4416-A78B-65F689DC2048}" = "Goback Drives"
-> {HKLM...CLSID} = "Goback Drives"
\InProcServer32\(Default) = "C:\Program Files\Norton GoBack\GBDrvShX.dll" [null data]
"{6809E580-A3A7-11D1-9A00-00A0C945B006}" = "GoBack Shell Extension"
-> {HKLM...CLSID} = "GoBack Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Norton GoBack\ShellExt.dll" ["Symantec Corporation"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
GoBack\(Default) = "{6809E580-A3A7-11D1-9A00-00A0C945B006}"
-> {HKLM...CLSID} = "GoBack Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Norton GoBack\ShellExt.dll" ["Symantec Corporation"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dariusz zygmunt\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\i386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\updgoi\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]


Startup items in "dariusz zygmunt" & "All Users" startup folders:
-----------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"BigFix" -> shortcut to: "C:\Program Files\BigFix\BigFix.exe /atstartup" ["BigFix Inc."]
"BT Broadband Basic Help" -> shortcut to: "C:\Program Files\BT Broadband Basic Help\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"Install Pending Files" -> shortcut to: "C:\Program Files\SIFXINST\SIFXINST.EXE /ApplyPending" ["New Boundary Technologies, Inc."]
"Norton GoBack" -> shortcut to: "C:\Program Files\Norton GoBack\GBTray.exe" ["Symantec Corporation"]


Enabled Scheduled Tasks:
------------------------

"At1" -> launches: "C:\DOCUME~1\DARIUS~1\LOCALS~1\TEMPOR~1\Content.IE5\WPQZCXYJ\Look2Me-Destroyer.exe /task" [file not found]
"Norton AntiVirus - Scan my computer - dariusz zygmunt" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
GoBack Polling Service, GBPoll, ""C:\Program Files\Norton GoBack\GBPoll.exe"" ["Symantec Corporation"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" ["New Boundary Technologies, Inc."]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 21 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 10 seconds.
---------- (total run time: 59 seconds)
xseper
Well then, delete this in HJT:
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)



Next time write what your problem is, and give the topic a proper title :( see the forum rules
vilkatla
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

part of SoftThinks CD Creator

O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE

and isn't this one from Prism, by any chance?

and why should the user uninstall OmniPageSE2.0?
It's a program for converting documents.

What you can throw out, though, is Realtek's spy:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


Silent Runners is clean.
@darioush - WRITE WHAT IS HAPPENING WITH THE COMPUTER, because nobody here can read tea leaves. Without the symptoms it is really hard to make a diagnosis.


regards
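Both pieces of advice above (xseper's orphaned O3 toolbar entry and vilkatla's ALCMTR.EXE Run value) can be checked mechanically. The following script is an added example, not HijackThis code and not a tool used in this thread: it parses O3, O4 (Run keys) and O23 lines from a constructed sample copied from the HijackThis report posted earlier, and flags entries whose target is missing on disk as well as Run values that name an executable with no directory, so which copy loads depends on the search path.

```python
"""Triage helper for HijackThis-style log lines.

Added example (not HijackThis code and not a tool used in this thread).
It parses O3, O4 (Run keys) and O23 entries and flags the two patterns the
replies above point at: an entry whose target no longer exists on disk
("(no file)" / "(file missing)", which HijackThis prints for orphaned
entries) and a Run value that names a bare executable with no directory,
so which copy actually loads depends on the search path (e.g. ALCMTR.EXE).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the HijackThis report
# posted earlier in this thread. Global Startup (.lnk) lines are not handled.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
"""


@dataclass
class Entry:
    section: str   # "O3", "O4" or "O23"
    name: str      # toolbar title, Run value name or service display name
    target: str    # the file reference exactly as HijackThis printed it


# One pattern per section; names are non-greedy so the " - " separators stay unambiguous.
PATTERNS = (
    ("O3", re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")),
    ("O4", re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<target>.*)$")),
)

# Wording HijackThis uses when the referenced file is gone.
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse(log_text: str) -> List[Entry]:
    """Turn the recognised O3/O4/O23 lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, rx in PATTERNS:
            m = rx.match(line)
            if m:
                entries.append(Entry(section, m.group("name"), m.group("target")))
                break
    return entries


def executable_of(target: str) -> Optional[str]:
    """Strip quoting and arguments from a Run value, leaving only the image path.

    Returns None when the target is not a file reference at all, e.g. "(no file)".
    """
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else None
    # Unquoted paths may contain spaces, so stop at the first executable
    # extension that is followed by whitespace or the end of the line.
    m = re.match(r"(?i)^(.+?\.(?:exe|dll|sys|com|scr))(?:\s|$)", target)
    return m.group(1) if m else None


def is_bare_filename(path: str) -> bool:
    """True for a file name with no directory component, e.g. ALCMTR.EXE."""
    return "\\" not in path and "/" not in path


def triage(log_text: str) -> List[str]:
    """Return one human-readable finding per suspicious entry, in log order."""
    findings: List[str] = []
    for e in parse(log_text):
        if any(marker in e.target for marker in MISSING_MARKERS):
            findings.append(f"{e.section} [{e.name}]: target missing on disk ({e.target}); "
                            "orphaned entry, safe to remove")
            continue
        if e.section == "O4":
            exe = executable_of(e.target)
            if exe and is_bare_filename(exe):
                findings.append(f"O4 [{e.name}]: runs {exe} by bare name; confirm which copy "
                                "on the search path is actually loaded")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Entries with a full path and an existing file (the Symantec, Intel and Google lines) produce no finding, which matches the verdict given in the thread.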
xseper
My bad..... I didn't know those programs and found them online listed as bogus :cry:
vilkatla
sifxinst.exe is also the file name of a trojan, but that trojan installs itself in the system directory and adds characteristic registry entries, which aren't present here. Prism, on the other hand, did show up somewhere in the log, hence my conclusion.

As for the reminder - the automated analyzer at hijackthis.de classifies it as junk. Honestly, I have no idea why.
What I do know is that automated analyzers can never be trusted.


regards
darioush
I'm very sorry, this is my first post and I had a feeling I would do something wrong. I forgot to write what is happening with the computer.
So here it is.
I installed GG, got a message, clicked on a link (that was very stupid) and Norton went crazy. Messages about trojans etc.
I checked the reports and according to them Norton blocked everything, but since then Norton keeps showing information about intruders logging in and gives their IPs, one in particular.
Another problem is that my internet disconnects; every minute, sometimes two, the connection is interrupted, and it seems to me the computer is a bit slower, not much, but still. Maybe you can advise me something. Thank you very much.
vilkatla
hm
something may indeed be sitting somewhere.
Also do a scan with GMER and paste the log on the forum (Rootkit -> Scan -> Copy -> Ctrl+V into the post)


regards
darioush
I don't know how to paste. I click Copy and get a message that the data is in the clipboard, but I don't know where that clipboard is.
Troy
Ctrl + V (i.e. paste) or right-click -> Paste
darioush
GMER 1.0.9.8110 - http://www.gmer.net
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.9 ----

SSDT GoBack2K.sys ZwClose
SSDT 81DFDE50 ZwConnectPort
SSDT GoBack2K.sys ZwFsControlFile
SSDT 82065078 ZwOpenProcess
SSDT 82073BC8 ZwOpenThread

---- Devices - GMER 1.0.9 ----

Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE [F8246F80] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_QUERY_INFORMATION [F82471A0] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_QUERY_VOLUME_INFORMATION [F8247290] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8247380] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_WRITE [F8246F80] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_QUERY_INFORMATION [F82471A0] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_QUERY_VOLUME_INFORMATION [F8247290] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8247380] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+6 IRP_MJ_WRITE [F8246F80] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+6 IRP_MJ_QUERY_INFORMATION [F82471A0] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+6 IRP_MJ_QUERY_VOLUME_INFORMATION [F8247290] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+6 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8247380] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk2\DR3 IRP_MJ_WRITE [F8246F80] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk2\DR3 IRP_MJ_QUERY_INFORMATION [F82471A0] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk2\DR3 IRP_MJ_QUERY_VOLUME_INFORMATION [F8247290] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk2\DR3 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8247380] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+7 IRP_MJ_WRITE [F8246F80] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+7 IRP_MJ_QUERY_INFORMATION [F82471A0] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+7 IRP_MJ_QUERY_VOLUME_INFORMATION [F8247290] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+7 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8247380] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk3\DR4 IRP_MJ_WRITE [F8246F80] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk3\DR4 IRP_MJ_QUERY_INFORMATION [F82471A0] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk3\DR4 IRP_MJ_QUERY_VOLUME_INFORMATION [F8247290] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk3\DR4 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8247380] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+8 IRP_MJ_WRITE [F8246F80] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+8 IRP_MJ_QUERY_INFORMATION [F82471A0] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+8 IRP_MJ_QUERY_VOLUME_INFORMATION [F8247290] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+8 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8247380] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk4\DR5 IRP_MJ_WRITE [F8246F80] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk4\DR5 IRP_MJ_QUERY_INFORMATION [F82471A0] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk4\DR5 IRP_MJ_QUERY_VOLUME_INFORMATION [F8247290] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk4\DR5 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8247380] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+9 IRP_MJ_WRITE [F8246F80] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+9 IRP_MJ_QUERY_INFORMATION [F82471A0] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+9 IRP_MJ_QUERY_VOLUME_INFORMATION [F8247290] GoBack2K.sys
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+9 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8247380] GoBack2K.sys

---- Files - GMER 1.0.9 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{EBE7F5B4-9626-4FB0-8C04-62912E099CB4}

---- EOF - GMER 1.0.9 ----
vilkatla
clean...
darioush
Does that mean the computer is as clean as crystal?
And what should I do about the intruders who are logging in?
And what about that Realtek spy?
vilkatla
Well, since even GMER detects nothing... it's probably clean.
Norton blocked everything, but some annoying piece of filth has latched on and keeps trying to connect. It isn't on the computer, so it can't be removed.
As for how to prevent those connection attempts, unfortunately I have no idea so far.
Maybe write down exactly what Norton is shouting.

(darioush)
And what about that Realtek spy?

Realtek isn't a spy, it's quite a serious company that makes your audio drivers ;)
but the file alcmtr.exe is a harmless spy of that company, which sends it some data about you (visited sites, programs used).
We get rid of it as a matter of principle - after all, it's unwanted surveillance.
Delete this entry with HijackThis:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

and remove the file from the disk manually (if it doesn't go with the fix).


regards
darioush
Here are a few of Norton's messages:
Intrusion: MS ASN1 Integer Overflow TCP.
Intrusion detected and blocked. All communication with 86.137.130.245 will be blocked for 30 min.
Details: Attempted intrusion "MS ASN1 Overflow TCP" against your machine.
Intruder: 86.137.130.245
Attacked port: netbios-ssn (139)

And it's like this all the time, only the intruder's number changes.


And also messages like this; there are a lot of them, with different numbers, e.g.

Protecting your connection to a newly detected network on adapter "WAN (PPP/SLIP)Interface" (IP:86.135.205.179)

and a moment later this one: IP 86.135.205.179 has disappeared and is no longer being protected.

What does that mean?
xseper
That someone keeps trying to break in / scan your ports.... please tell me what IP you have?? I mean, is it static or dynamic?
darioush
(xseper)
That someone keeps trying to break in / scan your ports.... please tell me what IP you have?? I mean, is it static or dynamic?


Unfortunately I don't know what IP I have. I don't even know how or where to check it.
Bieniol
People using ADSL technology (Neostrada) have dynamic IPs. Such an address is variable, which means that once in a while (e.g. every 24 hours) it is changed to another, randomly chosen one. A dynamic IP is an external address, which means it isn't blocked in any way.

A static IP is one that doesn't change. A static IP can be:
- internal - an IP inside the LAN, not visible from outside the network in which the computer with that IP address is located
- external - public - an IP visible from outside the LAN; it is usually held by a server communicating directly with the Internet, or by computers whose internet connection is not shared through a router or server
darioush
I still have to look, but I can give the modem's name.
Name: BT Voyager 105 USB ADSL Modem.
xseper
ADSL says dynamic, but I don't know the company... tell me which network you're on? Toya, TP??

bieniol: a dynamic IP changes on disconnecting and reconnecting
darioush
My internet is on the BT Broadband network (British Telecommunication)