Please check my log :)


(Vincent77) #1

Recently an online scanner detected a few spyware items, but I have no idea how to remove them. Please help.

Here is the log:

Merged post: 17.12.2005 (Sat) 18:49

Oh, and I'd like to add that I don't know much about computers, so if it isn't too much trouble I'd ask for an explanation in plain language :lol:

====================================

Note: when you paste a log, wrap it in a CODE or QUOTE tag.

I suggest you read THIS topic and see what users who paste logs are asked to do.

Regards, kuz5


(Gutek) #2

Completely uninstall Logitech's Desktop Messenger, SetPoint and BackWeb. And the entries with HijackThis :wink:

the file manually in Safe Mode, the entries with HijackThis


(Vincent77) #3

Thank you! I'll try it right away, but did I understand correctly that after doing this the spyware will be gone??? :lol:


(Gutek) #4

Well, the one in red is a junk file, and the ones I'm telling you to remove are the Logitech components (mouse), but that's an official spy; the mouse should work without problems, you're neither the first nor the last to uninstall these components :wink:


(Vincent77) #5

Unfortunately, after doing all that the scanner still detects the same junk....... what else can I do????? :smiley:


(Gutek) #6

Please post a log from Silent Runners.

Silent Runners description: http://www.searchengines.pl/phpbb203/in ... opic=15989

And what junk exactly?


(Vincent77) #7

Here is the Silent Runners log:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]

"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"AVG7_CC" = "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"AVG7_EMC" = "D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

"RAM Idle Professional" = "D:\Program Files\RAM Idle\RAM_XP.exe" [null data]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

"gcasServ" = ""D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

"odk_mon" = "C:\Program Files\Odkurzacz 9.3 Pro\odk_mon.exe" ["FranmoSoft"]

"odk_rtlv" = "C:\Program Files\Odkurzacz 9.3 Pro\odk_rtlv.exe" ["RealTime LatestViruses"]

"KonektorTP" = ""c:\program files\konektortp\konektortp.exe" tray" [file not found]

"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1045" ["DAEMON'S HOME"]

"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = "AcroIEHlprObj Class" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)

-> {CLSID}\InProcServer32(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = "NAV Helper"

-> {CLSID}\InProcServer32(Default) = "D:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {CLSID}\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{6D0E6651-1CD8-11d6-92C4-0003479E4848}" = "NVIDIA NT4 Multimon Control Panel Extension"

-> {CLSID}\InProcServer32(Default) = "nvnt4cpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitu"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {CLSID}\InProcServer32(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {CLSID}\InProcServer32(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

-> {CLSID}\InProcServer32(Default) = "D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"

-> {CLSID}\InProcServer32(Default) = "D:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG7 Shell Extension(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {CLSID}\InProcServer32(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

Symantec.Norton.Antivirus.IEContextMenu(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

-> {CLSID}\InProcServer32(Default) = "D:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

AVG7 Shell Extension(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {CLSID}\InProcServer32(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

Symantec.Norton.Antivirus.IEContextMenu(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

-> {CLSID}\InProcServer32(Default) = "D:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Default executables:


.SCR: HKLM\SOFTWARE\Classes\AutoCADScript\shell\open\command\

INFECTION WARNING! "Default" = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]

Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Administrator" & "All Users" startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Enabled Scheduled Tasks:


"Norton AntiVirus - Skanuj komputer - Administrator" -> launches: "D:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]

-> {CLSID}\InProcServer32(Default) = "D:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):


AVG7 Alert Manager Server, Avg7Alrt, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]

Norton AntiVirus Auto-Protect Service, navapsvc, ""D:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]

Norton AntiVirus Firewall Monitor Service, NPFMntor, "D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]

Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]

Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]

Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:


HKLM\System\CurrentControlSet\Control\Print\Monitors\

adimon\Driver = "C:\WINDOWS\system32\adimon.dll" ["Autodesk, Inc."]

Lexmark Z600 Color Jetprinter LangMon\Driver = "LXBCSLM.DLL" ["Lexmark"]


  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 44 seconds, including 18 seconds for message boxes)

And this is the report from Panda ActiveScan:

Event                    Location
spyware/marketscore      C:\WINDOWS\SYSTEM32\rk.bin
spyware/new.net          C:\WINDOWS\NDNuninstall6_98.exe
adware/ist.istbar        C:\PROGRAM FILES\COMMON FILES\Totem Shared
spyware/altnet           Windows Registry
Spyware/New.net          C:\WINDOWS\NDNuninstall6_98.exe
Spyware/LinkReplacer     C:\WINDOWS\system32\PreUninstallHL.exe


(Gutek) #8

They're not visible anywhere, so:

delete the files manually in Safe Mode

Install Ewido http://www.searchengines.pl/phpbb203/lo ... 16762.html - update it and scan the computer :wink:


(Vincent77) #9

Are you sure that C:\WINDOWS\NDNuninstall6_98.exe has to be deleted???? Because it tells me here that it's a system file and something might stop working??? hehe :lol:


(Gutek) #10

C:\WINDOWS\NDNuninstall6_98.exe is Adware.NewDotNet, I'm sure. Use Pocket Killbox. Tick the Delete on Reboot and All Files options, and in the Full Path of File to Delete field paste the paths

C:\WINDOWS\System32\rk.bin

C:\WINDOWS\System32\PreUninstallHL.exe

C:\WINDOWS\NDNuninstall6_98.exe and press the red X. The program will ask to restart the computer ... so restart.
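Why "Delete on Reboot" works when a plain delete does not: a file that a running process holds open cannot be removed, but Windows will carry out a deferred delete early in the next boot, before anything has reopened it. Killbox's internals are not shown in this thread; the assumption in the added example below (not code from the thread or from Killbox) is that it uses the standard mechanism, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends the request to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, processed by smss.exe at boot. The code builds and parses that value for the three paths given above, and shows the one trap in the format: a delete is a source path followed by an empty string, so the raw data contains the double NUL that a naive multi-string reader treats as the end of the list. The same value is worth reading during incident response, because malware uses the mechanism too, to swap system files or to clean up after itself.

```python
import sys
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = '\\??\\'             # entries use the NT object-manager path form
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


@dataclass
class PendingOp:
    src: str
    dst: Optional[str]               # None: delete src at boot
    replace_existing: bool = False   # encoded as a leading '!' on dst


def encode_pending_ops(ops: List[PendingOp]) -> bytes:
    """Build the REG_MULTI_SZ payload: src\\0dst\\0 pairs, then a final \\0.
    A delete has an empty dst, so \\0\\0 legitimately appears mid-buffer."""
    strings = []
    for op in ops:
        strings.append(NT_PREFIX + op.src)
        if op.dst is None:
            strings.append('')
        else:
            strings.append(('!' if op.replace_existing else '') + NT_PREFIX + op.dst)
    return (''.join(s + '\0' for s in strings) + '\0').encode('utf-16-le')


def strip_prefix(p: str) -> str:
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def decode_pending_ops(data: bytes) -> List[PendingOp]:
    """Walk the whole buffer as consecutive NUL-terminated strings, never
    stopping at the first empty one, and pair them up as the boot-time
    processing does."""
    text = data.decode('utf-16-le')
    if text.endswith('\0'):
        text = text[:-1]                 # list terminator
    parts = text.split('\0')
    if parts and parts[-1] == '':
        parts.pop()                      # artifact of the last string's own terminator
    if len(parts) % 2:
        raise ValueError('odd number of strings: not a valid src/dst list')
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        replace = dst.startswith('!')
        dst = dst[1:] if replace else dst
        ops.append(PendingOp(strip_prefix(src), strip_prefix(dst) if dst else None, replace))
    return ops


def schedule_delete_on_reboot(path: str) -> None:
    """Windows only, needs admin: the call a 'Delete on Reboot' button makes."""
    if sys.platform != 'win32':
        raise OSError('MoveFileExW is only available on Windows')
    import ctypes
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()


if __name__ == '__main__':
    # The three paths from the post above, queued for deletion at next boot.
    queued = [PendingOp(r'C:\WINDOWS\System32\rk.bin', None),
              PendingOp(r'C:\WINDOWS\System32\PreUninstallHL.exe', None),
              PendingOp(r'C:\WINDOWS\NDNuninstall6_98.exe', None)]
    blob = encode_pending_ops(queued)
    for op in decode_pending_ops(blob):
        print('DELETE' if op.dst is None else 'RENAME', op.src, op.dst or '')
```

On a live system the value can be read with reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations (on XP it is absent until something schedules an operation), and the bytes it returns decode with decode_pending_ops. The ValueError on an odd string count is deliberate: a truncated or hand-edited value is exactly what you do not want to reason about as if it were complete.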


(Vincent77) #11

HOORAY!!!

spyware/altnet in Windows Registry

and what do I do with that junk??? :wink:


(Gutek) #12

Meaning which files? Did you delete everything?


(Vincent77) #13

I deleted these files as you advised:

C:\WINDOWS\SYSTEM32\rk.bin

C:\PROGRAM FILES\COMMON FILES\Totem Shared

C:\WINDOWS\NDNuninstall6_98.exe

C:\WINDOWS\system32\PreUninstallHL.exe


(Gutek) #14

You deleted them, and now what else does it show?

spyware/altnet in Windows Registry??? - use RegCleaner or jv16 PowerTools

But show me a screenshot of the infection :wink:


(Vincent77) #15

Yes. I deleted those 4 files on C:\ and Panda online (but only that one) still detects spyware/altnet in Windows Registry.

And I don't know how to paste a screenshot :lol:

Merged post: 18.12.2005 (Sun) 15:11

Thank you all very much for your help!!!