Dziwna infekcja. Niekontrolowane rozsyłanie wiadomości

Khaoss · 22 Grudzień 2006 16:02

Witam,

Piszę ponieważ nie mogę sobie poradzić z poniższym problemem. Przejrzałem to forum w szerz i wzdłuż, ale problemu nie udało mi się zlikwidować. Używam programu Norton AntiVirus + Kaspersky Anti-Hacker Firewall. Pewnego dnia zauważyłem, że skaner poczty zaczął wyświetlać na pulpicie okienka skanowanych wiadomości. Zasypało mi cały pulpit. Jakiś robak pomyślałem i wziąłem się za czyszczenie kompa.

Update Nortona + skan, czysto. Update mks_vir online, czysto, Update Ad-aware + skan, jakieś pierdoły. Update Trojan-remover + skan jakieś 3 trojany. Problem zniknął na około miesiąc czasu. Od dwóch dni jednak pojawił się na nowo. Jedyne co blokuje uruchamianie się skanera i rozsyłanie jakichś wiadomości pod przypadkowe adresy to rozłączenie się z siecią lub ustawienie w Kasperskym security level na “Block All”, ale to oczywiście jest jednoznaczne z brakiem możliwości korzystania z siecią.

Wykonałem niezbędne update’y i komp wydaje się czysty. Skorzystałem z Windows Worms Door Cleaner i Hijackthis w trybie awaryjnym systemu. Usunąłem podejrzane wpisy. Restart kompa + ponowny skan. Problem nadal występuję. Można go zblokować, ale co kilkanaście minut daje o sobie znać praktycznie uniemożliwiając jakąkolwiek pracę.

Nawet jeśli ten problem się nie pojawia to Kaspersky zgłasza albo blokowanie ataku Helkern, albo SYN flood attack, a nawet coś czego nazwy nie pamiętam… jakieś DDos denied service albo coś w tym stylu.

Przyznam się, że jestem kompletnie zrezygnowany i wizja formatowania staje się co raz bliższa…

Może ktoś podsunie mi jakiś pomysł??

Poniżej załączam świeżutkiego log’a.

Logfile of HijackThis v1.99.1 Scan saved at 17:01:32, on 2006-12-22 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe C:\Program Files\Common Files\AOL\1160965721\ee\aolsoftware.exe c:\program files\common files\aol\1160965721\ee\aexplore.exe C:\Documents and Settings\Centaur\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Macromedia Flash - {AD03571F-C182-D851-A69F-96C80BF4B23B} - C:\WINDOWS\system\dlgctl32.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM…\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{5CF0D6A7-43F5-41C8-844A-BD9A934B51EC}: NameServer = 194.204.152.34 217.98.63.164 O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll O20 - AppInit_DLLs: O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Bieniol · 22 Grudzień 2006 16:06

W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):

Po zabiegach nowy log z Hijacka + log z Silent Runners

Khaoss · 22 Grudzień 2006 16:34

Dzięki za bardzo szybką reakcję i pomoc! W trybie awaryjnym usunąłem wpisy w Hijackthis. Podczas usuwania AppInit_DLLs pojawił się błąd, ale wpis zniknął z loga. Niestety nie odnalazłem żadnych folderów i plików na dysku twardym. Mimo tego, że w przypadku dlgctl32.dll jest podana pełna ścieżka dostępu… Szukałem tych plików wyszukiwarką, ale również nic nie namierzyła. Nie wiem jak to rozumieć.

Poniżej nowy Log z Hijackthis:

Logfile of HijackThis v1.99.1 Scan saved at 17:36:32, on 2006-12-22 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe C:\Program Files\Common Files\AOL\1160965721\ee\aolsoftware.exe c:\program files\common files\aol\1160965721\ee\aexplore.exe C:\Documents and Settings\Centaur\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM…\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{5CF0D6A7-43F5-41C8-844A-BD9A934B51EC}: NameServer = 194.204.152.34 217.98.63.164 O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

A tutaj ze Silent Runner’a

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “{783297FE-0670-1045-1126-040426050030}” = ““C:\Program Files\Common Files{783297FE-0670-1045-1126-040426050030}\Update.exe” mc-110-12-0000272” [file not found] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “STYLEXP” = “C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “TrojanScanner” = “C:\Program Files\Trojan Remover\Trjscan.exe” [“Simply Super Software”] “ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = “NAV Helper” -> {HKLM…CLSID} = “CNavExtBho Class” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}” = “Skladnik rozszerzenia powloki CorelDRAW” -> {HKLM…CLSID} = “CorelDRAW Shell Extension Component” \InProcServer32(Default) = “C:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll” [null data] “{52B87208-9CCF-42C9-B88E-069281105805}” = “Trojan Remover Shell Extension” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ <> “{3E898EEA-FEFA-451b-ACF2-7561F94B1191}” = “gkj” -> {HKCU…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\ert.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” -> {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” -> {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\ACD Wallpaper.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\ACD Wallpaper.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Centaur” & “All Users” startup folders: --------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Gamma Loader” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] “Kaspersky Anti-Hacker” -> shortcut to: “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe /silence” [“Kaspersky Lab”] Enabled Scheduled Tasks: ------------------------ “Norton AntiVirus - Scan my computer - Centaur” -> launches: “C:\PROGRA~1\NORTON~1\NORTON~3\Navw32.exe /task:“C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”] “Norton SystemWorks One Button Checkup” -> launches: “C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE /AUTO” [“Symantec Corporation”] “Symantec Drmc” -> launches: “C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE” [“Symantec Corporation”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” -> {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” = “Norton AntiVirus” -> {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] “{327C2873-E90D-4C37-AA9D-10AC9BABA46C}” = “Easy-WebPrint” -> {HKLM…CLSID} = “Easy-WebPrint” \InProcServer32(Default) = “C:\Program Files\Canon\Easy-WebPrint\Toolband.dll” [null data] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{03C1C47F-0538-4645-8372-D3109B9FC636}(Default) = “Easy-WebPrint” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Canon\Easy-WebPrint\Toolband.dll” [null data] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- ASP.NET State Service, aspnet_state, “C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe” [MS] Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] ATI Smart, ATI Smart, “C:\WINDOWS\system32\ati2sgag.exe” [empty string] Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ““C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe”” [“Symantec Corporation”] HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\System32\wbem\wmiapsrv.exe” [MS] LiveUpdate, LiveUpdate, ““C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE”” [“Symantec Corporation”] Norton AntiVirus Auto-Protect Service, navapsvc, ““C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe”” [“Symantec Corporation”] Norton AntiVirus Firewall Monitor Service, NPFMntor, ““C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe”” [“Symantec Corporation”] Norton Unerase Protection, NProtectService, “C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE” [“Symantec Corporation”] SAVScan, SAVScan, ““C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe”” [“Symantec Corporation”] ScriptBlocking Service, SBService, “C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe” [“Symantec Corporation”] Speed Disk service, Speed Disk service, “C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE” [“Symantec Corporation”] StyleXPService, StyleXPService, ““C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe”” [empty string] Symantec Core LC, Symantec Core LC, “C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe” [“Symantec Corporation”] Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”] Symantec Network Drivers Service, SNDSrvc, ““C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”] Symantec Password Validation, ccPwdSvc, ““C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe”” [“Symantec Corporation”] Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”] Symantec SPBBCSvc, SPBBCSvc, ““C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe”” [“Symantec Corporation”] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\mspmsnsv.dll” [MS]} Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor iP2200\Driver = “CNMLM74.DLL” [“CANON INC.”] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 59 seconds, including 18 seconds for message boxes)

adam9870 · 22 Grudzień 2006 16:39

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:

C:\WINDOWS\system32\ert.dll

Klikasz X czerwony i restart kompa.

Otwórz notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG i uruchom go w trybie awaryjnym.

Po wykonaniu pokaż nowy log z Silenta.

Khaoss · 22 Grudzień 2006 16:58

Witam

Piękne dzięki za kolejną podpowiedź

OK, wszystko zrobione zgodnie z podaną instrukcją.

Poniżej nowy log z Silent Runner’a

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “STYLEXP” = “C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “TrojanScanner” = “C:\Program Files\Trojan Remover\Trjscan.exe” [“Simply Super Software”] “ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = “NAV Helper” - {HKLM…CLSID} = “CNavExtBho Class” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” - {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}” = “Skladnik rozszerzenia powloki CorelDRAW” - {HKLM…CLSID} = “CorelDRAW Shell Extension Component” \InProcServer32(Default) = “C:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll” [null data] “{52B87208-9CCF-42C9-B88E-069281105805}” = “Trojan Remover Shell Extension” - {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” - {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ “{3E898EEA-FEFA-451b-ACF2-7561F94B1191}” = “gkj” - {HKCU…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\ert.dll” [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” - {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” - {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” - {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” - {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\ACD Wallpaper.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\ACD Wallpaper.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Centaur” “All Users” startup folders: --------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Gamma Loader” - shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] “Kaspersky Anti-Hacker” - shortcut to: “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe /silence” [“Kaspersky Lab”] Enabled Scheduled Tasks: ------------------------ “Norton AntiVirus - Scan my computer - Centaur” - launches: “C:\PROGRA~1\NORTON~1\NORTON~3\Navw32.exe /task:“C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”] “Norton SystemWorks One Button Checkup” - launches: “C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE /AUTO” [“Symantec Corporation”] “Symantec Drmc” - launches: “C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE” [“Symantec Corporation”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” - {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” = “Norton AntiVirus” - {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] “{327C2873-E90D-4C37-AA9D-10AC9BABA46C}” = “Easy-WebPrint” - {HKLM…CLSID} = “Easy-WebPrint” \InProcServer32(Default) = “C:\Program Files\Canon\Easy-WebPrint\Toolband.dll” [null data] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{03C1C47F-0538-4645-8372-D3109B9FC636}(Default) = “Easy-WebPrint” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Canon\Easy-WebPrint\Toolband.dll” [null data] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) - {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ““C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe”” [“Symantec Corporation”] Norton AntiVirus Firewall Monitor Service, NPFMntor, ““C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe”” [“Symantec Corporation”] Norton Unerase Protection, NProtectService, “C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE” [“Symantec Corporation”] Speed Disk service, Speed Disk service, “C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE” [“Symantec Corporation”] StyleXPService, StyleXPService, ““C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe”” [empty string] Symantec Core LC, Symantec Core LC, “C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe” [“Symantec Corporation”] Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”] Symantec Network Drivers Service, SNDSrvc, ““C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”] Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”] Symantec SPBBCSvc, SPBBCSvc, ““C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe”” [“Symantec Corporation”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor iP2200\Driver = “CNMLM74.DLL” [“CANON INC.”] ---------- : Suspicious data at a malware launch point. : Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 51 seconds. ---------- (total run time: 90 seconds)

adam9870 · 22 Grudzień 2006 17:02

Hmm… start => uruchom => wpisz regedit i kliknij ok => przejdź do lokalizacji:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

i będąc tam skasuj z prawokliku {3E898EEA-FEFA-451b-ACF2-7561F94B1191}

Potem możesz pokazać nowy log z Silenta.

Khaoss · 22 Grudzień 2006 17:13

Dzięki!

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “STYLEXP” = “C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “TrojanScanner” = “C:\Program Files\Trojan Remover\Trjscan.exe” [“Simply Super Software”] “ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = “NAV Helper” - {HKLM…CLSID} = “CNavExtBho Class” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” - {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}” = “Skladnik rozszerzenia powloki CorelDRAW” - {HKLM…CLSID} = “CorelDRAW Shell Extension Component” \InProcServer32(Default) = “C:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll” [null data] “{52B87208-9CCF-42C9-B88E-069281105805}” = “Trojan Remover Shell Extension” - {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” - {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” - {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” - {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}” - {HKLM…CLSID} = “IEContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” - {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\ACD Wallpaper.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\ACD Wallpaper.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Centaur” “All Users” startup folders: --------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Gamma Loader” - shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] “Kaspersky Anti-Hacker” - shortcut to: “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe /silence” [“Kaspersky Lab”] Enabled Scheduled Tasks: ------------------------ “Norton AntiVirus - Scan my computer - Centaur” - launches: “C:\PROGRA~1\NORTON~1\NORTON~3\Navw32.exe /task:“C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”] “Norton SystemWorks One Button Checkup” - launches: “C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE /AUTO” [“Symantec Corporation”] “Symantec Drmc” - launches: “C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE” [“Symantec Corporation”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” - {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” = “Norton AntiVirus” - {HKLM…CLSID} = “Norton AntiVirus” \InProcServer32(Default) = “C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”] “{327C2873-E90D-4C37-AA9D-10AC9BABA46C}” = “Easy-WebPrint” - {HKLM…CLSID} = “Easy-WebPrint” \InProcServer32(Default) = “C:\Program Files\Canon\Easy-WebPrint\Toolband.dll” [null data] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{03C1C47F-0538-4645-8372-D3109B9FC636}(Default) = “Easy-WebPrint” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Canon\Easy-WebPrint\Toolband.dll” [null data] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) - {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ““C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe”” [“Symantec Corporation”] Norton AntiVirus Auto-Protect Service, navapsvc, ““C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe”” [“Symantec Corporation”] Norton AntiVirus Firewall Monitor Service, NPFMntor, ““C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe”” [“Symantec Corporation”] Norton Unerase Protection, NProtectService, “C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE” [“Symantec Corporation”] Speed Disk service, Speed Disk service, “C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE” [“Symantec Corporation”] StyleXPService, StyleXPService, ““C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe”” [empty string] Symantec Core LC, Symantec Core LC, “C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe” [“Symantec Corporation”] Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”] Symantec Network Drivers Service, SNDSrvc, ““C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”] Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”] Symantec SPBBCSvc, SPBBCSvc, ““C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe”” [“Symantec Corporation”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor iP2200\Driver = “CNMLM74.DLL” [“CANON INC.”] ---------- : Suspicious data at a malware launch point. : Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 37 seconds. ---------- (total run time: 80 seconds)

Bieniol · 22 Grudzień 2006 17:33

Czysto

Czy jest jeszcze problem?

Khaoss · 22 Grudzień 2006 17:41

Przed sekundą pojawił się komunikat w Kasperskym - o wykryciu ataku typu Helkern, ale skaner poczty na razie milczy. Dopóki atak jest blokowany z ustawieniem firewall’a na medium to jest OK. Po to jest, żeby blokował Najważniejsze, że pulpit mam czysty i mogę normalnie działać.

Ogromne dzięki za pomoc!

Bieniol · 22 Grudzień 2006 17:43

Skoro ataki są blokowane, to nie masz się czym przejmować