Nawirusowany link ;/ problem z gg

langi91 · 26 Grudzień 2006 13:15

Otóż to, bylem na tyle tępny ze wszedlem w linka, ktorego dostalem od kolezanki… nie myslalem ze to cos zlego gdyz mial on rozszezenie .jpg: "!

Bieniol · 26 Grudzień 2006 13:33

Już dzisiaj dwa razy to dostałem, więc nowe fałszywe łańcuszki krążą

W logu nic nie widać - czysto. Wrzuć jeszcze log z Silent Runners

Co do bana na gg, to musisz odczekać kilkanaście godzin

langi91 · 26 Grudzień 2006 14:12

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "bho2gr Class"

                   \InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]

{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Megaupload Toolbar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]

"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"

  -> {HKLM...CLSID} = "eLicense Control"

                   \InProcServer32\(Default) = "C:\WINDOWS\lcmmfu.cpl" [null data]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"

  -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"

                   \InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\Krystian\Moje dokumenty\Moje obrazy\różne\tapetka.JPG"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Krystian\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Scheduled Tasks:

------------------------


"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"

  -> {HKLM...CLSID} = "Megaupload Toolbar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)

  -> {HKLM...CLSID} = "Megaupload Toolbar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_07"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" ["Sun Microsystems, Inc."]



Miscellaneous IE Hijack Points

------------------------------


HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

<> "TuneUp" = "file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]



HOSTS file

----------


C:\WINDOWS\System32\drivers\etc\HOSTS


maps: 4 domain names to IP addresses,

      3 of the IP addresses are *not* localhost!



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

LicCtrl Service, LicCtrlService, "C:\WINDOWS\runservice.exe" [null data]

SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" ["Sony DADC Austria AG."]

StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



----------

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 822 seconds, including 22 seconds for message boxes)

Prosze… a nie wydaje sie dziwne:

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

??

Powiem tylko ze po tym wszystkim w liscie procesow sie pokazal ten proces i nie da sie go zakonczyc…

Pozdr.

Bieniol · 26 Grudzień 2006 14:31

Ten log jest również czysty. Proces, o którym mówisz jest od firmy Sony. Jeżeli chcesz się pozbyć, to Start -> Uruchom -> services.msc -> zatrzymaj i wyłącz usługę: SecuROM User Access Service (V7)

langi91 · 26 Grudzień 2006 14:40

Czyli komp jest czysty? Moj kochany firefox nie przepuscil zadnego gowienka ? A bana na gg mam przez spam tym linkiem tak?, czy mozna przyspieszyc odblokowanie konta?

PS: do czego sluzy ten proces firmy sony?

Bieniol · 26 Grudzień 2006 14:45

O procesie poczytaj tutaj -> http://www.liutilities.com/products/win … aservice7/

Komp masz czysty, a momentu odblokowania gg niestety nie da się przyspieszyć - musisz cierpliwie czekać