Problem with GG and NetLimiter, connections going haywire - logs


(Bizon Robert) #1

Hi. For two days I've had a problem with GG that I can't solve... Namely, I keep getting banned on GG for sending spam or something else... But the problem probably lies somewhere else. I use NetLimiter to limit the bandwidth of a given process (e.g. uTorrent) so as not to clog the local network. I noticed something like this... I download something with Opera, and in NetLimiter the IP address I'm downloading from shows up under the gg.exe process O_o But that's nothing... uTorrent, the same thing... I often find the same IP addresses from the peer list under gg.exe... At first I thought it was NetLimiter's fault, but I installed xNetStat and removed NetLimiter, and it's the same... Then I thought about some bug (malware), but no spyware remover helped, just a few adware items, tracking cookies etc...

I can't work normally without GG, and changing my number is out of the question. If it helps, I'm attaching a HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2 

Scan saved at 15:51, on 2007-10-05 

Platform: Windows Vista (WinNT 6.00.1904) 

MSIE: Internet Explorer v7.00 (7.00.6000.16512) 

Boot mode: Normal 


Running processes: 

C:\Windows\system32\Dwm.exe 

C:\Windows\Explorer.EXE 

C:\Program Files\Windows Defender\MSASCui.exe 

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe 

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe 

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 

C:\Windows\system32\taskeng.exe 

C:\Program Files\Alwil Software\Avast4\ashDisp.exe 

C:\Program Files\Notebook Hardware Control\nhc.exe 

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE 

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe 

C:\Program Files\Synaptics\SynTP\SynToshiba.exe 

C:\Windows\RtHDVCpl.exe 

C:\Windows\WindowsMobile\wmdSync.exe 

C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe 

C:\Program Files\DAEMON Tools\daemon.exe 

C:\Windows\ehome\ehtray.exe 

C:\Windows\ehome\ehmsas.exe 

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe 

C:\Program Files\Gadu-Gadu\gg.exe 

C:\Program Files\Opera\Opera.exe 

C:\Program Files\Mozilla Thunderbird\thunderbird.exe 

C:\Windows\notepad.exe 

C:\Windows\system32\cmd.exe 

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe 

C:\Windows\system32\DllHost.exe 

C:\ComboFix\ERUNT.cfexe 


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O1 - Hosts: ::1 localhost 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll 

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide 

O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE 

O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe 

O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe 

O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP 

O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL 

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 

O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe 

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe 

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe 

O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe 

O4 - HKLM\..\Run: [OODefragTray] C:\Windows\system32\oodtray.exe 

O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet 

O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe 

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" 

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe 

O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe 

O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE 

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe 

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray 

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA LOKALNA') 

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'USŁUGA LOKALNA') 

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA SIECIOWA') 

O4 - Global Startup: Bluetooth Manager.lnk = ? 

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll 

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll 

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll 

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll 

O9 - Extra button: eBay - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/4908-44618-9400-3/4 (file missing) 

O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing) 

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL 

O13 - Gopher Prefix: 

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab 

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll 

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe 

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe 

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe 

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe 

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe 

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe 

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe 

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe 

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe 

O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe 

O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - D:\Gry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe 

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe 

O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe 

O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe 

O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe 

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe 

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe 


-- 

End of file - 7739 bytes

SmitFraudFix log:

SmitFraudFix v2.237 


Scan done at 15:50:26,69, 2007-10-05 

Run from C:\Windows\System32\SmitfraudFix 

OS: Microsoft Windows [Wersja 6.0.6000] - Windows_NT 

The filesystem type is NTFS 

Fix run in normal mode 


»»»»»»»»»»»»»»»»»»»»»»»» Process 


C:\Windows\system32\csrss.exe 

C:\Windows\system32\wininit.exe 

C:\Windows\system32\csrss.exe 

C:\Windows\system32\services.exe 

C:\Windows\system32\lsass.exe 

C:\Windows\system32\lsm.exe 

C:\Windows\system32\winlogon.exe 

C:\Windows\system32\svchost.exe 

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe 

C:\Windows\system32\svchost.exe 

C:\Windows\System32\svchost.exe 

C:\Windows\system32\Ati2evxx.exe 

C:\Windows\System32\svchost.exe 

C:\Windows\System32\svchost.exe 

C:\Windows\system32\svchost.exe 

C:\Windows\system32\SLsvc.exe 

C:\Windows\system32\svchost.exe 

C:\Windows\system32\Ati2evxx.exe 

C:\Windows\system32\svchost.exe 

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 

C:\Program Files\Alwil Software\Avast4\ashServ.exe 

C:\Windows\system32\Dwm.exe 

C:\Windows\Explorer.EXE 

C:\Windows\System32\spoolsv.exe 

C:\Program Files\Windows Defender\MSASCui.exe 

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe 

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe 

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 

C:\Windows\system32\svchost.exe 

C:\Windows\system32\taskeng.exe 

C:\Program Files\Alwil Software\Avast4\ashDisp.exe 

C:\Program Files\Notebook Hardware Control\nhc.exe 

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE 

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe 

C:\Program Files\Synaptics\SynTP\SynToshiba.exe 

C:\Windows\RtHDVCpl.exe 

C:\Windows\WindowsMobile\wmdSync.exe 

C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe 

C:\Program Files\DAEMON Tools\daemon.exe 

C:\Windows\ehome\ehtray.exe 

C:\Windows\ehome\ehmsas.exe 

C:\Windows\system32\agrsmsvc.exe 

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe 

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe 

C:\Windows\system32\svchost.exe 

C:\Windows\system32\svchost.exe 

C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe 

C:\Windows\system32\TODDSrv.exe 

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe 

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe 

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe 

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe 

C:\Windows\System32\svchost.exe 

C:\Windows\system32\SearchIndexer.exe 

C:\Windows\system32\svchost.exe 

C:\Windows\system32\taskeng.exe 

C:\Program Files\Gadu-Gadu\gg.exe 

C:\Program Files\Opera\Opera.exe 

C:\Program Files\Mozilla Thunderbird\thunderbird.exe 

C:\Windows\system32\cmd.exe 

C:\Windows\system32\wbem\wmiprvse.exe 


»»»»»»»»»»»»»»»»»»»»»»»» hosts 


hosts file corrupted ! 


127.0.0.1 legal-at-spybot.info 

127.0.0.1 www.legal-at-spybot.info 


»»»»»»»»»»»»»»»»»»»»»»»» C:\ 



»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows 



»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system 



»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web 



»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32 



»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles 



»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\SGR 



»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\SGR\Application Data 



»»»»»»»»»»»»»»»»»»»»»»»» Start Menu 



»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\SGR\FAVORI~1 



»»»»»»»»»»»»»»»»»»»»»»»» Desktop 



»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 



»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys 



»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components 




»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler 

!Attention, following keys are not inevitably infected! 


SrchSTS.exe by S!Ri 

Search SharedTaskScheduler's .dll 


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] 

"{E31004D1-A431-41B8-826F-E902F9D95C81}"="Windows DreamScene" 


[HKEY_CLASSES_ROOT\CLSID\{E31004D1-A431-41B8-826F-E902F9D95C81}\InProcServer32] 

@="%SystemRoot%\System32\DreamScene.dll" 


[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E31004D1-A431-41B8-826F-E902F9D95C81}\InProcServer32] 

@="%SystemRoot%\System32\DreamScene.dll" 




»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs 

!Attention, following keys are not inevitably infected! 


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] 

"AppInit_DLLs"="" 

"LoadAppInit_DLLs"=dword:00000000 



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System 

!Attention, following keys are not inevitably infected! 


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 



»»»»»»»»»»»»»»»»»»»»»»»» Rustock 




»»»»»»»»»»»»»»»»»»»»»»»» DNS 


Description: Realtek RTL8101 Family PCI-E Fast Ethernet NIC (NDIS 6.0) 

DNS Server Search Order: 194.204.159.1 

DNS Server Search Order: 194.204.152.34 


HKLM\SYSTEM\CCS\Services\Tcpip\..\{1C505E08-3423-425A-8FE2-959AABBF7270}: DhcpNameServer=194.204.159.1 194.204.152.34 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{75F63330-5F77-4E6B-A483-34D27D7BA46A}: DhcpNameServer=192.168.0.1 

HKLM\SYSTEM\CS1\Services\Tcpip\..\{1C505E08-3423-425A-8FE2-959AABBF7270}: DhcpNameServer=194.204.159.1 194.204.152.34 

HKLM\SYSTEM\CS1\Services\Tcpip\..\{75F63330-5F77-4E6B-A483-34D27D7BA46A}: DhcpNameServer=192.168.0.1 

HKLM\SYSTEM\CS2\Services\Tcpip\..\{1C505E08-3423-425A-8FE2-959AABBF7270}: DhcpNameServer=194.204.159.1 194.204.152.34 

HKLM\SYSTEM\CS2\Services\Tcpip\..\{75F63330-5F77-4E6B-A483-34D27D7BA46A}: DhcpNameServer=192.168.0.1 

HKLM\SYSTEM\CS3\Services\Tcpip\..\{1C505E08-3423-425A-8FE2-959AABBF7270}: DhcpNameServer=194.204.159.1 194.204.152.34 

HKLM\SYSTEM\CS3\Services\Tcpip\..\{75F63330-5F77-4E6B-A483-34D27D7BA46A}: DhcpNameServer=192.168.0.1 

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 194.204.152.34 

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 194.204.152.34 

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.204.159.1 194.204.152.34 



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection 



»»»»»»»»»»»»»»»»»»»»»»»» End

(the hosts issues are caused by Spybot and its immunization)

and ComboFix
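The observation in the post above (torrent peer addresses shown under gg.exe) is a question of which process really owns a socket. NetLimiter and xNetStat attribute connections through their own filter drivers; the check a practitioner wants is an independent attribution from the operating system itself, i.e. `netstat -ano` (or `netstat -anob` from an elevated prompt, which also prints the image name) cross-referenced with `tasklist`. The following script is an added example, not code from the original post or from any of the tools it mentions. It parses constructed copies of `netstat -ano` and `tasklist /fo csv` output (all PIDs and addresses are made up; 203.0.113.x and 198.51.100.x are documentation ranges, and port 8074 is assumed to be the GG server port) and reports remote hosts that two different processes are connected to at the same time.

```python
"""Cross-check which process owns a connection using netstat and tasklist output.

Added example, not from the original post. The two samples below are
constructed copies of Windows `netstat -ano` and `tasklist /fo csv` output.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample: gg.exe (PID 2324) talks to its server and, suspiciously,
# to the same torrent peer as uTorrent.exe (PID 3104). PIDs/IPs are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.0.10:49152     203.0.113.5:8074       ESTABLISHED     2324
  TCP    192.168.0.10:49201     198.51.100.77:51413    ESTABLISHED     3104
  TCP    192.168.0.10:49202     198.51.100.77:51413    ESTABLISHED     2324
  TCP    192.168.0.10:49210     198.51.100.78:6881     ESTABLISHED     3104
  TCP    192.168.0.10:49230     203.0.113.40:80        ESTABLISHED     1800
  UDP    0.0.0.0:6881           *:*                                    3104
"""

# Constructed sample of `tasklist /fo csv`; process names are assumptions.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","812","Services","0","8 200 K"
"Opera.exe","1800","Console","1","60 004 K"
"gg.exe","2324","Console","1","12 345 K"
"uTorrent.exe","3104","Console","1","20 111 K"
"""

# proto, local, remote, optional state (UDP rows have none), pid
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def parse_netstat(text):
    """Return a list of (proto, local, remote, state, pid) from `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, remote, state, pid = m.groups()
        conns.append((proto, local, remote, state or "", int(pid)))
    return conns


def remote_host(addr):
    """Drop the port: '198.51.100.77:51413' -> '198.51.100.77', '[::1]:80' -> '::1'."""
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")


def remotes_by_process(netstat_text, tasklist_text):
    """Map image name -> set of remote hosts that process currently has a socket to."""
    names = parse_tasklist(tasklist_text)
    by_proc = defaultdict(set)
    for _proto, _local, remote, _state, pid in parse_netstat(netstat_text):
        host = remote_host(remote)
        if host in ("*", "0.0.0.0", "::"):
            continue  # listening or unbound socket, no peer yet
        by_proc[names.get(pid, f"pid {pid}")].add(host)
    return dict(by_proc)


def shared_remotes(by_proc):
    """Return {remote host: sorted process names} for hosts reached by more than one process."""
    owners = defaultdict(set)
    for proc, hosts in by_proc.items():
        for host in hosts:
            owners[host].add(proc)
    return {host: sorted(procs) for host, procs in owners.items() if len(procs) > 1}


if __name__ == "__main__":
    table = remotes_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for proc, hosts in sorted(table.items()):
        print(f"{proc:14} -> {', '.join(sorted(hosts))}")
    for host, procs in shared_remotes(table).items():
        print(f"shared peer {host}: {' and '.join(procs)}")
```

On a real machine, replace the two samples with the captured output of the commands. If the kernel's own table (`netstat -ano`) also lists the torrent peer under gg.exe's PID, the socket genuinely belongs to that process (for example, code running inside it); if it does not, the third-party monitor was misattributing and the GG ban has to be explained some other way.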


(Gutek) #2

The log is clean.
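The "hosts file corrupted !" line in the SmitFraudFix log above and the "log is clean" verdict are not in conflict: SmitFraudFix flags any non-default hosts entry, while what matters is whether an entry sinkholes a name to loopback (a blocklist or immunization entry such as Spybot's `legal-at-spybot.info` marker) or redirects it to some other address (a hijack). The script below is an added example, not part of the thread or of SmitFraudFix; the hosts file content is constructed (the two Spybot lines are copied from the log, the `www.avast.com` block and the `www.example-bank.test` redirect are made-up findings), and the vendor-domain list is a short illustrative set.

```python
"""Classify hosts-file entries: loopback alias, sinkhole or redirect.

Added example, not from the original thread. HOSTS_SAMPLE is constructed;
only the two legal-at-spybot.info lines come from the posted log.
"""
import ipaddress

HOSTS_SAMPLE = """\
# Windows default entries
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.avast.com            # constructed: would block AV updates
198.51.100.9   www.example-bank.test   # constructed: redirect to a non-loopback host
"""

# Illustrative set of domains whose sinkholing is a classic malware trick
# (blocking updates and vendor sites); extend for your own environment.
SECURITY_VENDOR_DOMAINS = ("avast.com", "microsoft.com",
                           "windowsupdate.com", "safer-networking.org")


def parse_hosts(text):
    """Return [(ip, hostname), ...] with comments and blank lines removed."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def classify(ip, name):
    """'loopback' for localhost aliases, 'sinkhole' for names pointed at
    loopback/unspecified addresses, 'redirect' for anything else."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if name in ("localhost", "localhost.localdomain"):
        return "loopback"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"
    return "redirect"


def suspicious_entries(entries):
    """Return (ip, name, reason) for entries a responder should look at:
    redirects to real addresses, and sinkholes of security-vendor domains."""
    findings = []
    for ip, name in entries:
        kind = classify(ip, name)
        if kind == "redirect":
            findings.append((ip, name, "redirect to non-loopback address"))
        elif kind == "sinkhole" and name.endswith(SECURITY_VENDOR_DOMAINS):
            findings.append((ip, name, "sinkhole blocks security vendor"))
        elif kind == "malformed":
            findings.append((ip, name, "unparseable address"))
    return findings


if __name__ == "__main__":
    # On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts
    parsed = parse_hosts(HOSTS_SAMPLE)
    for ip, name in parsed:
        print(f"{classify(ip, name):9} {ip:15} {name}")
    for ip, name, reason in suspicious_entries(parsed):
        print(f"CHECK: {ip} {name} ({reason})")
```

Run against the real file, the two Spybot marker lines come out as plain sinkholes and raise no finding, which is exactly the situation in this thread; a `redirect` hit, or a sinkhole on an update or AV domain, is what would actually contradict a "clean" verdict.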