calma
(Calma E Fredda)
18 October 2006 20:36
#1
Someone is breaking into my gg, and an antivirus scan found nothing. Thanks in advance for the help.
Logfile of HijackThis v1.99.1
Scan saved at 22:28:52, on 2006-10-18
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office\1045\msoffice.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Documents and Settings\zosia\Pulpit\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C15F0EB-FF5F-40B1-BBCB-26045F43BB7C}: NameServer = 80.244.128.1,80.244.128.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE45E2A7-9199-4C59-B285-950E8132F5E4}: NameServer = 194.204.159.1,194.204.152.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C15F0EB-FF5F-40B1-BBCB-26045F43BB7C}: NameServer = 80.244.128.1,80.244.128.2
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
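As an added example (not a tool from this thread, and not something the posters ran), here is how a HijackThis 1.99.1 log like the one above can be triaged mechanically instead of by eye: split the log into sections, collect the running processes, the O4 Run keys, the O17 NameServer entries and the O23 services, then apply a few analyst checks. The sample input is a subset of lines copied from the log in this post. The "expected DNS resolvers" set is an assumption the analyst supplies (here the first pair from the O17 lines, chosen only to show the comparison), not something the log itself confirms. The cross-check of "(file missing)" against the running-process list shows that ashMaiSv.exe, ashWebSv.exe and WLService.exe are flagged as missing while those very executables are running; HijackThis 1.99.1 prints that flag for a quoted service path followed by arguments, so the flag is something to verify on disk rather than act on.

```python
"""Triage helper for a HijackThis 1.99.1 log (added example, not a tool from the thread)."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample input: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Gadu-Gadu\gg.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C15F0EB-FF5F-40B1-BBCB-26045F43BB7C}: NameServer = 80.244.128.1,80.244.128.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE45E2A7-9199-4C59-B285-950E8132F5E4}: NameServer = 194.204.159.1,194.204.152.34
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")      # "O23 - ..." style entries
O17_RE = re.compile(r"NameServer = (?P<servers>[0-9.,]+)")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^(?P<exe>[^"]*?\.exe)', re.IGNORECASE)      # first executable in an ImagePath
MISSING = "(file missing)"


@dataclass
class Service:
    name: str
    owner: str
    image: str          # executable basename, lower-case
    file_missing: bool  # HijackThis printed "(file missing)" for this entry


@dataclass
class HjtLog:
    processes: set = field(default_factory=set)   # basenames from "Running processes:"
    run_keys: list = field(default_factory=list)  # O4 entries, raw
    nameservers: set = field(default_factory=set) # IPs from all O17 entries
    services: list = field(default_factory=list)  # parsed O23 entries


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def parse_hjt(text: str) -> HjtLog:
    """Walk the log once; process lines are everything between the header and the first O-entry."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if not m:
            if in_processes:
                log.processes.add(basename(line))
            continue
        in_processes = False
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":
            log.run_keys.append(body)
        elif kind == "O17":
            s = O17_RE.search(body)
            if s:
                log.nameservers.update(s.group("servers").split(","))
        elif kind == "O23":
            s = O23_RE.match(body)
            if s:
                path = s.group("path")
                missing = path.endswith(MISSING)
                if missing:
                    path = path[: -len(MISSING)].strip()
                e = EXE_RE.match(path)
                image = basename(e.group("exe")) if e else path.lower()
                log.services.append(Service(s.group("name"), s.group("owner"), image, missing))
    return log


def triage(log: HjtLog, expected_dns) -> dict:
    """Analyst checks: 'file missing' vs. running processes, unknown publishers, unexpected resolvers."""
    findings = {"missing_but_running": [], "missing_not_running": [],
                "unknown_owner": [], "unexpected_dns": []}
    for svc in log.services:
        if svc.file_missing:
            key = "missing_but_running" if svc.image in log.processes else "missing_not_running"
            findings[key].append(svc.image)
        if svc.owner == "Unknown owner":   # no company name in version info: verify by hand
            findings["unknown_owner"].append(svc.name)
    # expected_dns is an analyst-supplied assumption (your ISP's or router's resolvers)
    findings["unexpected_dns"] = sorted(
        log.nameservers - set(expected_dns),
        key=lambda ip: tuple(int(p) for p in ip.split(".")))
    for k in ("missing_but_running", "missing_not_running", "unknown_owner"):
        findings[k].sort()
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for k, v in triage(parsed, {"80.244.128.1", "80.244.128.2"}).items():
        print(f"{k}: {v}")
```

A "missing but running" hit means the service binary is clearly present and the flag is a display artifact; a "missing, not running" hit is an orphaned or genuinely absent service and deserves a look. The DNS check only reports servers outside the set you pass in, so it is only as good as that set.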
adam9870
(adam9870)
18 October 2006 20:41
#2
Use Windows Worms Doors Cleaner and change the markers from disable to enable (all the markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.
Your log is OK.
You can delete these entries:
What do you mean by "breaking into gg"??
If you are interested in optimization, look here
PS. I suggest installing Service Pack 2, because it improves security and more.
calma
(Calma E Fredda)
18 October 2006 20:47
#3
When I am not at the computer and gg is running, someone sends messages to people on my contact list... The messages are complete nonsense, e.g. "wp.pl google.p nvidia strowniki" - that is the whole message.
Bieniol
(Bbieniol)
18 October 2006 20:58
#4
Also post a log from Silent Runners.
calma
(Calma E Fredda)
18 October 2006 21:11
#5
Pasting the Silent Runners log:
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"iKeyWorks" = "C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" ["A4Tech Co.,Ltd."]
"WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
"DataLayer" = "C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe" ["Nokia Mobile Phone Ltd."]
"Nokia Tray Application" = "C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" ["Nokia"]
"WinFast Schedule" = "C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" ["Leadtek Research Inc."]
"WUSB54Gv4" = "C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [null data]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitu"
-> {HKLM...CLSID} = "Eksplorator pulpitu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Explorer"
-> {HKLM...CLSID} = "NOMAD Explorer"
\InProcServer32\(Default) = "C:\Program Files\Creative\Creative Zen Touch\NOMAD Explorer\CTJBNS.DLL" ["Creative Technology Ltd"]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{51A881ED-45AD-414f-B513-C4FED5420BD8}" = "Nokia Phone Browser Common View"
-> {HKCU...CLSID} = "Nokia Phone Browser Common View"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 5\CommonView.dll" ["Nokia"]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 5\NokiaPhoneBrowser.dll" ["Nokia"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = (no title provided)
-> {HKLM...CLSID} = "Skrót internetowy"
\InProcServer32\(Default) = "shdocvw.dll" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\zosia\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\zosia\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]
Startup items in "zosia" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
-> {HKLM...CLSID} = "Easy-WebPrint"
\InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [empty string]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\(Default) = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [empty string]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{669695BC-A811-4A9D-8CDF-BA8C795F261C}\
"ButtonText" = "Run DAP"
"Exec" = "C:\PROGRA~1\DAP\DAP.EXE" ["Speedbit Ltd."]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
WUSB54Gv4SVC, WUSB54Gv4SVC, ""C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe"" ["GEMTEKS"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i560\Driver = "CNMLM58.DLL" ["CANON INC."]
----------
<>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 117 seconds.
---------- (total run time: 277 seconds)
Thanks in advance
Bieniol
(Bbieniol)
18 October 2006 21:15
#6
Also clean.
Clean the registry (I recommend jv16 PowerTools 2006 1.5.2.344 for this), do a defragmentation.
Go to: Start --> Run --> msconfig and in the Startup tab uncheck the programs that (in your view) are unnecessary at startup.
calma:
gg is running
I suggest looking into a more secure messenger - I recommend Konnekt.
Gutek
(Gutek)
19 October 2006 05:31
#8
Advice, cleaning, etc. Laughable. How do you imagine a break-in into GG? You simply told someone the password, or had it written down somewhere, and a friend is playing pranks. Who are these messages being sent to? If to friends, you can ask them for the IP. Maybe it will be the same during the next conversation with your mate...
[Post merged: 18.10.2006 (Wed) 23:13]
Best advice: change the password, don't tell anyone about it, don't share your GG with friends, and besides that, don't leave the computer to friends when you are not at it. Such a password can be extracted in barely a few seconds, even when you are not logged in. :lol:
Read the rules before you write anything.