KaSE
(Genbub)
29 December 2006 14:28
#1
A few minutes ago I infected my computer. KAV detected several trojans but could not remove them; Task Manager was also blocked (WIN2000), and every so often the computer restarts itself.
In CMD, after checking netstat, the computer is establishing a great many connections to various addresses.
At system startup, various errors from applications unknown to me sometimes pop up.
Logs
Logfile of HijackThis v1.99.1 Scan saved at 15:20:29, on 2006-12-29 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\csrss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\savedump.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe C:\WINNT\system32\svchosts.exe C:\WINNT\System32\svchost.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe C:\WINNT\System32\nvsvc32.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\inet20000\services.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe C:\winnt\system32\winclean.exe C:\Program Files\Common Files{1A4A19DC-05B4-1045-0112-020331040030}\Update.exe C:\Program Files\Ipwindows\ipwins.exe C:\WINNT\system32\rundll32.exe C:\WINNT\system32\internat.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Skype\Phone\Skype.exe C:\WINNT\inet20000\wpcem.exe C:\Program Files\Xfire\Xfire.exe C:\WINNT\inet20000\wpcem.exe C:\Downloads\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F3 - REG:win.ini: run=C:\WINNT\inet20000\services.exe O1 - Hosts: 75.30.214.154 l2authd.lineage2.com O1 - Hosts: 75.30.214.154 l2testauthd.lineage2.com O1 - Hosts: 75.30.214.154 l2authd.lineage2.com O1 - Hosts: 75.30.214.154 l2testauthd.lineage2.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: @msdxmLC.dll ,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - 
C:\PROGRA~1\COMMON~1{3A4A1~1\Bar888.dll O4 - HKLM…\Run: [synchronization Manager] mobsync.exe /logon O4 - HKLM…\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM…\Run: [OfficeGuard RegChecker] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe” O4 - HKLM…\Run: [AVPCC] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe” /wait O4 - HKLM…\Run: [winclean] c:\winnt\system32\winclean.exe O4 - HKLM…\Run: [{1A4A19DC-05B4-1045-0112-020331040030}] “C:\Program Files\Common Files{1A4A19DC-05B4-1045-0112-020331040030}\Update.exe” te-110-12-0000273 O4 - HKLM…\Run: [agent] C:\WINNT\system32\ppl.exe O4 - HKLM…\Run: [ipWins] C:\Program Files\Ipwindows\ipwins.exe O4 - HKLM…\Run: [Microsoft WPCEmail] C:\WINNT\inet20000\svchost.exe O4 - HKLM…\Run: [xp_system] C:\WINNT\inet20000\services.exe O4 - HKCU…\Run: [internat.exe] internat.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [steam] “d:\gry\steam\steam.exe” -silent O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [agent] C:\WINNT\system32\ppl.exe O4 - HKCU…\Run: [xp_system] C:\WINNT\inet20000\services.exe O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm O8 - Extra context menu item: Otwórz w nowym Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony… - 
C:\Program Files\Avant Browser\OpenAllLinks.htm O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 6/client/w uweb_site.cab?1013624408392 O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_24.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINNT\system32\fvlb32.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing) O23 - Service: COM+ Messages - Unknown owner - C:\WINNT\system32\svchosts.exe" -e te-110-12-0000273 (file missing) O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Silent Runner
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows 2000 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “internat.exe” = “internat.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] “Steam” = ““d:\gry\steam\steam.exe” -silent” [file not found] “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “DANT” = “(empty string)” [file not found] “agent” = “C:\WINNT\system32\ppl.exe” [file not found] “xp_system” = “C:\WINNT\inet20000\services.exe” [null data] “Aeee” = ““C:\DOCUME~1\ADMINI~1\DANEAP~1\FNTS~1\wuauclt.exe” -vt yazb” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Synchronization Manager” = “mobsync.exe /logon” [MS] “C-Media Speaker Configuration” = “C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER” [file not found] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RunDLL32.exe NvMCTray.dll,NvTaskbarInit” [MS] “OfficeGuard RegChecker” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe”” [null data] “AVPCC” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe” /wait” [“Kaspersky Labs.”] “winclean” = “c:\winnt\system32\winclean.exe” [MS] “{1A4A19DC-05B4-1045-0112-020331040030}” = ““C:\Program Files\Common Files{1A4A19DC-05B4-1045-0112-020331040030}\Update.exe” te-110-12-0000273” [null data] “agent” = “C:\WINNT\system32\ppl.exe” [file not found] “(Default)” = (unknown data type) “Microsoft WPCEmail” = "C:\WINNT\inet20000\svchost.exe " [null data] “(Default)” = (unknown data type) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = 
“AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {67DB3C23-81B1-A548-C55A-FCCD5D6B85B0}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\system32\dcrsz.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINNT\System32\hticons.dll” [“Hilgraeve, Inc.”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINNT\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINNT\System32\nvshell.dll” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] 
“{FED7043D-346A-414D-ACD7-550D052499A7}” = “dBpowerAMP Music Converter 1” -> {HKLM…CLSID} = “dBpShell Class” \InProcServer32(Default) = “C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll” [empty string] “{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}” = “dBpowerAMP Music Converter” -> {HKLM…CLSID} = “dMCIShell Class” \InProcServer32(Default) = “C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “CDRecorder026” = “{A3BC5E20-0235-1ABF-9CE1-00AA00512026}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\system32\fvlb32.dll” [null data] HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “run” = “C:\WINNT\inet20000\services.exe” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {FED7043D-346A-414D-ACD7-550D052499A7}(Default) = “dBpowerAMP Column Handler” -> {HKLM…CLSID} = “dBpShell Class” \InProcServer32(Default) = “C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll” [empty string] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\KAV Shared Files\AvpShlEx.dll” [“Kaspersky Labs.”] VIDEOTRANS(Default) = “{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}” -> {HKLM…CLSID} = “AmvTransform Class” \InProcServer32(Default) = “C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\AmvTransform.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = 
“{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\KAV Shared Files\AvpShlEx.dll” [“Kaspersky Labs.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “CDRAutoRun” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_SZ) 1 {User Configuration|Administrative Templates|System|Logon/Logoff| Remove Task Manager} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\Default User\Moje dokumenty\Moje obrazy\g20.jpg” Startup items in “Administrator” & “All Users” startup folders: --------------------------------------------------------------- C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart “Xfire” -> shortcut to: “C:\Program Files\Xfire\Xfire.exe” [“Xfire Inc.”] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service 
Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\rnr20.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{C1B4DEC2-2623-438E-9CA2-C9043AB28508}” = “Bar888” -> {HKLM…CLSID} = “Bar888” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1{3A4A1~1\Bar888.dll” [null data] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{67DB3C23-81B1-A548-C55A-FCCD5D6B85B0}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\system32\dcrsz.dll” [null data] HOSTS file ---------- C:\WINNT\System32\drivers\etc\HOSTS maps: 4 domain names to IP addresses, 2 of the IP addresses are *not* localhost! Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVP Control Centre Service, AVPCC, ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe” /service” [“Kaspersky Labs.”] KAV Monitor Service, KAVMonitorService, ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe” /service” [“Kaspersky Labs.”] NVIDIA Display Driver Service, NVSvc, “C:\WINNT\System32\nvsvc32.exe” [“NVIDIA Corporation”] System zdarzeń COM+, EventSystem, “C:\WINNT\System32\svchost.exe -k netsvcs” {“C:\WINNT\System32\es.dll” [null data]} ---------- <>: Suspicious data at a malware launch point. 
<>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 124 seconds, including 4 seconds for message boxes)
adam9870
(adam9870)
29 December 2006 14:44
#2
Start => Run => type services.msc => stop and disable the COM+ Messages service, then launch HijackThis Misc Tools => Delete NT service => type COM+ Messages => OK and restart the computer.
In safe mode remove:
Delete the marked files and folders manually from the disk, and the entries in HijackThis.
After doing that, please post a new log from HijackThis plus one from SilentRunners.
Is this your little program?
If not, remove it too.
KaSE
(Genbub)
29 December 2006 17:39
#3
Here are the logs after performing those operations, but there is still a problem with Task Manager (it is blocked), and connections to various addresses are still being established (about 50/min), followed by a 20 s timeout.
I also don't like these (orange) log entries, because I didn't see them during the last check.
Logfile of HijackThis v1.99.1 Scan saved at 18:35:52, on 2006-12-29 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe C:\WINNT\System32\svchost.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe C:\WINNT\System32\nvsvc32.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe C:\WINNT\system32\internat.exe C:\Program Files\Skype\Phone\Skype.exe C:\DOCUME~1\ADMINI~1\DANEAP~1\FNTS~1\wuauclt.exe C:\WINNT\system32\rundll32.exe C:\Program Files\Xfire\Xfire.exe C:\Program Files\Avant Browser\avant.exe C:\Downloads\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {67DB3C23-81B1-A548-C55A-FCCD5D6B85B0} - C:\WINNT\system32\dcrsz.dll O1 - Hosts: 75.30.214.154 l2authd.lineage2.com O1 - Hosts: 75.30.214.154 l2testauthd.lineage2.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: @msdxmLC.dll ,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O4 - HKLM…\Run: [synchronization Manager] mobsync.exe /logon O4 - HKLM…\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM…\Run: [OfficeGuard RegChecker] “C:\Program Files\Kaspersky Lab\Kaspersky 
Anti-Virus Personal Pro\ogrc.exe” O4 - HKLM…\Run: [AVPCC] “C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe” /wait O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKCU…\Run: [internat.exe] internat.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [steam] “d:\gry\steam\steam.exe” -silent O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [Aeee] “C:\DOCUME~1\ADMINI~1\DANEAP~1\FNTS~1\wuauclt.exe” -vt yazb O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm O8 - Extra context menu item: Otwórz w nowym Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony… - C:\Program Files\Avant Browser\OpenAllLinks.htm O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 3624408392 O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_24.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVP Control Centre Service (AVPCC) - 
Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing) O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows 2000 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “internat.exe” = “internat.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] “Steam” = ““d:\gry\steam\steam.exe” -silent” [file not found] “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “DANT” = “(empty string)” [file not found] “Aeee” = ““C:\DOCUME~1\ADMINI~1\DANEAP~1\FNTS~1\wuauclt.exe” -vt yazb” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Synchronization Manager” = “mobsync.exe /logon” [MS] “C-Media Speaker Configuration” = “C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER” [file not found] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RunDLL32.exe NvMCTray.dll,NvTaskbarInit” [MS] “OfficeGuard RegChecker” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe”” [null data] “AVPCC” = ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe” /wait” [“Kaspersky Labs.”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] 
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINNT\System32\hticons.dll” [“Hilgraeve, Inc.”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINNT\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINNT\System32\nvshell.dll” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{FED7043D-346A-414D-ACD7-550D052499A7}” = “dBpowerAMP Music Converter 1” -> {HKLM…CLSID} = “dBpShell Class” \InProcServer32(Default) = “C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll” [empty string] “{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}” = “dBpowerAMP Music Converter” -> {HKLM…CLSID} = “dMCIShell Class” \InProcServer32(Default) = “C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll” [empty string] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {FED7043D-346A-414D-ACD7-550D052499A7}(Default) = “dBpowerAMP Column Handler” -> {HKLM…CLSID} = “dBpShell Class” \InProcServer32(Default) = “C:\Program 
Files\Illustrate\dBpowerAMP\dBShell.dll” [empty string] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\KAV Shared Files\AvpShlEx.dll” [“Kaspersky Labs.”] VIDEOTRANS(Default) = “{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}” -> {HKLM…CLSID} = “AmvTransform Class” \InProcServer32(Default) = “C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\AmvTransform.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\KAV Shared Files\AvpShlEx.dll” [“Kaspersky Labs.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “CDRAutoRun” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_SZ) 1 {User Configuration|Administrative Templates|System|Logon/Logoff| Remove Task Manager} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\Default User\Moje dokumenty\Moje obrazy\g20.jpg” Startup items in “Administrator” & “All Users” startup folders: --------------------------------------------------------------- C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart “Xfire” -> shortcut to: “C:\Program Files\Xfire\Xfire.exe” [“Xfire Inc.”] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\rnr20.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 
15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{67DB3C23-81B1-A548-C55A-FCCD5D6B85B0}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\system32\dcrsz.dll” [null data] HOSTS file ---------- C:\WINNT\System32\drivers\etc\HOSTS maps: 4 domain names to IP addresses, 2 of the IP addresses are *not* localhost! Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVP Control Centre Service, AVPCC, ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe” /service” [“Kaspersky Labs.”] KAV Monitor Service, KAVMonitorService, ““C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe” /service” [“Kaspersky Labs.”] NVIDIA Display Driver Service, NVSvc, “C:\WINNT\System32\nvsvc32.exe” [“NVIDIA Corporation”] System zdarzeń COM+, EventSystem, “C:\WINNT\System32\svchost.exe -k netsvcs” {“C:\WINNT\System32\es.dll” [null data]} ---------- <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 31 seconds, including 4 seconds for message boxes)
Joan
(Joan Sunshine)
29 December 2006 17:51
#4
In HJT launched in safe mode, check the entries and click “Fix checked” at the bottom; what is in red you delete manually from the disk:
R3 - URLSearchHook: (no name) - {67DB3C23-81B1-A548-C55A-FCCD5D6B85B0} - C:\WINNT\system32\dcrsz.dll
O4 - HKCU…\Run: [Aeee] “C:\DOCUME~1\ADMINI~1\DANEAP~1\FNTS~1\wuauclt.exe” -vt yazb > don't mix up the location
O4 - HKLM…\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
Open Notepad and paste this into it:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DANT"=-
"Aeee"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{67DB3C23-81B1-A548-C55A-FCCD5D6B85B0}"=-
File - Save as - change the file type to All files - save it under the name FIX.REG
Run FIX.REG, confirm adding it to the registry and restart the computer.
“DisableTaskMgr” = (REG_SZ) 1 {User Configuration|Administrative Templates|System|Logon/Logoff| Remove Task Manager}
Task Manager is disabled, but probably on purpose; are you logging on to the administrator account?
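The entries Joan singles out above (the unnamed URLSearchHook, a wuauclt.exe living under Application Data, plus the inet20000\services.exe, inet20000\svchost.exe, non-localhost HOSTS lines and the svchosts.exe service from the first log) can all be caught mechanically. The Python script below is an added example, not code from this thread or from HijackThis; it assumes the plain-text entry format HijackThis 1.99 prints (one entry per line, with `HKLM\..\Run:` where the forum rendered an ellipsis), the heuristics are my own, and the sample lines are copied from the logs in this thread plus one constructed localhost line.

```python
"""Triage helper for HijackThis v1.99 log entries.

Assumes the plain-text entry format HijackThis 1.99 prints (one "O4 - ..." style
entry per line, as pasted in this thread). The heuristics below are my own, not
HijackThis's rules; SAMPLE_LOG is copied from the logs above plus one constructed
localhost line.
"""
import difflib
import re
from dataclasses import dataclass

# Anything else in a HOSTS entry redirects the name; the logs above point two
# lineage2.com login hosts at a public address.
LOCALHOST = {"127.0.0.1", "::1", "0.0.0.0"}

# Directories where the Windows 2000 binaries below legitimately live (lower-case).
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\winnt\servicepackfiles\i386"}

# Real Windows binary names that the logs show reused from odd places
# (C:\WINNT\inet20000\services.exe, ...\FNTS~1\wuauclt.exe).
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "wuauclt.exe", "lsass.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe"}

ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
WIN_PATH = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll))', re.IGNORECASE)
HOSTS = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def check_path(path):
    """Reason string if an executable path looks like system-binary impersonation, else None."""
    directory, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_BINARIES:
        if directory not in SYSTEM_DIRS:
            return f"{name} outside a system directory ({directory})"
        return None
    # A name one character away from a real system binary (svchosts.exe vs svchost.exe).
    near = difflib.get_close_matches(name, SYSTEM_BINARIES, n=1, cutoff=0.9)
    return f"{name} looks like {near[0]}" if near else None


def triage(lines):
    """Return the entries worth a second look, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # headers, "Running processes:", blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":
            h = HOSTS.match(body)
            if h and h.group("ip") not in LOCALHOST:
                findings.append(Finding(sec, f"HOSTS redirects {h.group('host')} to {h.group('ip')}", line))
        elif sec == "R3" and "(no name)" in body:
            findings.append(Finding(sec, "unnamed URLSearchHook", line))
        elif sec in {"F3", "O4", "O21", "O23"}:
            p = WIN_PATH.search(body)
            reason = check_path(p.group(1)) if p else None
            if reason:
                findings.append(Finding(sec, reason, line))
    return findings


# Lines copied from the logs in this thread; the 127.0.0.1 line is constructed.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINNT\inet20000\services.exe
O1 - Hosts: 75.30.214.154 l2authd.lineage2.com
O1 - Hosts: 127.0.0.1 localhost
R3 - URLSearchHook: (no name) - {67DB3C23-81B1-A548-C55A-FCCD5D6B85B0} - C:\WINNT\system32\dcrsz.dll
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINNT\inet20000\svchost.exe
O4 - HKCU\..\Run: [Aeee] "C:\DOCUME~1\ADMINI~1\DANEAP~1\FNTS~1\wuauclt.exe" -vt yazb
O23 - Service: COM+ Messages - Unknown owner - C:\WINNT\system32\svchosts.exe" -e te-110-12-0000273 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
""".strip().splitlines()


def demo():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```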
KaSE
(Genbub)
29 December 2006 17:57
#5
Yes, because it is my main account on this computer.
As for the Task Manager, I personally did not change any settings, and it got locked right after the infection.
PS. Maybe I did it unknowingly, but in that case how do I unlock it??
And what about these two log lines?? Are they clean?
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
Joan
(Joan Sunshine)
29 December 2006 18:04
#6
Start > Run > regedit, find the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
> value: DisableTaskMgr, set it to 0 (it is 1 now).
Paste new logs.
KaSE
(Genbub)
29 December 2006 18:23
#7
I can't find the file wuauclt.exe, that is, I found it, but in two different places (not in the location from the HijackThis log).
They look like original Windows update files:
C:\WINNT\system32\wuauclt.exe
and
C:\WINNT\ServicePackFiles\i386\wuauclt.exe
Should I leave them or delete them?
KaSE
(Genbub)
29 December 2006 18:47
#9
Logfile of HijackThis v1.99.1
Scan saved at 19:38:32, on 2006-12-29
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Avant Browser\avant.exe
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: 75.30.214.154 l2authd.lineage2.com
O1 - Hosts: 75.30.214.154 l2testauthd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Steam] "d:\gry\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Otwórz w nowym Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 3624408392
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_24.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"Steam" = ""d:\gry\steam\steam.exe" -silent" [file not found]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"OfficeGuard RegChecker" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"" [null data]
"AVPCC" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait" ["Kaspersky Labs."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
     \InProcServer32(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
  -> {HKLM...CLSID} = "dBpShell Class"
     \InProcServer32(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
  -> {HKLM...CLSID} = "dMCIShell Class"
     \InProcServer32(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{FED7043D-346A-414D-ACD7-550D052499A7}(Default) = "dBpowerAMP Column Handler"
  -> {HKLM...CLSID} = "dBpShell Class"
     \InProcServer32(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\Program Files\Common Files\KAV Shared Files\AvpShlEx.dll" ["Kaspersky Labs."]
VIDEOTRANS(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"
  -> {HKLM...CLSID} = "AmvTransform Class"
     \InProcServer32(Default) = "C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\AmvTransform.dll" [empty string]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\Program Files\Common Files\KAV Shared Files\AvpShlEx.dll" ["Kaspersky Labs."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"CDRAutoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = (REG_SZ) 0
{User Configuration|Administrative Templates|System|Logon/Logoff|
Remove Task Manager}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Default User\Moje dokumenty\Moje obrazy\g20.jpg"

Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------
C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart
"Xfire" -> shortcut to: "C:\Program Files\Xfire\Xfire.exe" ["Xfire Inc."]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

HOSTS file
----------
C:\WINNT\System32\drivers\etc\HOSTS
maps: 4 domain names to IP addresses,
      2 of the IP addresses are *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVP Control Centre Service, AVPCC, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service" ["Kaspersky Labs."]
KAV Monitor Service, KAVMonitorService, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service" ["Kaspersky Labs."]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]
System zdarzeń COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points,
  use the -supp parameter or answer "No" at the first message box
  and "Yes" at the second message box.
----------
(total run time: 34 seconds, including 4 seconds for message boxes)
Connections are still being made:
http://img217.imageshack.us/img217/1293/2ur8.jpg
http://img217.imageshack.us/img217/9536/3bq5.jpg
adam9870
(adam9870)
29 December 2006 18:51
#10
The logs are OK.
Close the ports to worms. To do that, use Windows Worms Doors Cleaner and change the marks from disable to enable (all the marks should be green; if one of them is yellow, leave it). A restart is required after using the tool.
Are you on a local network?
adam9870
(adam9870)
29 December 2006 19:02
#12
In that case, check whether other computers on the network are not behind the connections you mentioned.
KaSE
(Genbub)
29 December 2006 19:24
#13
It looks like everything is OK, although connections are still being made, but only to ONE address, though very often; it does not cause a timeout.
cmd -> netstat showed
162.61.232.72.reverse.layerdtech.com:8080
and, from time to time, some mail addresses.
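What the poster is reading off netstat by eye, repeated connections to one address:8080 plus occasional connections to mail hosts, is easy to tabulate. The script below is an added example (not from the thread) that parses the output of `netstat -an` on Windows, counts sockets per remote endpoint, and separately lists outbound TCP/25 connections, which on a workstation that only uses a mail client should go to its own mail server and nowhere else. SAMPLE_NETSTAT is constructed for the example; the addresses in it are documentation ranges, not the ones from the thread, and the `-n` flag is assumed so that the peers appear as numeric addresses rather than reverse-DNS names.

```python
"""Summarise Windows `netstat -an` output to spot beaconing and spam traffic.

Added example, not part of the original thread. Run as
    netstat -an > conns.txt && python netstat_summary.py conns.txt
or with no argument to run against the constructed sample below.
"""
import sys
from collections import Counter

# Constructed sample of `netstat -an` on a Windows box: one peer contacted
# by many short-lived sockets, two SMTP attempts, one normal web connection.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.7:1031       203.0.113.10:8080      ESTABLISHED
  TCP    192.168.1.7:1032       203.0.113.10:8080      TIME_WAIT
  TCP    192.168.1.7:1033       203.0.113.10:8080      TIME_WAIT
  TCP    192.168.1.7:1034       203.0.113.10:8080      SYN_SENT
  TCP    192.168.1.7:1035       203.0.113.10:8080      ESTABLISHED
  TCP    192.168.1.7:1040       198.51.100.25:25       SYN_SENT
  TCP    192.168.1.7:1041       198.51.100.26:25       ESTABLISHED
  TCP    192.168.1.7:1050       192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def parse_netstat(text):
    """Return (proto, local, remote, state) for every socket that has a peer."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                       # banner, header or blank line
        proto, local, remote = fields[0], fields[1], fields[2]
        state = fields[3] if len(fields) > 3 else ""
        if remote in ("0.0.0.0:0", "*:*", "[::]:0"):
            continue                       # listening socket, no peer yet
        rows.append((proto, local, remote, state))
    return rows


def remote_port(endpoint):
    """Port number of an 'addr:port' string (works for IPv6 '[addr]:port' too)."""
    return int(endpoint.rsplit(":", 1)[1])


def beacon_candidates(text, threshold=3):
    """Remote endpoints contacted by at least `threshold` sockets, busiest first.

    SYN_SENT and TIME_WAIT entries count too: a bot that reconnects every few
    seconds leaves a trail of them even when only one socket is ESTABLISHED.
    """
    counts = Counter(remote for _, _, remote, _ in parse_netstat(text))
    return [(ep, n) for ep, n in counts.most_common() if n >= threshold]


def outbound_smtp(text):
    """Remote endpoints on TCP/25; more than one distinct host is a spam-bot sign."""
    return sorted({remote for proto, _, remote, _ in parse_netstat(text)
                   if proto == "TCP" and remote_port(remote) == 25})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_NETSTAT
    print("peers contacted repeatedly:")
    for endpoint, n in beacon_candidates(text):
        print(f"  {endpoint:<24} {n} sockets")
    print("outbound SMTP:")
    for endpoint in outbound_smtp(text):
        print(f"  {endpoint}")
```

Run it a few times a minute apart; a peer that stays at the top of the list while the machine is idle is the one to look up and block at the router, and any TCP/25 traffic to hosts other than your own mail server means the box is still relaying spam regardless of what the HijackThis log looks like.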
Bieniol
(Bbieniol)
29 December 2006 19:28
#14
Do this.
Unfortunately, we are not able to help any further.