2 small problems :)
#3
ok thanks

new log from hijack:
Quote:
Logfile of HijackThis v1.99.1
Scan saved at 17:38:21, on 2006-11-27
Platform: Windows XP(WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesSygateSPFsmc.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSSystem32nvsvc32.exe
C:WINDOWSsystem32pctspk.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.EXE
C:PROGRA~1NEOSTR~1CnxMon.exe
C:PROGRA~1NEOSTR~1TaskbarIcon.exe
C:Program FilesThomsonSpeedTouch USBDragdiag.exe
C:WINDOWSSystem32RUNDLL32.EXE
C:WINDOWSSystem32ctfmon.exe
C:PROGRA~1NEOSTR~1NeostradaTP.exe
C:PROGRA~1NEOSTR~1ComComp.exe
C:PROGRA~1NEOSTR~1Watch.exe
C:Program FilesAntiVir PersonalEdition Classicavguard.exe
C:Program FilesAntiVir PersonalEdition Classicavgnt.exe
C:Program FilesAntiVir PersonalEdition Classicsched.exe
c:program filesinternet exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Documents and SettingsLida & wojtASPulpithijackthis.com

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar =
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page =
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Neostrada TP
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:PROGRA~1NEOSTR~1SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:PROGRA~1TEXTwareQUICKF~1PlugInsIEHelp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx
O4 - HKLM..Run: [WooCnxMon]C:PROGRA~1NEOSTR~1CnxMon.exe
O4 - HKLM..Run: [WOOWATCH]C:PROGRA~1NEOSTR~1Watch.exe
O4 - HKLM..Run: [WOOTASKBARICON]C:PROGRA~1NEOSTR~1TaskbarIcon.exe
O4 - HKLM..Run: [SpeedTouch USB Diagnostics]"C:Program FilesThomsonSpeedTouch USBDragdiag.exe" /icon
O4 - HKLM..Run: [NvCplDaemon]RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [NvMediaCenter]RUNDLL32.EXE C:WINDOWSSystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [avgnt]"C:Program FilesAntiVir PersonalEdition Classicavgnt.exe" /min
O4 - HKLM..Run: [CountrySelection]pctptt.exe
O4 - HKLM..Run: [SmcService]C:PROGRA~1SygateSPFsmc.exe -startgui
O4 - HKCU..Run: [CTFMON.EXE]C:WINDOWSSystem32ctfmon.exe
O8 - Extra context menu item: Subskrybuj w RssSpeed -
FilesRssSpeedadd_feed.htm
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:Program FilesFree SurferFS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:Program FilesFree SurferFS20.exe
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
O17 - HKLMSystemCCSServicesTcpip..{89CF2CE1-B2A5-47E1-B9B5-A057EE89CDC5}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:WINDOWSSystem32textwareilluminatorbaseProtocol.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:Program FilesAntiVir PersonalEdition Classicsched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:Program FilesAntiVir PersonalEdition Classicavguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: IomegaAccess - Unknown owner - C:Program FilesIomegaTools_NTIOMEGAACCESS.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSSystem32nvsvc32.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:WINDOWSsystem32pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:Program FilesSygateSPFsmc.exe
O23 - Service: ZipToA - Unknown owner - C:WINDOWSSystem32ZipToA.exe



code from silent runners:
Quote:
"Silent Runners.vbs", revision 49,
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCUSoftwareMicrosoftWindowsCurrentVersionRun {++}
"CTFMON.EXE" = "C:WINDOWSSystem32ctfmon.exe" [MS]

HKLMSoftwareMicrosoftWindowsCurrentVersionRun {++}
"WooCnxMon" = "C:PROGRA~1NEOSTR~1CnxMon.exe" [empty string]
"WOOWATCH" = "C:PROGRA~1NEOSTR~1Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:PROGRA~1NEOSTR~1TaskbarIcon.exe" ["France Télécom R&D"]
"SpeedTouch USB Diagnostics" = ""C:Program FilesThomsonSpeedTouch USBDragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"NvCplDaemon" = "RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:WINDOWSSystem32NvMcTray.dll,NvTaskbarInit" [MS]
"avgnt" = ""C:Program FilesAntiVir PersonalEdition Classicavgnt.exe" /min" ["Avira GmbH"]
"CountrySelection" = "pctptt.exe" ["PCtel, Inc."]
"SmcService" = "C:PROGRA~1SygateSPFsmc.exe -startgui" ["Sygate Technologies, Inc."]

HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
InProcServer32(Default) = "C:Program FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll" ["Adobe Systems Incorporated"]
{C08DF07A-3E49-4E25-9AB0-D3882835F153}(Default) = (no title provided)
-> {HKLM...CLSID} = "QUICKfind BHO Object"
InProcServer32(Default) = "C:PROGRA~1TEXTwareQUICKF~1PlugInsIEHelp.dll" [null data]

HKLMSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
InProcServer32(Default) = "C:WINDOWSSystem32Audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
InProcServer32(Default) = "C:WINDOWSSystem32nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
InProcServer32(Default) = "C:WINDOWSSystem32nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
InProcServer32(Default) = "C:WINDOWSSystem32nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:WINDOWSSystem32nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
InProcServer32(Default) = "C:WINDOWSSystem32nvshell.dll" ["NVIDIA Corporation"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
InProcServer32(Default) = "C:Program FilesAntiVir PersonalEdition Classicshlext.dll" ["H+BEDV Datentechnik GmbH"]
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"
-> {HKLM...CLSID} = "JetFlExt"
InProcServer32(Default) = "C:Program FilesJetAudioJetFlExt.dll" ["JetAudio, Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKCU...CLSID} = (no title provided)
InProcServer32(Default) = ""C:Program FilesOpenOffice.ux.pl 2.0.2programshlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKCU...CLSID} = (no title provided)
InProcServer32(Default) = ""C:Program FilesOpenOffice.ux.pl 2.0.2programshlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKCU...CLSID} = (no title provided)
InProcServer32(Default) = ""C:Program FilesOpenOffice.ux.pl 2.0.2programshlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKCU...CLSID} = (no title provided)
InProcServer32(Default) = ""C:Program FilesOpenOffice.ux.pl 2.0.2programshlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLMSoftwareClassesFoldershellexColumnHandlers
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
InProcServer32(Default) = "C:Program FilesAdobeAcrobat 7.0ActiveXPDFShell.dll" ["Adobe Systems, Inc."]

HKLMSoftwareClasses*shellexContextMenuHandlers
Shell Extension for Malware scanning(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
InProcServer32(Default) = "C:Program FilesAntiVir PersonalEdition Classicshlext.dll" ["H+BEDV Datentechnik GmbH"]
TzShell(Default) = "{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}"
-> {HKLM...CLSID} = "TzShell"
InProcServer32(Default) = "C:PROGRA~1TUGZipTzShell.dll" [null data]

HKLMSoftwareClassesDirectoryshellexContextMenuHandlers
jetAudio(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt"
InProcServer32(Default) = "C:Program FilesJetAudioJetFlExt.dll" ["JetAudio, Inc."]

HKLMSoftwareClassesFoldershellexContextMenuHandlers
jetAudio(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt"
InProcServer32(Default) = "C:Program FilesJetAudioJetFlExt.dll" ["JetAudio, Inc."]
Shell Extension for Malware scanning(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
InProcServer32(Default) = "C:Program FilesAntiVir PersonalEdition Classicshlext.dll" ["H+BEDV Datentechnik GmbH"]
TzShell(Default) = "{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}"
-> {HKLM...CLSID} = "TzShell"
InProcServer32(Default) = "C:PROGRA~1TUGZipTzShell.dll" [null data]


Default executables:
--------------------

HKCUSoftwareClasses.bat(Default) = (value not set)

HKCUSoftwareClasses.cmd(Default) = (value not set)

HKCUSoftwareClasses.com(Default) = (value not set)

HKCUSoftwareClasses.exe(Default) = (value not set)


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCUSoftwareMicrosoftInternet ExplorerDesktopGeneral
"Wallpaper" = "C:Documents and SettingsLida & wojtASUstawienia lokalneDane aplikacjiMicrosoftWallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCUControl PanelDesktop
"Wallpaper" = "C:Documents and SettingsLida & wojtASDane aplikacjiMicrosoftInternet ExplorerTapeta programu Internet Explorer.bmp"


Enabled Screen Saver:
---------------------

HKCUControl PanelDesktop
"SCRNSAVE.EXE" = "C:WINDOWSKROLEW~2.SCR" (Krolewskie-4.scr) [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLMSystemCurrentControlSetServicesWinsock2ParametersNameSpace_Catalog5Catalog_Entries {++}
000000000001LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
000000000002LibraryPath = "%SystemRoot%System32winrnr.dll" [MS]
000000000003LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]

Transport Service Providers

HKLMSystemCurrentControlSetServicesWinsock2ParametersProtocol_Catalog9Catalog_Entries {++}
0000000000##PackedCatalogItem (contains) DLL [Company Name] , (at) ## range:
%SystemRoot%system32mswsock.dll [MS] , 01 - 03, 06 - 15
%SystemRoot%system32rsvpsp.dll [MS] , 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLMSoftwareMicrosoftInternet ExplorerExplorer Bars

HKLMSoftwareClassesCLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = "Volet Wanadoo"
Implemented Categories{00021494-0000-0000-C000-000000000046} [horizontal bar]
InProcServer32(Default) = "C:PROGRA~1NEOSTR~1audienceaudience.dll" [empty string]

HKLMSoftwareClassesCLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = "ToolBand Class"
Implemented Categories{00021494-0000-0000-C000-000000000046} [horizontal bar]
InProcServer32(Default) = "C:PROGRA~1NEOSTR~1audienceaudience.dll" [empty string]

HKLMSoftwareClassesCLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = "Volet Wanadoo"
Implemented Categories{00021494-0000-0000-C000-000000000046} [horizontal bar]
InProcServer32(Default) = "C:PROGRA~1NEOSTR~1audienceaudience.dll" [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLMSoftwareMicrosoftInternet ExplorerExtensions
{AFC3FA82-AD07-45CD-8B57-983435B9899E}
"ButtonText" = "Free Surfer"
"MenuText" = "Free Surfer"
"Exec" = "C:Program FilesFree SurferFS20.exe" ["EMS-Project 2002 ©"]


Miscellaneous IE Hijack Points
------------------------------

HKCUSoftwareMicrosoftInternet ExplorerURLSearchHooks
<<H>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
-> {HKLM...CLSID} = "Search Class"
InProcServer32(Default) = "C:PROGRA~1NEOSTR~1SEARCH~1.DLL" [empty string]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "C:Program FilesAntiVir PersonalEdition Classicavguard.exe" ["AVIRA GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:Program FilesAntiVir PersonalEdition Classicsched.exe" ["Avira GmbH"]
NVIDIA Display Driver Service, NVSvc, "C:WINDOWSSystem32nvsvc32.exe" ["NVIDIA Corporation"]
Sygate Personal Firewall, SmcService, "C:Program FilesSygateSPFsmc.exe" ["Sygate Technologies, Inc."]
W2k PCtel speaker phone, Pctspk, "C:WINDOWSsystem32pctspk.exe" ["PCtel, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:WINDOWSSystem32wdfmgr.exe" [MS]


----------
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 343 seconds.
---------- (total run time: 1162 seconds)


Messages in this thread
2 small problems :) - by wojtAS - 25.11.2006, 19:11
Re: 2 small problems :) - by Bieniol - 25.11.2006, 19:48
Re: 2 small problems :) - by wojtAS - 27.11.2006, 17:40
Re: 2 small problems :) - by Mrówek - 27.11.2006, 19:34
Re: 2 small problems :) - by wojtAS - 30.11.2006, 10:20
;] - by dymek9229 - 03.12.2006, 20:43
Re: 2 small problems :) - by Serafin - 03.12.2006, 20:53
Re: 2 small problems :) - by wojtAS - 13.12.2006, 15:19
Re: 2 small problems :) - by Serafin - 13.12.2006, 15:39
Re: 2 small problems :) - by wojtAS - 22.12.2006, 18:34
Re: 2 small problems :) - by Bieniol - 22.12.2006, 18:51
Re: 2 small problems :) - by wojtAS - 24.12.2006, 12:45
Re: 2 small problems :) - by Serafin - 24.12.2006, 13:29
Re: 2 small problems :) - by wojtAS - 24.12.2006, 14:27
Re: 2 small problems :) - by phancy - 24.12.2006, 18:54
Re: 2 small problems :) - by wojtAS - 27.12.2006, 14:13
Re: 2 small problems :) - by phancy - 27.12.2006, 16:29
Re: 2 small problems :) - by wojtAS - 28.12.2006, 12:29
Re: 2 small problems :) - by Serafin - 28.12.2006, 13:18
Re: 2 small problems :) - by Bieniol - 28.12.2006, 16:29
Re: 2 small problems :) - by wojtAS - 28.12.2006, 18:43
Re: 2 small problems :) - by Bieniol - 28.12.2006, 20:20
Re: 2 small problems :) - by wojtAS - 29.12.2006, 11:51
Re: 2 small problems :) - by phancy - 29.12.2006, 13:26
Re: 2 small problems :) - by wojtAS - 29.12.2006, 13:39
Re: 2 small problems :) - by phancy - 29.12.2006, 14:29
Re: 2 small problems :) - by wojtAS - 30.12.2006, 12:58
Re: 2 small problems :) - by Bieniol - 30.12.2006, 13:28
Re: 2 small problems :) - by wojtAS - 13.11.2011, 10:42
