Tradycyjnie problem z systemem
Witam.Mam prośbę o sprawdzenie dwóch logów:1 z HiJackThis, a drugi z silent runner.W ciągu 2 tygodni drugi raz pada system(po pierwszym razie zrobiłem format)Żaden antyvirus ani ad–aware nic nie moźe znaleźć a wiem,źe na pewno coś gdzieś siedzi.Tego progamu od Ati juź nie ma.Na tą chwilę nie działają:antyvir,firewall i spyboot(choć ikony są wyświetlone i to jako enable).Oczywiście obciąźenie procesora 100% i to właśnie przez te wcześniej wymienione programy.Natomiast jak uruchamiam netstat to wyświtla listę długą jak droga mleczna połączeń mojego kompa z..... moim kompen z tym,źe róźne porty.
1 log:
Logfile of HijackThis v1.99.1
Scan saved at 01:28:31, on 2005–05–05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\RFA\rfagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
C:\Program Files\Common Files\Symantec Shared\CCPD–LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\LIUtilities\WinTasks\wintasks.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\devldr32.exe
C:\DOCUME~1\corratec\USTAWI~1\Temp\Rar$EX40.9031\procexp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\corratec\Moje dokumenty\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: PCTools Site Guard – {5C8B2A36–3DB1–42A4–A3CB–D426709BBFEB} – C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 – BHO: Norton Personal Firewall – {9ECB9560–04F9–4bbc–943D–298DDF1699E1} – C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 – BHO: PCTools Browser Monitor – {B56A7D7D–6927–48C8–A975–17DF180C71AC} – C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 – Toolbar: Norton Personal Firewall – {0B53EAC3–8D69–4b9e–9B19–A37C9A5676A7} – C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 – HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 – HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 – HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 – HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 – HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 – HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe" autostart
O4 – HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 – HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe"
O4 – Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 – Extra button: Spyware Doctor – {2D663D1A–8670–49D9–A1A5–4C56B4E14E84} – C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – Unknown owner – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 – Service: Ati HotKey Poller – ATI Technologies Inc. – C:\WINDOWS\system32\Ati2evxx.exe
O23 – Service: avast! Antivirus – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 – Service: avast! Web Scanner – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Network Proxy (ccProxy) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 – Service: Symantec Password Validation (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Symantec Settings Manager (ccSetMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 – Service: Creative Service for CDROM Access – Creative Technology Ltd – C:\WINDOWS\system32\CTsvcCDA.exe
O23 – Service: Deepsight Extractor (DeepsightExtractor) – Unknown owner – C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 – Service: DeepSight Extractor Service for NPF03 (ExtractorServiceNPF03) – Unknown owner – C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 – Service: DeepSight Extractor Service for NPF04 (ExtractorServiceNPF04) – Unknown owner – C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 – Service: ISSvc (ISSVC) – Symantec Corporation – C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 – Service: Symantec Network Drivers Service (SNDSrvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 – Service: Symantec SPBBCSvc (SPBBCSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 – Service: Symantec Core LC – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\CCPD–LC\symlcsvc.exe
O23 – Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) – TuneUp Software GmbH – C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
2 log:
"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non–default values, except where indicated by "{++}"
Startup items buried in registry:
–––––––––––––––––––––––––––––––––
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TuneUp MemOptimizer" = ""C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"]
"Komunikator" = "C:\Program Files\Tlen.pl\tlen.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"rfagent" = ""C:\Program Files\RFA\rfagent.exe"" ["KsL Software"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"eTrustPPAP" = ""C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"" ["Computer Associates"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"Run StartupMonitor" = "StartupMonitor.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{5C8B2A36–3DB1–42A4–A3CB–D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PCTools.com"]
{9ECB9560–04F9–4bbc–943D–298DDF1699E1}\(Default) = "Norton Personal Firewall"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{B56A7D7D–6927–48C8–A975–17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714–76d4–11d1–8b24–00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
–> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{472083B0–C522–11CF–8763–00608CC02F24}" = "avast"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860–8EE4–11D2–9906–E49FADC173CA}" = "WinRAR shell extension"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{FA010552–4A27–4cb1–A1BB–3E2D697F1639}" = "SpySubtract Shell Extension"
–> {CLSID}\InProcServer32\(Default) = "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FA010552–4A27–4cb1–A1BB–3E2D697F1639}" = "SpySubtract Shell Extension"
–> {CLSID}\InProcServer32\(Default) = "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
Enabled Wallpaper and Active Desktop:
–––––––––––––––––––––––––––––––––––––
Active Desktop is disabled.
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"
Startup items in "corratec" & "All Users" startup folders:
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
C:\Documents and Settings\corratec\Menu Start\Programy\Autostart
"SpySubtract" –> shortcut to: "C:\Program Files\interMute\SpySubtract\SpySub.exe –autostart" ["InterMute, Inc."]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"SpySubtract" –> shortcut to: "C:\Program Files\interMute\SpySubtract\SpySub.exe –autostart" ["InterMute, Inc."]
Enabled Scheduled Tasks:
––––––––––––––––––––––––
"1–Click Maintenance" –> launches: "C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"Symantec NetDetect" –> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
–––––––––––––––––––––––––––––––
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 – 03, 06 – 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 – 05
Toolbars, Explorer Bars, Extensions:
––––––––––––––––––––––––––––––––––––
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3–8D69–4B9E–9B19–A37C9A5676A7}"
–> {CLSID}\(Default) = "Norton Personal Firewall"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3–8D69–4B9E–9B19–A37C9A5676A7}"
–> {CLSID}\(Default) = "Norton Personal Firewall"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A–8670–49D9–A1A5–4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1–940F–48E0–8DFD–E38F1D501021}"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
Running Services (Display Name, Service Name, Path {Service DLL}):
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
Deepsight Extractor, DeepsightExtractor, "C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe" [null data]
DeepSight Extractor Service for NPF04, ExtractorServiceNPF04, "C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe" [null data]
ISSvc, ISSVC, ""C:\Program Files\Norton Personal Firewall\ISSVC.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD–LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
(W załączniku jest ten drugi log).
I mam jeszcze jedno pytanie w opisie jednej z pozycj w logu z hijackthis widniała informacja,źe zmianę w rejestrze spowodował jakiś IKERNEL32.Vbs ale nigdzie nie znalazłem do niego opisu natomiast u siebie znalazłem pliki:ikernel.exe
1 log:
Logfile of HijackThis v1.99.1
Scan saved at 01:28:31, on 2005–05–05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\RFA\rfagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
C:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
C:\Program Files\Common Files\Symantec Shared\CCPD–LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\LIUtilities\WinTasks\wintasks.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\devldr32.exe
C:\DOCUME~1\corratec\USTAWI~1\Temp\Rar$EX40.9031\procexp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\corratec\Moje dokumenty\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: PCTools Site Guard – {5C8B2A36–3DB1–42A4–A3CB–D426709BBFEB} – C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 – BHO: Norton Personal Firewall – {9ECB9560–04F9–4bbc–943D–298DDF1699E1} – C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 – BHO: PCTools Browser Monitor – {B56A7D7D–6927–48C8–A975–17DF180C71AC} – C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 – Toolbar: Norton Personal Firewall – {0B53EAC3–8D69–4b9e–9B19–A37C9A5676A7} – C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 – HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 – HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 – HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 – HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 – HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 – HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe" autostart
O4 – HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 – HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe"
O4 – Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 – Extra button: Spyware Doctor – {2D663D1A–8670–49D9–A1A5–4C56B4E14E84} – C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – Unknown owner – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 – Service: Ati HotKey Poller – ATI Technologies Inc. – C:\WINDOWS\system32\Ati2evxx.exe
O23 – Service: avast! Antivirus – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 – Service: avast! Web Scanner – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Network Proxy (ccProxy) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 – Service: Symantec Password Validation (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Symantec Settings Manager (ccSetMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 – Service: Creative Service for CDROM Access – Creative Technology Ltd – C:\WINDOWS\system32\CTsvcCDA.exe
O23 – Service: Deepsight Extractor (DeepsightExtractor) – Unknown owner – C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 – Service: DeepSight Extractor Service for NPF03 (ExtractorServiceNPF03) – Unknown owner – C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 – Service: DeepSight Extractor Service for NPF04 (ExtractorServiceNPF04) – Unknown owner – C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 – Service: ISSvc (ISSVC) – Symantec Corporation – C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 – Service: Symantec Network Drivers Service (SNDSrvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 – Service: Symantec SPBBCSvc (SPBBCSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 – Service: Symantec Core LC – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\CCPD–LC\symlcsvc.exe
O23 – Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) – TuneUp Software GmbH – C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
2 log:
"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non–default values, except where indicated by "{++}"
Startup items buried in registry:
–––––––––––––––––––––––––––––––––
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TuneUp MemOptimizer" = ""C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"]
"Komunikator" = "C:\Program Files\Tlen.pl\tlen.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"rfagent" = ""C:\Program Files\RFA\rfagent.exe"" ["KsL Software"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"eTrustPPAP" = ""C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"" ["Computer Associates"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"Run StartupMonitor" = "StartupMonitor.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{5C8B2A36–3DB1–42A4–A3CB–D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PCTools.com"]
{9ECB9560–04F9–4bbc–943D–298DDF1699E1}\(Default) = "Norton Personal Firewall"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{B56A7D7D–6927–48C8–A975–17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714–76d4–11d1–8b24–00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
–> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{472083B0–C522–11CF–8763–00608CC02F24}" = "avast"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860–8EE4–11D2–9906–E49FADC173CA}" = "WinRAR shell extension"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{FA010552–4A27–4cb1–A1BB–3E2D697F1639}" = "SpySubtract Shell Extension"
–> {CLSID}\InProcServer32\(Default) = "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FA010552–4A27–4cb1–A1BB–3E2D697F1639}" = "SpySubtract Shell Extension"
–> {CLSID}\InProcServer32\(Default) = "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
Enabled Wallpaper and Active Desktop:
–––––––––––––––––––––––––––––––––––––
Active Desktop is disabled.
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"
Startup items in "corratec" & "All Users" startup folders:
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
C:\Documents and Settings\corratec\Menu Start\Programy\Autostart
"SpySubtract" –> shortcut to: "C:\Program Files\interMute\SpySubtract\SpySub.exe –autostart" ["InterMute, Inc."]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"SpySubtract" –> shortcut to: "C:\Program Files\interMute\SpySubtract\SpySub.exe –autostart" ["InterMute, Inc."]
Enabled Scheduled Tasks:
––––––––––––––––––––––––
"1–Click Maintenance" –> launches: "C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"Symantec NetDetect" –> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
–––––––––––––––––––––––––––––––
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 – 03, 06 – 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 – 05
Toolbars, Explorer Bars, Extensions:
––––––––––––––––––––––––––––––––––––
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3–8D69–4B9E–9B19–A37C9A5676A7}"
–> {CLSID}\(Default) = "Norton Personal Firewall"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3–8D69–4B9E–9B19–A37C9A5676A7}"
–> {CLSID}\(Default) = "Norton Personal Firewall"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A–8670–49D9–A1A5–4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1–940F–48E0–8DFD–E38F1D501021}"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
Running Services (Display Name, Service Name, Path {Service DLL}):
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
Deepsight Extractor, DeepsightExtractor, "C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe" [null data]
DeepSight Extractor Service for NPF04, ExtractorServiceNPF04, "C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe" [null data]
ISSvc, ISSVC, ""C:\Program Files\Norton Personal Firewall\ISSVC.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD–LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
(W załączniku jest ten drugi log).
I mam jeszcze jedno pytanie w opisie jednej z pozycj w logu z hijackthis widniała informacja,źe zmianę w rejestrze spowodował jakiś IKERNEL32.Vbs ale nigdzie nie znalazłem do niego opisu natomiast u siebie znalazłem pliki:ikernel.exe
Odpowiedzi: 3
Dziwne jest to ze tak naprawde niczego wielkiego nie widac, ale programy szaleją – jak mówisz.
Jeszcze pozostaje pytanie czym objawia sie to szaleństwo.
Ten VBS został zablokowany, czy jednak zmodyfikował RUN ??
Znajdz go na dysku i otworz notatnikiem, podaj albo samodzielenie przeanalizuj tresc tego skryptu.
Masz uruchomione jakies dodatkowe procesy w tasku oprocz tych, ktore HiJackThis wypisał ??
Sprobuj jeszcze dodatkowo odpalić system w awaryjnym i moze stamtąd przeskanowac dysk.
Sciagnij StarDreck i standardowo log zrób
Jesli nadal nic widac nie bedzie to trzeba bedzie program PV zastartować.
Jeszcze pozostaje pytanie czym objawia sie to szaleństwo.
Ten VBS został zablokowany, czy jednak zmodyfikował RUN ??
Znajdz go na dysku i otworz notatnikiem, podaj albo samodzielenie przeanalizuj tresc tego skryptu.
Masz uruchomione jakies dodatkowe procesy w tasku oprocz tych, ktore HiJackThis wypisał ??
Sprobuj jeszcze dodatkowo odpalić system w awaryjnym i moze stamtąd przeskanowac dysk.
Sciagnij StarDreck i standardowo log zrób
Jesli nadal nic widac nie bedzie to trzeba bedzie program PV zastartować.
Norton to tylko firewall , którego zresztą juź wywaliłem.Spyware Doctor instalowałem jak juź było "zle". Restrykcji nie nakładałem(przynajmniej świadomie) i nie wiem skąd są.Skrypt VBS zmodyfikował wszystie pozycje 04.Myślałem,źe ten Norton coś moźe powodować(ponoć gryzie się z SP2),ale po deinstalacji antywir nadal zaczyna szaleć jak i pozostały jeden program anty–spy pozostałe wywaliłem a i jeszcze jak uruchamiam aplikacje sprawdzające uruchomione procesy komp wręcz się wiesza.
Otoz musze Cie zmartwić albo i nie ale niczego wiekszego w logu nie widać.
W logu widze tylko watpliwej reputacji program 'Spyware Doctor', ktorego osobiscie bym sie pozbył.
Nastepnie zastanawia mnie obecnosc dwuch antywirusow pracujących w tle (Avast + Norton), odinstaluj jeden z nich bo jest duze prawdopodobienstwo, ze sie nie lubią.
W logu do sprzatniecia:
Tą restrykcje wprowadzałes osobiscie przy pomocy, ktoregoś z programów ??
Silent wypluwa takie informacje:
ikernel.exe to od InstallShield
Jakie pozycje w rejestrze probował modyfikowac ten skrypt VBS ??
W logu widze tylko watpliwej reputacji program 'Spyware Doctor', ktorego osobiscie bym sie pozbył.
Nastepnie zastanawia mnie obecnosc dwuch antywirusow pracujących w tle (Avast + Norton), odinstaluj jeden z nich bo jest duze prawdopodobienstwo, ze sie nie lubią.
W logu do sprzatniecia:
O2 – BHO: PCTools Site Guard – {5C8B2A36–3DB1–42A4–A3CB–D426709BBFEB} – C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 – BHO: PCTools Browser Monitor – {B56A7D7D–6927–48C8–A975–17DF180C71AC} – C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 – HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe"
O9 – Extra button: Spyware Doctor – {2D663D1A–8670–49D9–A1A5–4C56B4E14E84} – C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
Tą restrykcje wprowadzałes osobiscie przy pomocy, ktoregoś z programów ??
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
Silent wypluwa takie informacje:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{5C8B2A36–3DB1–42A4–A3CB–D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PCTools.com"]
{B56A7D7D–6927–48C8–A975–17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A–8670–49D9–A1A5–4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1–940F–48E0–8DFD–E38F1D501021}"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
ikernel.exe to od InstallShield
Jakie pozycje w rejestrze probował modyfikowac ten skrypt VBS ??
Strona 1 / 1