Malicious redirection of pages from Google search results

For some time now, after typing a query into Google, picking one of the results and clicking it (open in new window), instead of going to that address I am redirected to this page:
http://213.83.55.150/promo.html

Only to this one and only in this case (i.e. I don't use other search engines so I can't say, but it happens only during this action)
It doesn't happen every time, only sometimes...

What could this be?
I searched here but found nothing like it :(

Replies: 6

yes, I've had WeatherCast for a few years already - I wanted it myself, even though I know it's spyware :( and this thing has been sitting on my machine for about a week..
sicilpol
Added
21.02.2006 14:03:34
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{91EA030F-F78B-4848-A36C-E5403752D865}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\seclpgon.dll" [null data]


Some knock-off of seclogon.
Did you install the WeatherCast spy-weather-widget yourself, or did it tag along bundled with another program?
Bobi
Added
21.02.2006 14:01:47
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WeatherCast" = ""C:\Program Files\WeatherCast\Weather.exe" /q" [empty string]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Babylon Client" = "C:\Program Files\Babylon\Babylon.exe -AutoStart" ["Babylon Ltd."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"LWBMOUSE" = "C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE" [empty string]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{91EA030F-F78B-4848-A36C-E5403752D865}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\seclpgon.dll" [null data]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Ania\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Ania" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Ania\Menu Start\Programy\Autostart
"Nortin Antivir" -> shortcut to: "C:\Program Files\Norton AntiVirus\NAVAPW32.exe" [null data]
"TrayIt!" -> shortcut to: "C:\Documents and Settings\Ania\Ustawienia lokalne\Temp\Rar$EX00.141\TrayIt!.exe" ["Igor Nys"]
"Zone Alarm" -> shortcut to: "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe" ["Zone Labs, LLC"]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Uruchom pełne skanowanie systemu - Ania" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\ = "Shell Search Band" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{B13B4423-2647-4CFC-A4B3-C7D56CB83487}\
"ButtonText" = "Share in Hello"
"MenuText" = "Share in H&ello"
"CLSIDExtension" = "{B13B4423-2647-4cfc-A4B3-C7D56CB83487}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hello\PicasaCapture.dll" ["Picasa, Inc."]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

MSSQLSERVER, MSSQLSERVER, "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER" [MS]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Usługa Auto-Protect programu Norton AntiVirus, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Usługa Norton Protection Center, NSCService, ""C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDF995 Monitor\Driver = "pdf995mon.dll" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 48 seconds, including 4 seconds for message boxes)

That would be something like this :)
sicilpol
Added
21.02.2006 13:44:05
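As an added example (not part of the thread and not code from the Silent Runners tool), a small Python triage script that reads the "Browser Helper Objects" section of a Silent Runners log and flags entries with no title, no version/company information, or a file name one character away from a legitimate system DLL, which is the pattern Bobi spotted with seclpgon.dll versus seclogon.dll. The embedded log excerpt is constructed after the one posted above (with ASCII hyphens), and the list of system DLL names is an assumed starting set.

```python
"""Triage the "Browser Helper Objects" section of a Silent Runners log (added example)."""
import re

# Legitimate Windows DLL names that malware likes to imitate (assumed list; extend it).
KNOWN_SYSTEM_DLLS = ("seclogon.dll", "browseui.dll", "mswsock.dll", "winrnr.dll")

# "{CLSID}\(Default) = <title>" line that opens each BHO entry
BHO_RE = re.compile(r'^\{[0-9A-Fa-f-]{36}\}\\\(Default\) = (.*)$')
# "-> {CLSID}\InProcServer32\(Default) = "<dll path>" [<company>]" line that follows it
DLL_RE = re.compile(r'^-> \{CLSID\}\\InProcServer32\\\(Default\) = "([^"]+)" \[(.*)\]$')

# Constructed excerpt modelled on the log in the thread (one benign BHO, one suspect).
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{91EA030F-F78B-4848-A36C-E5403752D865}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\seclpgon.dll" [null data]
"""

def one_char_off(a: str, b: str) -> bool:
    """True when two equal-length names differ in exactly one character (seclpgon vs seclogon)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def triage_bho(log_text: str) -> list:
    """Return one finding per suspicious BHO: {'dll': path, 'reasons': [...]}."""
    findings, title = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            title = m.group(1)          # remember the title until its DLL line arrives
            continue
        m = DLL_RE.match(line)
        if not m or title is None:
            continue
        path, company = m.groups()
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if title == "(no title provided)":
            reasons.append("no title")
        if company in ("null data", "file not found"):
            reasons.append("no version/company info")
        reasons += [f"look-alike of {k}" for k in KNOWN_SYSTEM_DLLS
                    if name != k and one_char_off(name, k)]
        if reasons:
            findings.append({"dll": path, "reasons": reasons})
        title = None                    # each title pairs with exactly one DLL line
    return findings
```

Running `triage_bho(SAMPLE_LOG)` reports only the seclpgon.dll entry, with all three reasons; a DLL signed by a known vendor and carrying a title is left alone.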
I would still prefer to see that log; you run the SR script by double-clicking it, after a dozen or so seconds it will alert you that it has finished its work, and in the directory where it sits a file Startup Programs... should appear; its contents are what would interest me.
Bobi
Added
21.02.2006 13:29:29
I did a scan with HijackThis and it showed me nothing :(
and I can't even work out how to use the other one :(
:(
sicilpol
Added
21.02.2006 13:17:27
What more is there to write than that you probably have some "guest" in your system.
Use HijackThis and Silent Runners.
Bobi
Added
21.02.2006 12:01:28
sicilpol
Added:
21.02.2006 11:27:28