
Help! Hijackthis.log - Where are you netsec?!?!

21.12.04, 09:58
Help me!

Logfile of HijackThis v1.99.0
Scan saved at 15:58:59, on 20.12.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\rundll32.exe
C:\Programme\Mozilla Thunderbird\thunderbird.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\user\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O1 - Hosts: earch
O1 - Hosts: earch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate
Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Programme\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec
Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Programme\SurfSideKick 2\Ssk.exe
O8 - Extra context menu item: &Google Search -
res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite -
res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten -
res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten -
res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) -
www.t058.com/b/Click_Yes_to_Continue.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) -
static.topconverting.com/activex/loader2.ocx
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) -
www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
- www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} -
bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{DBA55AA9-08EA-4230-8F75-49787047B2A7}:
NameServer = 194.204.152.34,212.14.1.66
O23 - Service: Symantec Event Manager - Symantec Corporation -
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation -
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger -
VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation -
C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation -
C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame
Dateien\Symantec Shared\Security Center\SymWSC.exe

    • netsec Re: Help! Hijackthis.log - Where are you netsec?! 21.12.04, 10:54
      F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
      O1 - Hosts: earch
      O1 - Hosts: earch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 ieautosearch
      O1 - Hosts: 69.20.16.183 search.netscape.com
      O1 - Hosts: 69.20.16.183 auto.search.msn.com
      O1 - Hosts: 69.20.16.183 ieautosearch

      O4 - HKLM\..\Run: [SurfSideKick 2] C:\Programme\SurfSideKick 2\Ssk.exe
      O4 - HKCU\..\Run: [SurfSideKick 2] C:\Programme\SurfSideKick 2\Ssk.exe

      O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
      public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
      O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) -
      www.t058.com/b/Click_Yes_to_Continue.cab
      O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) -
      static.topconverting.com/activex/loader2.ocx
      O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) -
      www.bitdefender.com/scan/Msie/bitdefender.cab
      • brusli1 Re: Help! Hijackthis.log - Where are you netsec?! 07.01.05, 16:28
        Hello,

        yesterday the administrator made a Ghost image and that way the problem finally disappeared -
        there was no point in hunting for this virus - restoring a Ghost image ultimately takes less time and nerves.
        Thanks for the help.
        Regards!
    • netsec Re: Help! Hijackthis.log - Where are you netsec?! 21.12.04, 10:55
      What's in the previous post is to be removed in HiJack; after that paste a new Hijack log.
      • brusli1 Re: Help! Hijackthis.log - Where are you netsec?! 21.12.04, 10:58
        Thanks. Where should I paste it?
      • brusli1 New log 21.12.04, 11:11
        The new log looks like this:
        (but a moment ago IE started up on me again (I normally don't use it) and showed
        some pages...)

        Logfile of HijackThis v1.99.0
        Scan saved at 11:11:33, on 21.12.2004
        Platform: Windows 2000 SP4 (WinNT 5.00.2195)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINNT\System32\smss.exe
        C:\WINNT\system32\winlogon.exe
        C:\WINNT\system32\services.exe
        C:\WINNT\system32\lsass.exe
        C:\WINNT\system32\svchost.exe
        C:\WINNT\system32\spoolsv.exe
        C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
        C:\WINNT\system32\svchost.exe
        C:\Programme\Norton AntiVirus\navapsvc.exe
        C:\WINNT\system32\regsvc.exe
        C:\WINNT\system32\MSTask.exe
        C:\WINNT\system32\stisvc.exe
        C:\WINNT\System32\WBEM\WinMgmt.exe
        C:\WINNT\system32\svchost.exe
        C:\WINNT\Explorer.EXE
        C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
        C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
        C:\WINNT\system32\internat.exe
        C:\Programme\Mozilla Thunderbird\thunderbird.exe
        C:\WINNT\system32\rundll32.exe
        C:\Programme\Mozilla Firefox\firefox.exe
        C:\Dokumente und Einstellungen\user\Desktop\HijackThis.exe

        O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio -
        {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
        c:\programme\google\googletoolbar1.dll
        O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
        C:\Programme\Norton AntiVirus\NavShExt.dll
        O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
        O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
        O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec
        Shared\ccApp.exe"
        O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec
        Shared\ccRegVfy.exe"
        O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec
        Shared\Security Center\UsrPrmpt.exe
        O4 - HKCU\..\Run: [internat.exe] internat.exe
        O8 - Extra context menu item: &Google Search -
        res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
        O8 - Extra context menu item: Im Cache gespeicherte Seite -
        res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
        O8 - Extra context menu item: Verweisseiten -
        res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
        O8 - Extra context menu item: Ähnliche Seiten -
        res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
        O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
        O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
        O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
        O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
        O15 - Trusted Zone: *.frame.crazywinnings.com
        O15 - Trusted Zone: *.static.topconverting.com
        O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
        O15 - Trusted Zone: *.static.topconverting.com (HKLM)
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
        www.pandasoftware.com/activescan/as5/asinst.cab
        O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} -
        bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
        O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA55AA9-08EA-4230-8F75-49787047B2A7}:
        NameServer = 194.204.152.34,212.14.1.66
        O23 - Service: Symantec Event Manager - Symantec Corporation -
        C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
        O23 - Service: Symantec Password Validation Service - Symantec Corporation -
        C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
        O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger -
        VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
        O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation -
        C:\Programme\Norton AntiVirus\navapsvc.exe
        O23 - Service: ScriptBlocking Service - Symantec Corporation -
        C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
        O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame
        Dateien\Symantec Shared\Security Center\SymWSC.exe
    • brusli1 Re: Help! Hijackthis.log - Where are you netsec?! 21.12.04, 11:52
      Help! The stuff below shows up every time - even when I remove it with Hijack!
      What now? Format c: :)?

      O1 - Hosts: 69.20.16.183 search.netscape.com
      > O1 - Hosts: 69.20.16.183 auto.search.msn.com
      > O1 - Hosts: 69.20.16.183 ieautosearch
      • netsec Re: Help! Hijackthis.log - Where are you netsec?! 21.12.04, 12:03
        Just calm down, those entries are not the problem; you were supposed to paste the whole HIJack log!
        • brusli1 Whole log 21.12.04, 12:05
          Here you go:

          Logfile of HijackThis v1.99.0
          Scan saved at 12:06:47, on 21.12.2004
          Platform: Windows 2000 SP4 (WinNT 5.00.2195)
          MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

          Running processes:
          C:\WINNT\System32\smss.exe
          C:\WINNT\system32\winlogon.exe
          C:\WINNT\system32\services.exe
          C:\WINNT\system32\lsass.exe
          C:\WINNT\system32\svchost.exe
          C:\WINNT\system32\spoolsv.exe
          C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
          C:\WINNT\system32\svchost.exe
          C:\Programme\Norton AntiVirus\navapsvc.exe
          C:\WINNT\system32\regsvc.exe
          C:\WINNT\system32\MSTask.exe
          C:\WINNT\system32\stisvc.exe
          C:\WINNT\System32\WBEM\WinMgmt.exe
          C:\WINNT\system32\svchost.exe
          C:\WINNT\Explorer.EXE
          C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
          C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
          C:\WINNT\system32\internat.exe
          C:\WINNT\system32\rundll32.exe
          C:\WINNT\system32\svchost.exe
          C:\Programme\Mozilla Thunderbird\thunderbird.exe
          C:\Programme\Mozilla Firefox\firefox.exe
          C:\Dokumente und Einstellungen\user\Desktop\HijackThis.exe

          O1 - Hosts: 69.20.16.183 auto.search.msn.com
          O1 - Hosts: 69.20.16.183 search.netscape.com
          O1 - Hosts: 69.20.16.183 ieautosearch
          O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio -
          {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
          O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
          c:\programme\google\googletoolbar1.dll
          O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
          C:\Programme\Norton AntiVirus\NavShExt.dll
          O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
          O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
          O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec
          Shared\ccApp.exe"
          O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec
          Shared\ccRegVfy.exe"
          O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec
          Shared\Security Center\UsrPrmpt.exe
          O4 - HKCU\..\Run: [internat.exe] internat.exe
          O8 - Extra context menu item: &Google Search -
          res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
          O8 - Extra context menu item: Im Cache gespeicherte Seite -
          res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
          O8 - Extra context menu item: Verweisseiten -
          res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
          O8 - Extra context menu item: Ähnliche Seiten -
          res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
          O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
          O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
          O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
          O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
          O15 - Trusted Zone: *.frame.crazywinnings.com
          O15 - Trusted Zone: *.static.topconverting.com
          O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
          O15 - Trusted Zone: *.static.topconverting.com (HKLM)
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
          www.pandasoftware.com/activescan/as5/asinst.cab
          O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} -
          bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
          O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA55AA9-08EA-4230-8F75-49787047B2A7}:
          NameServer = 194.204.152.34,212.14.1.66
          O23 - Service: Symantec Event Manager - Symantec Corporation -
          C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
          O23 - Service: Symantec Password Validation Service - Symantec Corporation -
          C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
          O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger -
          VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
          O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation -
          C:\Programme\Norton AntiVirus\navapsvc.exe
          O23 - Service: ScriptBlocking Service - Symantec Corporation -
          C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
          O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame
          Dateien\Symantec Shared\Security Center\SymWSC.exe
          • netsec Re: Winsock 21.12.04, 13:40
            Download CWShredder cwshredder.net/bin/CWShredder.exe

            > O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
            > O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
            > O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
            > O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll

            DO NOT DELETE THIS in HiJack, your network will go down.
            Manual removal is not feasible. The file aklsp.dll is integrated into the
            Winsock LSP chain, which from the user's point of view is not editable.
            This is a very rare and hardcore infection method. Removing this trojan from the
            system incorrectly causes a total loss of the internet connection, which cannot
            be repaired even by reinstalling Windows!

            1. For safety reasons we do NOT remove these entries via HijackThis but with the
            free tool that repairs the Winsock chain, LSP-Fix
            www.cexx.org/lspfix.htm
            (alternative link www.majorgeeks.com/download4180.html).
            Run lspfix.exe and tick 'I know what I'm doing', if you really are
            sure ;) In the Keep box highlight only and exclusively the file aklsp.dll and
            move it with the arrow to the Remove box, then Finish.

            After that run CWShredder and FIX.

            After that paste a new log.
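A defender-side triage of the entry classes this thread turns on: the O1 hosts redirects netsec listed for removal, the O10 LSP entry he says not to delete in HijackThis, and the entries that keep coming back between scans. This is an added example, not code from the thread, from netsec or from HijackThis; the sample log lines are constructed from the formats in the thread, and the O16 allowlist is this example's own assumption.

```python
"""Triage HijackThis 1.99-style log lines for the indicator classes seen in this
thread: hosts-file redirects (O1), unknown Winsock LSP modules (O10), Trusted Zone
additions (O15), ActiveX downloads (O16) and DNS settings (O17), and spot entries
that survive a HijackThis fix. Added example; not code from the thread or HijackThis."""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^\s*(?P<sec>[A-Z]\d+) - (?P<body>.*\S)\s*$")
LOCAL_IPS = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost"}
# Assumed allowlist (this example's choice, not from the thread): hosts from which
# O16 "Downloaded Program Files" are expected, e.g. the online scanners used here.
DPF_ALLOWLIST = {"www.pandasoftware.com", "bezpieczenstwo.onet.pl"}

# Constructed samples in the thread's log format: a log before a HijackThis "fix"
# and the re-scan afterwards, in which the hosts entries have come back.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.0
O1 - Hosts: earch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - static.topconverting.com/activex/loader2.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA55AA9-08EA-4230-8F75-49787047B2A7}: NameServer = 194.204.152.34,212.14.1.66
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.99.0
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA55AA9-08EA-4230-8F75-49787047B2A7}: NameServer = 194.204.152.34,212.14.1.66
"""


def parse(log_text):
    """Return [(section, body)] for each entry line; headers and process lists are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(log_text):
    """Return a sorted list of (severity, section, message) findings for one log."""
    findings = set()
    hosts_by_ip = defaultdict(set)
    for sec, body in parse(log_text):
        if sec == "O1":
            parts = body.split()
            if len(parts) == 3 and parts[0] == "Hosts:":
                ip, name = parts[1], parts[2]
                if ip not in LOCAL_IPS and name not in LOCAL_NAMES:
                    hosts_by_ip[ip].add(name)
            else:
                # e.g. "Hosts: earch": a damaged hosts line, worth a look but not a redirect
                findings.add(("low", sec, f"malformed hosts entry: {body}"))
        elif sec == "O10":
            # Deleting an LSP module in HijackThis leaves a broken Winsock chain (no network);
            # the thread's advice is to unlink it with LSP-Fix instead.
            dll = body.split(":", 1)[1].strip()
            findings.add(("critical", sec, f"unknown Winsock LSP module {dll}: "
                          "repair the chain with LSP-Fix, do not delete it with HijackThis"))
        elif sec == "O15":
            findings.add(("medium", sec, f"site added to IE Trusted Zone: {body.split(':', 1)[1].strip()}"))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = url.split("/", 1)[0]
            if host not in DPF_ALLOWLIST:
                findings.add(("high", sec, f"ActiveX download from unlisted host {host}: {url}"))
        elif sec == "O17":
            findings.add(("info", sec, f"DNS override present: {body.rsplit(':', 1)[-1].strip()}"))
    for ip, names in hosts_by_ip.items():
        # Several third-party names resolving to one address is the search-redirect pattern in this thread.
        findings.add(("high", "O1", f"{len(names)} hostnames redirected to {ip}: {', '.join(sorted(names))}"))
    return sorted(findings)


def recurring(*logs):
    """Findings present in every log. Entries that come back after a HijackThis fix point
    to a component still running and rewriting them, not to a cleanup mistake."""
    common = set(triage(logs[0]))
    for log in logs[1:]:
        common &= set(triage(log))
    return sorted(common)


if __name__ == "__main__":
    for severity, sec, msg in triage(LOG_BEFORE):
        print(f"[{severity:8}] {sec}: {msg}")
    print("came back after the fix:")
    for severity, sec, msg in recurring(LOG_BEFORE, LOG_AFTER):
        print(f"[{severity:8}] {sec}: {msg}")
```

Feeding the two logs from the thread's earlier and later posts into recurring() is the check brusli1 was doing by eye: whatever survives the fix is being rewritten by something still running.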
            • brusli1 Re: Winsock 21.12.04, 14:09
              I did as you instructed.
              What about these: ???

              O1 - Hosts: 69.20.16.183 ieautosearch
              O1 - Hosts: 69.20.16.183 ieautosearch
              O1 - Hosts: 69.20.16.183 auto.search.msn.com
              O1 - Hosts: 69.20.16.183 search.netscape.com

              Here's the log

              Logfile of HijackThis v1.99.0
              Scan saved at 14:08:22, on 21.12.2004
              Platform: Windows 2000 SP4 (WinNT 5.00.2195)
              MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

              Running processes:
              C:\WINNT\System32\smss.exe
              C:\WINNT\system32\winlogon.exe
              C:\WINNT\system32\services.exe
              C:\WINNT\system32\lsass.exe
              C:\WINNT\system32\svchost.exe
              C:\WINNT\system32\spoolsv.exe
              C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
              C:\WINNT\system32\svchost.exe
              C:\Programme\Norton AntiVirus\navapsvc.exe
              C:\WINNT\system32\regsvc.exe
              C:\WINNT\system32\MSTask.exe
              C:\WINNT\system32\stisvc.exe
              C:\WINNT\System32\WBEM\WinMgmt.exe
              C:\WINNT\system32\svchost.exe
              C:\WINNT\Explorer.EXE
              C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
              C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
              C:\WINNT\system32\internat.exe
              C:\Programme\Mozilla Thunderbird\thunderbird.exe
              C:\WINNT\system32\rundll32.exe
              C:\Programme\Mozilla Firefox\firefox.exe
              C:\Programme\Microsoft Office\Office\EXCEL.EXE
              C:\Dokumente und Einstellungen\user\Desktop\HijackThis.exe

              O1 - Hosts: 69.20.16.183 ieautosearch
              O1 - Hosts: 69.20.16.183 ieautosearch
              O1 - Hosts: 69.20.16.183 auto.search.msn.com
              O1 - Hosts: 69.20.16.183 search.netscape.com
              O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio -
              {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
              O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
              c:\programme\google\googletoolbar1.dll
              O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
              C:\Programme\Norton AntiVirus\NavShExt.dll
              O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
              O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
              O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec
              Shared\ccApp.exe"
              O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec
              Shared\ccRegVfy.exe"
              O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec
              Shared\Security Center\UsrPrmpt.exe
              O4 - HKCU\..\Run: [internat.exe] internat.exe
              O8 - Extra context menu item: &Google Search -
              res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
              O8 - Extra context menu item: Im Cache gespeicherte Seite -
              res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
              O8 - Extra context menu item: Verweisseiten -
              res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
              O8 - Extra context menu item: Ähnliche Seiten -
              res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
              O15 - Trusted Zone: *.frame.crazywinnings.com
              O15 - Trusted Zone: *.static.topconverting.com
              O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
              O15 - Trusted Zone: *.static.topconverting.com (HKLM)
              O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
              www.pandasoftware.com/activescan/as5/asinst.cab
              O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} -
              bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab
              O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA55AA9-08EA-4230-8F75-49787047B2A7}:
              NameServer = 194.204.152.34,212.14.1.66
              O23 - Service: Symantec Event Manager - Symantec Corporation -
              C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
              O23 - Service: Symantec Password Validation Service - Symantec Corporation -
              C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
              O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger -
              VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
              O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation -
              C:\Programme\Norton AntiVirus\navapsvc.exe
              O23 - Service: ScriptBlocking Service - Symantec Corporation -
              C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
              O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame
              Dateien\Symantec Shared\Security Center\SymWSC.exe
              • netsec Re: Winsock 21.12.04, 17:13
                Now run Spybot over the system:
                forum.gazeta.pl/forum/72,2.html?f=23618&w=16148176
                • brusli1 Re: Winsock 22.12.04, 11:29
                  Spybot apparently can't handle it, because this keeps reappearing.
                  Maybe AdAware? I have version 6.0 - is there a newer one?

                  O1 - Hosts: 69.20.16.183 ieautosearch
                  O1 - Hosts: 69.20.16.183 ieautosearch
                  O1 - Hosts: 69.20.16.183 auto.search.msn.com
                  O1 - Hosts: 69.20.16.183 search.netscape.com

                  Thank you for the time you've given me.
                  • netsec Re: Winsock 22.12.04, 11:40
                    Uninstall Ad-Aware 6.0, install the newer 1.05 SE and scan the system:
                    forum.gazeta.pl/forum/72,2.html?f=23618&w=16148176
                    Download these files:

                    80.53.91.142/netsec/tools/Zone_map.zip
                    80.53.91.142/netsec/tools/windowsupdate_on.zip
                    80.53.91.142/netsec/tools/IErestore_fix.zip
                    Close all Internet Explorer windows.
                    Unpack each file one at a time, click it and confirm the modification.
                    These are registry entries restoring the original system settings that
                    were modified by the trojan.

                    Put the mouse on the desktop, right-click and choose Properties.
                    Then go to the Desktop tab and set Background to None. Next go to
                    Customize Desktop and then Web, and delete or untick the items that are there.
                    Finally confirm the changes with OK.

                    Paste the whole HiJack log.
                    • brusli1 Re: Winsock 22.12.04, 12:14
                      Apparently not everything worked...
                      Here's the log:

                      Logfile of HijackThis v1.99.0
                      Scan saved at 12:14:51, on 22.12.2004
                      Platform: Windows 2000 SP4 (WinNT 5.00.2195)
                      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                      Running processes:
                      C:\WINNT\System32\smss.exe
                      C:\WINNT\system32\winlogon.exe
                      C:\WINNT\system32\services.exe
                      C:\WINNT\system32\lsass.exe
                      C:\WINNT\system32\svchost.exe
                      C:\WINNT\system32\spoolsv.exe
                      C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
                      C:\WINNT\system32\svchost.exe
                      C:\Programme\Norton AntiVirus\navapsvc.exe
                      C:\WINNT\system32\regsvc.exe
                      C:\WINNT\system32\MSTask.exe
                      C:\WINNT\system32\stisvc.exe
                      C:\WINNT\System32\WBEM\WinMgmt.exe
                      C:\WINNT\system32\svchost.exe
                      C:\WINNT\Explorer.EXE
                      C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
                      C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
                      C:\WINNT\system32\internat.exe
                      C:\WINNT\system32\rundll32.exe
                      C:\Programme\Mozilla Thunderbird\thunderbird.exe
                      C:\Dokumente und Einstellungen\user\Desktop\HijackThis.exe

                      O1 - Hosts: 69.20.16.183 auto.search.msn.com
                      O1 - Hosts: 69.20.16.183 search.netscape.com
                      O1 - Hosts: 69.20.16.183 ieautosearch
                      O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio -
                      {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
                      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
                      c:\programme\google\googletoolbar1.dll
                      O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
                      C:\Programme\Norton AntiVirus\NavShExt.dll
                      O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
                      O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
                      O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec
                      Shared\ccApp.exe"
                      O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec
                      Shared\ccRegVfy.exe"
                      O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec
                      Shared\Security Center\UsrPrmpt.exe
                      O4 - HKCU\..\Run: [internat.exe] internat.exe
                      O8 - Extra context menu item: &Google Search -
                      res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
                      O8 - Extra context menu item: Im Cache gespeicherte Seite -
                      res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
                      O8 - Extra context menu item: Verweisseiten -
                      res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
                      O8 - Extra context menu item: Ähnliche Seiten -
                      res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
                      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
                      www.pandasoftware.com/activescan/as5/asinst.cab
                      O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA55AA9-08EA-4230-8F75-49787047B2A7}:
                      NameServer = 194.204.152.34,212.14.1.66
                      O23 - Service: Symantec Event Manager - Symantec Corporation -
                      C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
                      O23 - Service: Symantec Password Validation Service - Symantec Corporation -
                      C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
                      O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger -
                      VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
                      O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation -
                      C:\Programme\Norton AntiVirus\navapsvc.exe
                      O23 - Service: ScriptBlocking Service - Symantec Corporation -
                      C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
                      O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame
                      Dateien\Symantec Shared\Security Center\SymWSC.exe
                      • netsec Silent Runners 22.12.04, 12:17
                        Corrected link 80.53.91.142/netsec/tools/Silent_Runners.zip
                        • brusli1 Re: Silent Runners 22.12.04, 12:34
                          Log:

                          "Silent Runners.vbs", revision 27, launched at: 12:35
                          Operating System: Windows 2000


                          Startup items buried in registry:
                          ---------------------------------

                          HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
                          "internat.exe" = "internat.exe" [MS]

                          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
                          "Synchronization Manager" = "mobsync.exe /logon" [MS]
                          "WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
                          "ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe""
                          ["Symantec Corporation"]
                          "ccRegVfy" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe""
                          ["Symantec Corporation"]
                          "SSC_UserPrompt" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security
                          Center\UsrPrmpt.exe" ["Symantec Corporation"]

                          HKLM\Software\Microsoft\Active Setup\Installed Components\
                          ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media
                          Player"
                          \StubPath =
                          "C:\WINNT\system32\setup\wmpocm.exe /ShowWMP" [MS]

                          HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
                          "Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
                          -> resolves to: {CLSID}\InprocServer32\(Default) =
                          "C:\WINNT\system32\NETSHELL.dll" [MS]
                          "WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
                          -> resolves to: {CLSID}\InprocServer32\(Default) =
                          "C:\WINNT\system32\webcheck.dll" [MS]
                          "SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
                          -> resolves to: {CLSID}\InprocServer32\(Default) = "stobject.dll" [MS]

                          HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
                          "load" = ** WARNING
                          • brusli1 Aha - something else 22.12.04, 12:38
                            Ad-Aware shows it has a problem with this:
                            C:\WINNT\System32\g8lmli3118.dll
                            • netsec Re: Aha - something else 22.12.04, 12:51
                              From the START menu choose Run and type:
                              Regsvr32.exe /u C:\WINNT\system32\h0l2la3o1d.dll
                              then OK.
                              This one too, though it probably won't be there:
                              Regsvr32.exe /u C:\WINNT\System32\g8lmli3118.dll
                              then OK.
                              After that restart the computer and paste a Silent Runners log.
                              • brusli1 Silent Runners log 22.12.04, 13:13
                                The second one really wasn't there.
                                Restoring the original registry values for IE doesn't seem to have worked either
                                - I don't use IE, but it still starts on its own every so often and shows stupid
                                pages full of rubbish. Maybe I should just do a Ghost restore after all?
                                Here is the log:

                                "Silent Runners.vbs", revision 27, launched at: 13:10
                                Operating System: Windows 2000


                                Startup items buried in registry:
                                ---------------------------------

                                HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
                                "internat.exe" = "internat.exe" [MS]

                                HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
                                "Synchronization Manager" = "mobsync.exe /logon" [MS]
                                "WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
                                "ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe""
                                ["Symantec Corporation"]
                                "ccRegVfy" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe""
                                ["Symantec Corporation"]
                                "SSC_UserPrompt" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security
                                Center\UsrPrmpt.exe" ["Symantec Corporation"]

                                HKLM\Software\Microsoft\Active Setup\Installed Components\
                                ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media
                                Player"
                                \StubPath =
                                "C:\WINNT\system32\setup\wmpocm.exe /ShowWMP" [MS]

                                HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
                                "Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
                                -> resolves to: {CLSID}\InprocServer32\(Default) =
                                "C:\WINNT\system32\NETSHELL.dll" [MS]
                                "WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
                                -> resolves to: {CLSID}\InprocServer32\(Default) =
                                "C:\WINNT\system32\webcheck.dll" [MS]
                                "SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
                                -> resolves to: {CLSID}\InprocServer32\(Default) = "stobject.dll" [MS]

                                HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
                                "load" = ** WARNING
                                • netsec Re: Silent Runners log 22.12.04, 14:21
                                  Delete the file f0l0la3m1d.dll; first check in Folder Options that showing
                                  hidden files and folders is turned on.
                                  After that paste a HijackThis log.
                                  • brusli1 Re: Silent Runners log 22.12.04, 15:00
                                    Deleted.

                                    Logfile of HijackThis v1.99.0
                                    Scan saved at 14:59:24, on 22.12.2004
                                    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
                                    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                                    Running processes:
                                    C:\WINNT\System32\smss.exe
                                    C:\WINNT\system32\winlogon.exe
                                    C:\WINNT\system32\services.exe
                                    C:\WINNT\system32\lsass.exe
                                    C:\WINNT\system32\svchost.exe
                                    C:\WINNT\system32\spoolsv.exe
                                    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
                                    C:\WINNT\system32\svchost.exe
                                    C:\Programme\Norton AntiVirus\navapsvc.exe
                                    C:\WINNT\system32\regsvc.exe
                                    C:\WINNT\system32\MSTask.exe
                                    C:\WINNT\system32\stisvc.exe
                                    C:\WINNT\System32\WBEM\WinMgmt.exe
                                    C:\WINNT\system32\svchost.exe
                                    C:\WINNT\Explorer.EXE
                                    C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
                                    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
                                    C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
                                    C:\WINNT\system32\internat.exe
                                    C:\WINNT\system32\rundll32.exe
                                    C:\Programme\Mozilla Thunderbird\thunderbird.exe
                                    C:\Programme\Mozilla Firefox\firefox.exe
                                    C:\Dokumente und Einstellungen\user\Desktop\HijackThis.exe

                                    O1 - Hosts: 69.20.16.183 auto.search.msn.com
                                    O1 - Hosts: 69.20.16.183 search.netscape.com
                                    O1 - Hosts: 69.20.16.183 ieautosearch
                                    O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio -
                                    {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
                                    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
                                    c:\programme\google\googletoolbar1.dll
                                    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
                                    C:\Programme\Norton AntiVirus\NavShExt.dll
                                    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
                                    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
                                    O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec
                                    Shared\ccApp.exe"
                                    O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec
                                    Shared\ccRegVfy.exe"
                                    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec
                                    Shared\Security Center\UsrPrmpt.exe
                                    O4 - HKCU\..\Run: [internat.exe] internat.exe
                                    O8 - Extra context menu item: &Google Search -
                                    res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
                                    O8 - Extra context menu item: Im Cache gespeicherte Seite -
                                    res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
                                    O8 - Extra context menu item: Verweisseiten -
                                    res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
                                    O8 - Extra context menu item: Ähnliche Seiten -
                                    res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
                                    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
                                    www.pandasoftware.com/activescan/as5/asinst.cab
                                    O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA55AA9-08EA-4230-8F75-49787047B2A7}:
                                    NameServer = 194.204.152.34,212.14.1.66
                                    O23 - Service: Symantec Event Manager - Symantec Corporation -
                                    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
                                    O23 - Service: Symantec Password Validation Service - Symantec Corporation -
                                    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
                                    O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger -
                                    VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
                                    O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation -
                                    C:\Programme\Norton AntiVirus\navapsvc.exe
                                    O23 - Service: ScriptBlocking Service - Symantec Corporation -
                                    C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
                                    O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame
                                    Dateien\Symantec Shared\Security Center\SymWSC.exe
                                    • netsec Re: Silent Runners log 22.12.04, 15:10
                                      Remove these entries in HijackThis:
                                      O1 - Hosts: 69.20.16.183 auto.search.msn.com
                                      O1 - Hosts: 69.20.16.183 search.netscape.com
                                      O1 - Hosts: 69.20.16.183 ieautosearch
                                      O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

                                      We'll see how it looks after a restart.
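An added example, not code from this thread: a small Python parser for the HijackThis O1 lines quoted in the post above. It picks out hosts-file mappings that point anywhere except loopback, groups the hijacked names per target IP, and emits the exact O1 lines to tick in HijackThis. The sample log is constructed from the entries in this thread, with a localhost line, a duplicate and a truncated line added to exercise the parser; the names parse_o1, suspicious_mappings, group_by_target and hijackthis_fix_list are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# A HijackThis "O1" line reports one hosts-file mapping: "O1 - Hosts: <ip> <hostname>".
O1_RE = re.compile(r"^O1 - Hosts:\s*(\S+)\s+(\S+)\s*$")

# Constructed sample, not a pasted log: the three redirects from the thread, the
# duplicate ieautosearch line seen in a later log, a benign localhost mapping,
# a truncated O1 line of the kind a broken paste leaves behind, and one O4 line
# that the O1 parser must ignore.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: earch
O4 - HKLM\\..\\Run: [WheelMouse] C:\\PROGRA~1\\A4Tech\\Mouse\\Amoumain.exe
"""


def parse_o1(log_text):
    """Return (ip, hostname) pairs for well-formed O1 lines; skip everything else."""
    pairs = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if not m:
            continue  # not an O1 line, or a truncated one such as "O1 - Hosts: earch"
        ip_text, host = m.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # first token is not an IP address at all
        pairs.append((ip, host))
    return pairs


def suspicious_mappings(pairs):
    """A hosts entry is suspicious when it sends a name anywhere but loopback
    (127.0.0.0/8 or ::1). A clean hosts file holds little else; the entries in
    this thread steer IE's search hosts to one public address instead."""
    return [(ip, host) for ip, host in pairs if not ip.is_loopback]


def group_by_target(pairs):
    """Hostnames per non-loopback target: many names on one IP is the hijack pattern."""
    groups = defaultdict(set)
    for ip, host in suspicious_mappings(pairs):
        groups[str(ip)].add(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def hijackthis_fix_list(pairs):
    """The exact O1 lines to tick in HijackThis, deduplicated, in log order."""
    seen, out = set(), []
    for ip, host in suspicious_mappings(pairs):
        line = f"O1 - Hosts: {ip} {host}"
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


if __name__ == "__main__":
    pairs = parse_o1(SAMPLE_LOG)
    for ip, hosts in group_by_target(pairs).items():
        print(f"{ip} <- {', '.join(hosts)}")
    print("\n".join(hijackthis_fix_list(pairs)))
```

Ticking the O1 entries in HijackThis only rewrites the hosts file; as the later logs in this thread show, the same lines come back while the component that writes them is still running, so the script is a triage aid, not a cleanup.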
                                      • brusli1 Re: Silent Runners log 23.12.04, 12:13
                                        Hi,

                                        Are you sure about: O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe
                                        /logon ???
                                        I checked all 15 computers at the company and they have it in autostart too -
                                        but nobody has problems like mine...
                                        regards
                                        • netsec Re: Silent Runners log 23.12.04, 12:39
                                          Synchronization Manager - right, I forgot this is Windows 2000.
                                          It will come back by default even after removal anyway; you can leave it.
                                          What do the HijackThis and Silent Runners logs look like now?
                                          • brusli1 HijackThis log 23.12.04, 12:57
                                            Logfile of HijackThis v1.99.0
                                            Scan saved at 12:59:08, on 23.12.2004
                                            Platform: Windows 2000 SP4 (WinNT 5.00.2195)
                                            MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                                            Running processes:
                                            C:\WINNT\System32\smss.exe
                                            C:\WINNT\system32\winlogon.exe
                                            C:\WINNT\system32\services.exe
                                            C:\WINNT\system32\lsass.exe
                                            C:\WINNT\system32\svchost.exe
                                            C:\WINNT\system32\spoolsv.exe
                                            C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
                                            C:\WINNT\system32\svchost.exe
                                            C:\Programme\Norton AntiVirus\navapsvc.exe
                                            C:\WINNT\system32\regsvc.exe
                                            C:\WINNT\system32\MSTask.exe
                                            C:\WINNT\system32\stisvc.exe
                                            C:\WINNT\System32\WBEM\WinMgmt.exe
                                            C:\WINNT\system32\svchost.exe
                                            C:\WINNT\Explorer.EXE
                                            C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
                                            C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
                                            C:\WINNT\system32\internat.exe
                                            C:\WINNT\system32\svchost.exe
                                            C:\WINNT\system32\rundll32.exe
                                            C:\Programme\Mozilla Thunderbird\thunderbird.exe
                                            C:\Programme\Mozilla Firefox\firefox.exe
                                            C:\Programme\Microsoft Office\Office\EXCEL.EXE
                                            I:\Programme\combit\amw\amwin.OVL
                                            F:\amw\TM.EXE
                                            C:\Dokumente und Einstellungen\user\Desktop\HijackThis.exe

                                            O1 - Hosts: 69.20.16.183 auto.search.msn.com
                                            O1 - Hosts: 69.20.16.183 search.netscape.com
                                            O1 - Hosts: 69.20.16.183 ieautosearch
                                            O1 - Hosts: 69.20.16.183 ieautosearch
                                            O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio -
                                            {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
                                            O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
                                            C:\Programme\Norton AntiVirus\NavShExt.dll
                                            O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
                                            c:\programme\google\googletoolbar2.dll
                                            O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
                                            O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec
                                            Shared\ccApp.exe"
                                            O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec
                                            Shared\ccRegVfy.exe"
                                            O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec
                                            Shared\Security Center\UsrPrmpt.exe
                                            O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
                                            O4 - HKCU\..\Run: [internat.exe] internat.exe
                                            O8 - Extra context menu item: &Google Search -
                                            res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
                                            O8 - Extra context menu item: Im Cache gespeicherte Seite -
                                            res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
                                            O8 - Extra context menu item: Verweisseiten -
                                            res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
                                            O8 - Extra context menu item: Ähnliche Seiten -
                                            res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
                                            O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
                                            www.pandasoftware.com/activescan/as5/asinst.cab
                                            O17 - HKLM\System\CCS\Services\Tcpip\..\{DBA55AA9-08EA-4230-8F75-49787047B2A7}:
                                            NameServer = 194.204.152.34,212.14.1.66
                                            O23 - Service: Symantec Event Manager - Symantec Corporation -
                                            C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
                                            O23 - Service: Symantec Password Validation Service - Symantec Corporation -
                                            C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
                                            O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger -
                                            VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
                                            O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation -
                                            C:\Programme\Norton AntiVirus\navapsvc.exe
                                            O23 - Service: ScriptBlocking Service - Symantec Corporation -
                                            C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
                                            O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame
                                            Dateien\Symantec Shared\Security Center\SymWSC.exe
                                        • brusli1 Silent Runners log 23.12.04, 12:59
                                            "Silent Runners.vbs", revision 27, launched at: 13:01
                                            Operating System: Windows 2000


                                            Startup items buried in registry:
                                            ---------------------------------

                                            HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
                                            "internat.exe" = "internat.exe" [MS]

                                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
                                            "WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
                                            "ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe""
                                            ["Symantec Corporation"]
                                            "ccRegVfy" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe""
                                            ["Symantec Corporation"]
                                            "SSC_UserPrompt" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security
                                            Center\UsrPrmpt.exe" ["Symantec Corporation"]
                                            "Synchronization Manager" = "mobsync.exe /logon" [MS]

                                            HKLM\Software\Microsoft\Active Setup\Installed Components\
                                            ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media
                                            Player"
                                            \StubPath =
                                            "C:\WINNT\system32\setup\wmpocm.exe /ShowWMP" [MS]

                                            HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
                                            "Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
                                            -> resolves to: {CLSID}\InprocServer32\(Default) =
                                            "C:\WINNT\system32\NETSHELL.dll" [MS]
                                            "WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
                                            -> resolves to: {CLSID}\InprocServer32\(Default) =
                                            "C:\WINNT\system32\webcheck.dll" [MS]
                                            "SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
                                            -> resolves to: {CLSID}\InprocServer32\(Default) = "stobject.dll" [MS]

                                            HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
                                            "load" = ** WARNING
                                            • brusli1 Shall we carry on? 27.12.04, 09:53

                                              • netsec Re: Shall we carry on? 27.12.04, 10:27
                                                HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
                                                INFECTION WARNING! "Explorer\DLLName"= "C:\WINNT\system32\irrol5931.dll" [null
                                                data]

                                                As you can see, the DLL loaded from this key keeps being swapped out to
                                                hide the real source; this is the so-called daughter.
                                                The real library is invoked from somewhere else and has a completely different name.
                                                Finding it is very complicated.

                                                For now you can remove these entries in HijackThis:
                                                O1 - Hosts: 69.20.16.183 auto.search.msn.com
                                                O1 - Hosts: 69.20.16.183 search.netscape.com
                                                O1 - Hosts: 69.20.16.183 ieautosearch

                                                Then find the hosts file and, in the file's properties, set the read-only
                                                attribute.
                                                Unlikely to work, but maybe..
                                                This only neutralises things; it does not remove the intruder.

                                                If you have Ad-Aware 1.05 SE installed, download VX2 Cleaner
                                                www.lavasoft.de/software/addons/vx2cleaner.shtml
                                                Close Internet Explorer and other programs, then install VX2 Cleaner.
                                                Run Ad-Aware, go to Add-ons, select (highlight) VX2 Cleaner and click
                                                Run Tool at the bottom.
                                                After that restart the computer and check in Silent Runners whether the
                                                library has reappeared.
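An added example (not code from this thread, and not part of Silent Runners) for the Winlogon\Notify entry quoted above: it parses the Notify section of two Silent Runners reports, flags entries whose DLL has no version data ([null data]) and a generated-looking file name, and diffs the two scans to catch a subkey whose DLL was renamed between runs, which is the "daughter" rotation the post describes. The two report excerpts are constructed (the cscdll line is a benign Windows 2000 control); the name heuristic in looks_generated is this example's own assumption, and parse_notify, flag_entries and renamed_between are its own names.

```python
import re
from os.path import basename

NOTIFY_KEY = "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"

# One Silent Runners value line: an optional "INFECTION WARNING!" prefix, the
# "<subkey>\DLLName" value, its data, and the tag in brackets ([MS], ["Vendor"],
# or [null data] when the file carries no version information).
ENTRY_RE = re.compile(
    r'^(?:INFECTION WARNING!\s*)?"([^"]+)\\DLLName"\s*=\s*"([^"]*)"\s*(\[[^\]]*\])?'
)

# Two constructed Silent Runners excerpts, not logs pasted in the thread. The
# Explorer subkey points at f0l0la3m1d.dll in the first scan and irrol5931.dll
# in the second (both names appear in the thread); cscdll is a stock Windows
# 2000 Notify package included as a benign control.
SCAN_1 = """\
HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\
"cscdll\\DLLName" = "cscdll.dll" [MS]
INFECTION WARNING! "Explorer\\DLLName"= "C:\\WINNT\\system32\\f0l0la3m1d.dll" [null data]

HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"""

SCAN_2 = SCAN_1.replace("f0l0la3m1d.dll", "irrol5931.dll")


def parse_notify(report):
    """Map each Winlogon\\Notify subkey to (DLL path, tag) from one report."""
    entries, in_section = {}, False
    for raw in report.splitlines():
        line = raw.strip()
        if line == NOTIFY_KEY:
            in_section = True
            continue
        if in_section and not line:      # a blank line ends the section
            in_section = False
            continue
        if in_section:
            m = ENTRY_RE.match(line)
            if m:
                subkey, dll, tag = m.groups()
                entries[subkey] = (dll, tag or "")
    return entries


def looks_generated(dll_path):
    """Crude name heuristic (an assumption for this example, not a rule from the
    thread): the rotating names seen here (irrol5931, g8lmli3118, f0l0la3m1d)
    are lowercase letter/digit soup, while real system DLLs (cscdll, crypt32)
    carry at most a couple of digits."""
    stem = basename(dll_path.replace("\\", "/")).lower()
    if stem.endswith(".dll"):
        stem = stem[:-4]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return stem.isalnum() and digits >= 3 and letters >= 3


def flag_entries(entries):
    """Subkeys whose DLL has no version data and a generated-looking name."""
    return sorted(k for k, (dll, tag) in entries.items()
                  if tag == "[null data]" and looks_generated(dll))


def renamed_between(before, after):
    """Subkeys whose DLLName differs between two scans: the 'daughter' being
    swapped out by the hidden 'mother' component, as the post above describes."""
    return {k: (before[k][0], after[k][0])
            for k in before.keys() & after.keys()
            if before[k][0] != after[k][0]}


if __name__ == "__main__":
    first, second = parse_notify(SCAN_1), parse_notify(SCAN_2)
    print("flagged in scan 1:", flag_entries(first))
    for subkey, (old, new) in renamed_between(first, second).items():
        print(f"{subkey}: {old} -> {new}")
```

The diff is the useful part: a single [null data] entry can be a legitimate third-party package, but a Notify subkey whose DLL path changes from one scan to the next while the machine stays infected is exactly the rotating daughter, and the file currently named there is not the one worth deleting.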
                                                • brusli1 After VX2 Cleaner 27.12.04, 13:40
                                                  Here is the Silent Runners output:

                                                  "Silent Runners.vbs", revision 27, launched at: 13:37
                                                  Operating System: Windows 2000


                                                  Startup items buried in registry:
                                                  ---------------------------------

                                                  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
                                                  "internat.exe" = "internat.exe" [MS]

                                                  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
                                                  "WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
                                                  "ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe""
                                                  ["Symantec Corporation"]
                                                  "ccRegVfy" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe""
                                                  ["Symantec Corporation"]
                                                  "SSC_UserPrompt" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security
                                                  Center\UsrPrmpt.exe" ["Symantec Corporation"]
                                                  "Synchronization Manager" = "mobsync.exe /logon" [MS]

                                                  HKLM\Software\Microsoft\Active Setup\Installed Components\
                                                  ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media
                                                  Player"
                                                  \StubPath =
                                                  "C:\WINNT\system32\setup\wmpocm.exe /ShowWMP" [MS]

                                                  HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
                                                  "Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
                                                  -> resolves to: {CLSID}\InprocServer32\(Default) =
                                                  "C:\WINNT\system32\NETSHELL.dll" [MS]
                                                  "WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
                                                  -> resolves to: {CLSID}\InprocServer32\(Default) =
                                                  "C:\WINNT\system32\webcheck.dll" [MS]
                                                  "SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
                                                  -> resolves to: {CLSID}\InprocServer32\(Default) = "stobject.dll" [MS]

                                                  HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
                                                  "load" = ** WARNING
                                                  • netsec Re: After VX2 Cleaner 27.12.04, 13:43
                                                    Did VX2 Cleaner find anything?
                                                  • brusli1 Re: After VX2 Cleaner 29.12.04, 21:00
                                                    No
                                                  • netsec Re: After VX2 Cleaner 29.12.04, 21:08
                                                    And what about the hosts file and those entries?
                                                  • brusli1 Hosts and entries 31.12.04, 09:20
                                                    I can't do anything about Hosts and those entries....
                                                  • netsec Re: After VX2 Cleaner 29.12.04, 21:25
                                                    Now find the real dll, the so-called mother, yourself,
                                                    following this description:
                                                    www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&#entry101267
                                                  • brusli1 Problem 31.12.04, 09:22
                                                    I can't download that tool from that page...
                                                  • netsec Re: Problem 31.12.04, 10:35
                                                    Here is a link and a description of how to solve your problem:
                                                    www.searchengines.pl/phpbb203/index.php?showtopic=12510&st=0&p=109496&#entry109496
                                                    and here is the link to DllCompare
                                                    www.atribune.org/downloads/DllCompare.exe
                  • netsec Re: Winsock 22.12.04, 12:14
                    Additionally, download and run a report with this tool, and paste its log on the forum.
                    80.53.91.142/netsec/tools/Silent Runners.zip

                    The log is created in the same folder as the extracted vbs file.
