Please check my logs

IP: 82.139.21.* 20.10.05, 05:55
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\wznstrm.dll Thu 2005-10-20 4:15:28 ..S.R
234 098 228,61 K
C:\WINDOWS\SYSTEM32\dud8.dll Thu 2005-10-20 4:13:16 ..S.R
234 098 228,61 K
C:\WINDOWS\SYSTEM32\mmrepl40.dll Thu 2005-10-20 0:14:50 ..S.R
234 736 229,23 K
C:\WINDOWS\SYSTEM32\siobject.dll Thu 2005-10-20 1:29:48 ..S.R
236 317 230,78 K
C:\WINDOWS\SYSTEM32\rxgapi.dll Thu 2005-10-20 0:30:02 ..S.R
234 736 229,23 K
C:\WINDOWS\SYSTEM32\mrang.dll Thu 2005-10-20 2:34:38 ..S.R
234 098 228,61 K
C:\WINDOWS\SYSTEM32\imxmontr.dll Thu 2005-10-20 2:45:40 ..S.R
234 098 228,61 K
C:\WINDOWS\SYSTEM32\lv0s09~1.dll Thu 2005-10-20 2:32:50 ..S.R
236 317 230,78 K
________________________________________________

1 331 items found: 1 331 files (8 H/S), 0 directories.
Total of file sizes: 267 256 936 bytes 254,88 M

Administrator Account = True

--------------------End log---------------------


"Silent Runners.vbs", revision 36, www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized"
["Skype Technologies S.A."]
"RoboForm" = ""C:\Program Files\Siber Systems\AI
RoboForm\RoboTaskBarIcon.exe"" ["Siber Systems"]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe""
["Zone Labs LLC"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = ""C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe""
[empty string]
"CTStartup" = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run"
["Creative Technology Ltd."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
-osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
[null data]
"Cobian Backup 7 Interface" = ""C:\Program Files\Cobian Backup 7\cobui.exe"
-service" ["Luis Cobian"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll"
["Hilgraeve, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil
Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) =
"C:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program
Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll"
[null data]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Symantec\Norton
Ghost 2003\GhoShExt.dll" ["Symantec Corporation"]
"{4C061DFE-76C1-4FE8-A5D7-A49E083F7CA0}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\mrang.dll" [null
data]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell
Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend
Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro
Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend
Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "load" = "C:\YDPDict\watch.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Firefox Wallpaper.bmp"


Startup items in "slawas2001" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\
{++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
{++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program
files\google\googletoolbar1.dll" ["Google Inc."]

"{724D43A0-0D85-11D4-9908-00400523E39A}"
-> {CLSID}\(Default) = "&RoboForm"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI
RoboForm\roboform.dll" ["Siber Systems"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program
files\google\googletoolbar1.dll" ["Google Inc."]

"{724D43A0-0D85-11D4-9908-00400523E39A}"
-> {CLSID}\(Default) = "&RoboForm"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI
RoboForm\roboform.dll" ["Siber Systems"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{724D43A0-0D85-11D4-9908-00400523E39A}"
-> {CLSID}\(Default) = "&RoboForm"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI
RoboForm\roboform.dll" ["Siber Systems"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program
files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
-> {CLSID}\(Default) = "&Y
    • Guest: Kolobos Re: Please check my logs IP: *.warszawa.sdi.tpnet.pl 20.10.05, 09:49
      The Silent Runners log didn't fit.

      Download this:
      www.downloads.subratam.org/l2mfix.exe
      unpack it, run l2mfix.bat, choose option #1, and send the log it creates to me at
      kolobos1@gazeta.pl; attach the Silent Runners and HijackThis logs as well.
      • Guest: slawas2001 Re: Please check my logs IP: 82.139.21.* 20.10.05, 15:53
        the Silent Runners one is earlier; the L2MFix one I'm posting here:

        L2MFIX find log 1.04a
        These are the registry keys present
        **********************************************************************************
        Winlogon/notify:
        Windows Registry Editor Version 5.00

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
        NT\CurrentVersion\Winlogon\Notify\crypt32chain]
        "Asynchronous"=dword:00000000
        "Impersonate"=dword:00000000
        "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
        6c,00,00,00
        "Logoff"="ChainWlxLogoffEvent"

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
        NT\CurrentVersion\Winlogon\Notify\cryptnet]
        "Asynchronous"=dword:00000000
        "Impersonate"=dword:00000000
        "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
        6c,00,6c,00,00,00
        "Logoff"="CryptnetWlxLogoffEvent"

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
        NT\CurrentVersion\Winlogon\Notify\cscdll]
        "DLLName"="cscdll.dll"
        "Logon"="WinlogonLogonEvent"
        "Logoff"="WinlogonLogoffEvent"
        "ScreenSaver"="WinlogonScreenSaverEvent"
        "Startup"="WinlogonStartupEvent"
        "Shutdown"="WinlogonShutdownEvent"
        "StartShell"="WinlogonStartShellEvent"
        "Impersonate"=dword:00000000
        "Asynchronous"=dword:00000001

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
        NT\CurrentVersion\Winlogon\Notify\ScCertProp]
        "DLLName"="wlnotify.dll"
        "Logon"="SCardStartCertProp"
        "Logoff"="SCardStopCertProp"
        "Lock"="SCardSuspendCertProp"
        "Unlock"="SCardResumeCertProp"
        "Enabled"=dword:00000001
        "Impersonate"=dword:00000001
        "Asynchronous"=dword:00000001

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
        NT\CurrentVersion\Winlogon\Notify\Schedule]
        "Asynchronous"=dword:00000000
        "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
        6c,00,6c,00,00,00
        "Impersonate"=dword:00000000
        "StartShell"="SchedStartShell"
        "Logoff"="SchedEventLogOff"

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
        NT\CurrentVersion\Winlogon\Notify\sclgntfy]
        "Logoff"="WLEventLogoff"
        "Impersonate"=dword:00000000
        "Asynchronous"=dword:00000001
        "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
        6c,00,6c,00,00,00

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
        NT\CurrentVersion\Winlogon\Notify\SensLogn]
        "DLLName"="WlNotify.dll"
        "Lock"="SensLockEvent"
        "Logon"="SensLogonEvent"
        "Logoff"="SensLogoffEvent"
        "Safe"=dword:00000001
        "MaxWait"=dword:00000258
        "StartScreenSaver"="SensStartScreenSaverEvent"
        "StopScreenSaver"="SensStopScreenSaverEvent"
        "Startup"="SensStartupEvent"
        "Shutdown"="SensShutdownEvent"
        "StartShell"="SensStartShellEvent"
        "PostShell"="SensPostShellEvent"
        "Disconnect"="SensDisconnectEvent"
        "Reconnect"="SensReconnectEvent"
        "Unlock"="SensUnlockEvent"
        "Impersonate"=dword:00000001
        "Asynchronous"=dword:00000001

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
        NT\CurrentVersion\Winlogon\Notify\termsrv]
        "Asynchronous"=dword:00000000
        "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
        6c,00,6c,00,00,00
        "Impersonate"=dword:00000000
        "Logoff"="TSEventLogoff"
        "Logon"="TSEventLogon"
        "PostShell"="TSEventPostShell"
        "Shutdown"="TSEventShutdown"
        "StartShell"="TSEventStartShell"
        "Startup"="TSEventStartup"
        "MaxWait"=dword:00000258
        "Reconnect"="TSEventReconnect"
        "Disconnect"="TSEventDisconnect"

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
        NT\CurrentVersion\Winlogon\Notify\wlballoon]
        "DLLName"="wlnotify.dll"
        "Logon"="RegisterTicketExpiredNotificationEvent"
        "Logoff"="UnregisterTicketExpiredNotificationEvent"
        "Impersonate"=dword:00000001
        "Asynchronous"=dword:00000001

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
        NT\CurrentVersion\Winlogon\Notify\wzcnotif]
        "DLLName"="wzcdlg.dll"
        "Logon"="WZCEventLogon"
        "Logoff"="WZCEventLogoff"
        "Impersonate"=dword:00000000
        "Asynchronous"=dword:00000000


        • Guest: slawas2001 Re: Please check my logs IP: 82.139.21.* 20.10.05, 16:07
          I can't send the whole log because gazeta blocks me :(

          the Silent Runners one is above, the L2MFix one is here; anyway, they should all be here
          forum.viruscenter.pl/index.php?showtopic=569&st=0&gopid=4214&#entry4214
          • Guest: Kolobos Re: Please check my logs IP: *.warszawa.sdi.tpnet.pl 20.10.05, 21:19
            That's why I wanted it by e-mail, because I know they don't fit here.

            You've caught VX2 :P
            Disconnect from the network, run l2mfix.bat again and choose option #2.
            After that a log will be created; paste it on the forum or send it by e-mail.

            • Guest: slawas2001 Re: Please check my logs IP: 82.139.21.* 20.10.05, 23:41
              I didn't know where to put it and couldn't find your e-mail anywhere either,
              so I took the liberty of posting it here :)

              groups.google.pl/group/alt.pl.test/browse_frm/thread/89a2e6f58ced5b46/9da7fa637c344279?hl=pl#9da7fa637c344279
              2 logs:
              1 safe mode without network
              2 normal mode with network; strange that the date of the log file didn't match
              • Guest: Kolobos Re: Please check my logs IP: *.warszawa.sdi.tpnet.pl 20.10.05, 23:56
                I think I gave you my e-mail in the first post ;-)
                I did write that you should choose option #2 in that program; then the computer
                will reboot and the icons etc. will disappear, but don't do anything, just wait until it finishes;
                at the end a log will be created, and that's the log you need to paste; of course you do all this
                with the internet disconnected.
                • Guest: slawas Re: Please check my logs IP: 82.139.21.* 21.10.05, 10:23
                  I sent the log by e-mail, I hope it arrived; both logs I gave in the post
                  above were made with option 2, the first one with the network disabled

                  Regards
                  S.
                  • Guest: Kolobos Re: Please check my logs IP: *.warszawa.sdi.tpnet.pl 21.10.05, 10:54
                    A bit more and maybe I'll get the right log ;-)
                    Actually I've already received part of it, but that's still not enough.