prosze o sprawdzenie loga hijackthis, SR

IP: *.proxy.aol.com 20.12.06, 16:26
    • Gość: Kolobos Re: prosze o sprawdzenie loga hijackthis, SR IP: *.crowley.pl 20.12.06, 20:05
      Po co wklejasz dwa razy to samo i zakladasz dwa watki?! Przez Ciebie musze sie logowac i usuwac Twoje posty! Log z SR sie nie zmiescil jak zapewne widzisz, wklej go w kolejnym poscie.
      • Gość: loszko Re: prosze o sprawdzenie loga hijackthis, SR IP: *.proxy.aol.com 20.12.06, 20:32
        Mój błąd, przepraszam.


        "Silent Runners.vbs", revision 49, www.silentrunners.org/
        Operating System: Windows XP SP2
        Output limited to non-default values, except where indicated by "{++}"


        Startup items buried in registry:
        ---------------------------------

        HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
        "CTFMON.EXE" = "C:\WINNT\system32\ctfmon.exe" [MS]
        "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file
        not found]
        "LeechGet" = "(empty string)" [file not found]
        "OE" = ""C:\Program Files\Trend Micro\Internet Security 2007
        \TMAS_OE\TMAS_OEMon.exe"" ["Trend Micro Inc."]

        HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
        "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe""
        ["Sun Microsystems, Inc."]
        "ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
        "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
        ["ATI Technologies, Inc."]
        "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
        "SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
        "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
        "THotkey" = "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" ["TOSHIBA"]
        "TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]
        "DSLSTATEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon"
        ["GlobespanVirata, Inc."]
        "DSLAGENTEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [null
        data]
        "%FP%Friendly fts.exe" = ""C:\Program Files\VoyagerTest\fts.exe"" ["Friendly
        Technologies"]
        "AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America
        Online, Inc"]
        "RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe
        SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
        "NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Nero AG"]
        "HostManager" = "C:\Program Files\Common Files\AOL\1165951596
        \ee\AOLSoftware.exe" ["America Online, Inc."]
        "pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2007
        \pccguide.exe"" ["Trend Micro Inc."]

        HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
        {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
        -> {HKLM...CLSID} = "AcroIEHlprObj Class"
        \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat
        5.0 CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
        {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
        -> {HKLM...CLSID} = "SSVHelper Class"
        \InProcServer32\(Default) = "C:\Program
        Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

        HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
        "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
        wyświetlania"
        -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
        \InProcServer32\(Default) = "deskpan.dll" [file not found]
        "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
        -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
        \InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll"
        ["Hilgraeve, Inc."]
        "{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
        -> {HKLM...CLSID} = "IE Microsoft AutoComplete"
        \InProcServer32\(Default) = "C:\WINNT\system32\browseui.dll"
        [MS]
        "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
        -> {HKLM...CLSID} = "History Band"
        \InProcServer32\(Default) = "C:\WINNT\system32\shdocvw.dll"
        [MS]
        "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
        -> {HKLM...CLSID} = (no title provided)
        \InProcServer32\(Default) = "C:\Program
        Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
        "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
        -> {HKLM...CLSID} = "Portable Media Devices Menu"
        \InProcServer32\(Default) = "C:\WINNT\system32\Audiodev.dll"
        [MS]
        "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
        -> {HKLM...CLSID} = "WinRAR"
        \InProcServer32\(Default) = "C:\Program
        Files\WinRAR\rarext.dll" [null data]
        "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
        -> {HKLM...CLSID} = (no title provided)
        \InProcServer32\(Default) = "C:\Program Files\Microsoft
        Office\OFFICE11\msohev.dll" [MS]
        "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
        -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
        \InProcServer32\(Default) = "C:\Program Files\Common
        Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
        "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
        -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
        \InProcServer32\(Default) = "C:\Program Files\Common
        Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
        "{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
        -> {HKLM...CLSID} = "VBPropSheet"
        \InProcServer32\(Default) = "C:\Program Files\Trend
        Micro\Internet Security 2007\VBProp.dll" ["Trend Micro Inc."]
        "{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
        -> {HKLM...CLSID} = "TMD Shell Extension"
        \InProcServer32\(Default) = "C:\Program Files\Trend
        Micro\Internet Security 2007\Tmdshell.dll" ["Trend Micro Inc."]

        HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
        <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

        HKLM\Software\Classes\PROTOCOLS\Filter\
        <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
        -> {HKLM...CLSID} = (no title provided)
        \InProcServer32\(Default) = "C:\Program Files\Common
        Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

        HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
        {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default)
        = "NeroDigitalExt.NeroDigitalColumnHandler"
        -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
        \InProcServer32\(Default) = "C:\Program Files\Common
        Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

        HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
        LeechGet\(Default) = "{EBDF1F20-C829-14D1-8234-1420AF3E97A9}"
        -> {HKLM...CLSID} = "LeechGet "Copy Here" Shell Extension"
        \InProcServer32\(Default) = "C:\Program Files\LeechGet 2006
        \ShellExtension.dll" [null data]
        WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
        -> {HKLM...CLSID} = "WinRAR"
        \InProcServer32\(Default) = "C:\Program
        Files\WinRAR\rarext.dll" [null data]

        HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
        LeechGet\(Default) = "{EBDF1F20-C829-14D1-8234-1420AF3E97A9}"
        -> {HKLM...CLSID} = "LeechGet "Copy Here" Shell Extension"
        \InProcServer32\(Default) = "C:\Program Files\LeechGet 2006
        \ShellExtension.dll" [null data]
        WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
        -> {HKLM...CLSID} = "WinRAR"
        \InProcServer32\(Default) = "C:\Program
        Files\WinRAR\rarext.dll" [null data]

        HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
        LeechGet\(Default) = "{EBDF1F20-C829-14D1-8234-1420AF3E97A9}"
        -> {HKLM...CLSID} = "LeechGet "Copy Here" Shell Extension"
        \InProcServer32\(Default) = "C:\Program Files\LeechGet 2006
        \ShellExtension.dll" [null data]
        WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
        -> {HKLM...CLSID} = "WinRAR"
        \InProcServer32\(Default) = "C:\Program
        Files\WinRAR\rarext.dll" [null data]


        Group Policies {GPedit.msc branch and setting}:
        -----------------------------------------------

        Note: detected settings may not have
        • Gość: Kolobos Re: prosze o sprawdzenie loga hijackthis, SR IP: *.crowley.pl 20.12.06, 22:26
          Dalej nie caly, doklej brakujaca czesc w kolejnym poscie ;-)
        • Gość: loszko Re: prosze o sprawdzenie loga hijackthis, SR IP: *.proxy.aol.com 20.12.06, 22:56
          Group Policies {GPedit.msc branch and setting}:
          -----------------------------------------------

          Note: detected settings may not have any effect.

          HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

          "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
          {Computer Configuration|Windows Settings|Security Settings|Local
          Policies|Security Options|
          Shutdown: Allow system to be shut down without having to log on}

          "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
          {Computer Configuration|Windows Settings|Security Settings|Local
          Policies|Security Options|
          Devices: Allow undock without having to log on}


          Active Desktop and Wallpaper:
          -----------------------------

          Active Desktop may be disabled at this entry:
          HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

          Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
          HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
          "Wallpaper" = "C:\WINNT\system32\config\systemprofile\Ustawienia lokalne\Dane
          aplikacji\Microsoft\Wallpaper1.bmp"

          Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
          HKCU\Control Panel\Desktop\
          "Wallpaper" = "C:\WINNT\ACD Tapeta.bmp"


          Startup items in "Michał" & "All Users" startup folders:
          --------------------------------------------------------

          C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
          "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common
          Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
          "AOL 9.0 Tray Icon" -> shortcut to: "C:\Program Files\AOL 9.0a\aoltray.exe -
          check" ["America Online, Inc."]


          Winsock2 Service Provider DLLs:
          -------------------------------

          Namespace Service Providers

          HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5
          \Catalog_Entries\ {++}
          000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
          000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
          000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

          Transport Service Providers

          HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9
          \Catalog_Entries\ {++}
          0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
          %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 22
          %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


          Toolbars, Explorer Bars, Extensions:
          ------------------------------------

          Explorer Bars

          HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
          {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
          -> {HKLM...CLSID} = "Real.com"
          \InProcServer32\(Default) = "C:\WINNT\system32\Shdocvw.dll"
          [MS]

          HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default)
          = "&Badanie"
          Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
          InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

          Extensions (Tools menu items, main toolbar menu buttons)

          HKLM\Software\Microsoft\Internet Explorer\Extensions\
          {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
          "MenuText" = "Sun Java Console"
          "CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
          -> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
          \InProcServer32\(Default) = "C:\Program
          Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
          -> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
          \InProcServer32\(Default) = "C:\Program
          Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

          {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
          "ButtonText" = "Badanie"

          {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
          "ButtonText" = "Real.com"

          {FB5F1910-F110-11D2-BB9E-00C04F795683}\
          "ButtonText" = "Messenger"
          "MenuText" = "Windows Messenger"
          "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


          Running Services (Display Name, Service Name, Path {Service DLL}):
          ------------------------------------------------------------------

          AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common
          Files\AOL\ACS\AOLAcsd.exe"" ["America Online, Inc."]
          Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\system32\Ati2evxx.exe" ["ATI
          Technologies Inc."]
          LexBce Server, LexBceS, "C:\WINNT\system32\LEXBCES.EXE" ["Lexmark
          International, Inc."]
          STI Simulator, STI Simulator, "C:\WINNT\System32\PAStiSvc.exe" [null data]
          Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1
          \PcCtlCom.exe" ["Trend Micro Inc."]
          Trend Micro Personal Firewall, TmPfw, "C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe"
          ["Trend Micro Inc."]
          Trend Micro Protection Against Spyware , PcScnSrv, ""C:\PROGRA~1\TRENDM~1
          \INTERN~1\PcScnSrv.exe"" ["Trend Micro Inc."]
          Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe"
          ["Trend Micro Inc."]
          Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1
          \Tmntsrv.exe" ["Trend Micro Inc."]
          Windows User Mode Driver Framework, UMWdf, "C:\WINNT\system32\wdfmgr.exe" [MS]


          Print Monitors:
          ---------------

          HKLM\System\CurrentControlSet\Control\Print\Monitors\
          Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
          Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


          ----------
          <<!>>: Suspicious data at a malware launch point.

          + This report excludes default entries except where indicated.
          + To see *everywhere* the script checks and *everything* it finds,
          launch it from a command prompt or a shortcut with the -all parameter.
          + The search for DESKTOP.INI DLL launch points on all local fixed drives
          took 77 seconds.
          --------
    • Gość: Kolobos Re: prosze o sprawdzenie loga hijackthis, SR IP: *.crowley.pl 20.12.06, 23:14
      Log masz ok, jedyne co moze obciazac to Trend Micro lub to cos od AOL.

      W hjt usun:
      O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
      • Gość: loszko Re: prosze o sprawdzenie loga hijackthis, SR IP: *.proxy.aol.com 20.12.06, 23:56
        Dziękuję!
Pełna wersja