Pokaż pełną wersje : Keylogger na GG?
Krótko i zwięźle, wczoraj na GG dostałem coś w tym stylu:
Aktywny
Wizua Keylogger v 5.2 by -=Lukasz=-
Wyślę za ...3
I go zablokowałem, potem rozłączyłem połączenie z Internetem :|
I tutaj moje pytanie:
Czy może coś w tym byc, czy ten łepek poprostu robi sobie jaja?
Kiedyś dostałem coś w stylu trojana, i avast (<3) wykrył mi trojana w emotce.
Mam się bac? :|
btw. Hijackthis nic nie wykrył, ale wole się upewnic ;>
Pokaż logi z hijackthis + silent runners. A i użyj tego: http://www.zoom.idg.pl/ftp/pc_3477/Windows%20Worms%20Doors%20Cleaner%201.3.html
I skonfiguruj proxy w GG ;)
Hijackthis:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
C:\Program Files\Alwil Software\Avast4\ashServ*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\system32\svchost*****
C:\Program Files\Alwil Software\Avast4\ashMaiSv*****
C:\Program Files\Alwil Software\Avast4\ashWebSv*****
C:\WINDOWS\system32\Ati2evxx*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\RTHDCPL*****
C:\WINDOWS\ALCMTR*****
C:\Program Files\ATI Technologies\ATI.ACE\cli*****
C:\PROGRA~1\NEOSTR~1\CnxMon*****
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****
C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
C:\Program Files\Winamp\winampa*****
C:\WINDOWS\system32\ctfmon*****
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray*****
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl*** **
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\ATI Technologies\ATI.ACE\CLI*****
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08*****
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01*****
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08*****
C:\WINDOWS\system32\HPZipm12*****
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08*****
C:\Program Files\Mozilla Firefox\firefox*****
C:\WINDOWS\system32\wuauclt*****
C:\Documents and Settings\Martin\Pulpit\hijackthis\HijackThis*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL*****
O4 - HKLM\..\Run: [Alcmtr] ALCMTR*****
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck*****
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli*****" runtime
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon*****
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch*****
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa*****
O4 - HKCU\..\Run: [CTFMON*****] C:\WINDOWS\system32\ctfmon*****
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray*****
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl*** ** /DropDisc
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI*****
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01*****.lnk = ?
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs*****
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{58688700-CD5E-45CD-914D-3DED86D7A93C}: NameServer = 194.204.159.1 217.98.63.164
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv*****
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx*****
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag*****
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ*****
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12*****
Silent Runners:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"CTFMON*****" = "C:\WINDOWS\system32\ctfmon*****" [MS]
"InstantTray" = "C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray*****" ["Pinnacle Systems"]
"IW_Drop_Icon" = "C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl*** ** /DropDisc" ["Pinnacle Systems GmbH."]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg*****" /tray" ["Gadu-Gadu S.A."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"RTHDCPL" = "RTHDCPL*****" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR*****" ["Realtek Semiconductor Corp."]
"PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck*****" [empty string]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx*****" ["ATI Technologies, Inc."]
"(Default)" = "(empty string)" [file not found]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli*****" runtime" [null data]
"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon*****" [empty string]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon" ["THOMSON Telecom Belgium"]
"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch*****" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon*****" ["France Télécom R&D"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp*****" ["ALWIL Software"]
"WinampAgent" = "C:\Program Files\Winamp\winampa*****" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
-> {HKLM...CLSID} = "CD Copy Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
-> {HKLM...CLSID} = "CD Wizard Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F5D92344-0A64-11D0-9956-0000E8096023}" = "InstantWrite Shellextension"
-> {HKLM...CLSID} = "InstantWrite Shellextension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\iwshex.dll" ["VOB Computersysteme GmbH"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\She llServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandler s\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE*****" = "C:\WINDOWS\System32\logon*****" [MS]
Startup items in "Martin" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"ATI CATALYST System Tray" -> shortcut to: "C:\Program Files\ATI Technologies\ATI.ACE\CLI***** SystemTray" [null data]
"hp psc 1000 series" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08*****" ["Hewlett-Packard Co."]
"hpoddt01*****" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01*****" ["Hewlett-Packard"]
Enabled Scheduled Tasks:
------------------------
"FRU Task #Hewlett-Packard#hp psc 1200 series#1186679234" -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl***** -I "#Hewlett-Packard#hp psc 1200 series#1186679234"" [empty string]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]
HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]
HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
-> {HKLM...CLSID} = "Search Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx*****" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ*****"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv*****"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv*****" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv*****" /service" ["ALWIL Software"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12*****" ["HP"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monito rs\
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
---------- (launch time: 2007-08-10 11:54:42)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 30 seconds, including 5 seconds for message boxes)
Po włączeniu tego programiku mam coś takiego:
http://images23.fotosik.pl/53/9461ce053159282a.jpg (www.fotosik.pl)
Coś zainfekowało svchost, ale w logach nic nie widać. :/
Hym, czyli co zrobic? Bo ja się na tym wogóle nie znam (TIBJA RZONDZI) :|
Aaaa, jeśli to coś pomoże, to wczoraj miałem formata :>
To zrób formata jeszcze raz, póki nie masz nic cennego na kompie. I nie używaj gg ;)
Dark Sven
10-08-2007, 13:47
Zmień Avasta na coś innego. Ja też byłem zaślepiony jego 'superowatością' gdy Panda mi nie wykryła 60 wirusów.
Przeskanuj tym:
http://www.pandasoftware.com/activescan/pol/activescan_principal.htm
Uther, po co sobie tym głowę zaprzątasz, będzie Ci żal takiego tibiarza, który może stracić sens życia?
Trojan w emotce, dobre sobie.
Zresztą tutaj i tak wypowiadają się tzw. eksperci, którzy i tak doradzą format. Niech idzie z tym na jakieś forum software, a nie pisze z tym na forum o Tibii. Notabene ja tutaj widzę przyklejony temat...
Uther, po co sobie tym głowę zaprzątasz, będzie Ci żal takiego tibiarza, który może stracić sens życia?
Trojan w emotce, dobre sobie.
Zresztą tutaj i tak wypowiadają się tzw. eksperci, którzy i tak doradzą format. Niech idzie z tym na jakieś forum software, a nie pisze z tym na forum o Tibii. Notabene ja tutaj widzę przyklejony temat...
Dobra, dobra wszystko ok. Ale nie wiem dokładnie, o co Ci chodzi z tym tibiarzem. Nie znasz mnie, więc możesz tak uważac, ale jesteś w błędzie. Tibia jest dla mnie niczym w porównaniu z RL.
Kthxbye :)
@Moderatorzy
Uprzejmie proszę o zamknięcie tematu :)
vBulletin® v3.7.0, Copyright ©2000-2025, Jelsoft Enterprises Ltd.