#1
Forum user
Joined: 12 07 2006
Posts: 8

Hello,
I have a problem: for a few days now, whenever I log into my account I'm in a different place, and on top of that I sometimes get kicked with a "bad password" message and have to change my password to get back in. I think it's a keylogger; here is a screenshot from Active Ports showing where it connects apart from Tibia. (screenshot: Shot at 2007-08-20) Please help me get rid of this keylogger. I'm also posting a log from HijackThis.
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:00:08, on 2007-08-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss*****
C:\WINDOWS\system32\csrss*****
C:\WINDOWS\system32\winlogon*****
C:\WINDOWS\system32\services*****
C:\WINDOWS\system32\lsass*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\System32\svchost*****
C:\Program Files\Sygate\SPF\smc*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\spoolsv*****
C:\WINDOWS\Explorer*****
C:\WINDOWS\system32\nvsvc32*****
C:\Program Files\Spyware Doctor\svcntaux*****
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****
C:\WINDOWS\RTHDCPL*****
C:\Program Files\Winamp\Winampa*****
C:\Program Files\Spyware Doctor\SDTrayApp*****
C:\Program Files\Gadu-Gadu\gg*****
C:\Program Files\Microsoft ActiveSync\wcescomm*****
C:\Program Files\Spybot - Search & Destroy\TeaTimer*****
C:\Program Files\FreeCall.com\FreeCall\FreeCall*****
C:\Program Files\Logitech\SetPoint\SetPoint*****
C:\Program Files\Spyware Doctor\swdsvc*****
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR*****
C:\PROGRA~1\MICROS~2\rapimgr*****
C:\WINDOWS\system32\svchost*****
C:\WINDOWS\system32\wbem\wmiprvse*****
C:\WINDOWS\System32\alg*****
C:\WINDOWS\system32\wscntfy*****
C:\PROGRA~1\MOZILL~1\FIREFOX*****
C:\WINDOWS\system32\wbem\wmiprvse*****
C:\Program Files\Trend Micro\HijackThis\HijackThis*****

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz***** /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR*****
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL*****
O4 - HKLM\..\Run: [SkyTel] SkyTel*****
O4 - HKLM\..\Run: [Alcmtr] ALCMTR*****
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa*****"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp*****"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc***** -startgui
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg*****" /tray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm*****"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer*****
O4 - HKCU\..\Run: [FreeCall] "C:\Program Files\FreeCall.com\FreeCall\FreeCall*****" -nosplash -minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON*****] C:\WINDOWS\system32\CTFMON***** (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint*****
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{76F1139B-2670-48BE-8528-DB921E8B0C81}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp*****
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32*****
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux*****
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc*****
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc*****

--
End of file - 4136 bytes
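An added example, not from this thread or from HijackThis itself: a small Python parser for the O4, O17 and O23 line formats of a HijackThis v2 log like the one above. It extracts what each entry really loads (for rundll32 entries, the DLL) and attaches review flags to autostarts that run from user-writable directories or use an unqualified file name. It assumes the extension the forum masked as ***** is .exe; the sample lines are constructed from this log, and the [updater] entry is invented to show what a flagged entry looks like.

```python
import re
from dataclasses import dataclass, field

# Line formats used by HijackThis v2 for autostarts (O4), DNS servers (O17) and services (O23).
O4_RUN = re.compile(r'^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<path>.+)$')
O23_SVC = re.compile(r'^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]+)\) - (?P<vendor>.+?) - (?P<path>.+)$')
O17_DNS = re.compile(r'^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$')
USER_TAG = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")
# First token ending in an executable extension, so unquoted paths containing spaces survive.
EXE_EXT = re.compile(r'^(.*?\.(?:exe|dll|scr|pif|bat|vbs|cmd))(?:\s+(.*))?$', re.IGNORECASE)
# Constructed heuristic: autostart entries rarely belong in user-writable locations.
USER_WRITABLE = ('c:\\documents and settings\\', '\\local settings\\', '\\temp\\')


@dataclass
class Entry:
    kind: str            # 'run', 'startup', 'service' or 'dns'
    name: str
    target: str          # file that really gets loaded (for rundll32, the DLL)
    hive: str = ''
    user: str = ''
    vendor: str = ''
    flags: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Program a Run value launches; for rundll32 the DLL it loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:].strip()
    elif m := EXE_EXT.match(cmd):
        exe, rest = m.group(1), m.group(2) or ''
    else:
        exe, _, rest = cmd.partition(' ')
    if exe.lower().endswith('rundll32.exe'):
        return rest.split(',', 1)[0].strip().strip('"')   # "module.dll,EntryPoint"
    return exe


def triage(entry: Entry) -> Entry:
    """Attach review flags; a flag is a reason to look closer, not a verdict."""
    low = entry.target.lower()
    if entry.kind in ('run', 'startup'):
        if any(tag in low for tag in USER_WRITABLE):
            entry.flags.append('launches from user-writable directory')
        if '\\' not in low:
            entry.flags.append('unqualified name, resolved via search path')
    return entry


def parse_line(line: str):
    line = line.rstrip()
    if m := O4_RUN.match(line):
        cmd, user = m['cmd'], ''
        if u := USER_TAG.search(cmd):
            cmd, user = cmd[:u.start()], u['user']
        return triage(Entry('run', m['name'], executable_of(cmd), hive=m['hive'], user=user))
    if m := O4_STARTUP.match(line):
        return triage(Entry('startup', m['name'], m['path'].strip()))
    if m := O23_SVC.match(line):
        return triage(Entry('service', m['svc'], m['path'].strip(), vendor=m['vendor']))
    if m := O17_DNS.match(line):
        return Entry('dns', m['key'], ' '.join(m['servers'].replace(',', ' ').split()))
    return None                      # O2, O9, headers and so on are not handled here


def parse_log(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def flagged(entries) -> dict:
    return {e.name: e.flags for e in entries if e.flags}


# Constructed from the log above with ".exe" written out; [updater] is an invented
# example of the kind of entry the flags are meant to surface.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{76F1139B-2670-48BE-8528-DB921E8B0C81}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
"""
```

Running `flagged(parse_log(SAMPLE_LOG))` reports only the bare `nwiz.exe` name and the invented Temp-directory entry; everything else resolves to a fully qualified path under Program Files or System32.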
#2
Forum user
Joined: 19 08 2007
Posts: 98

The mere fact that you log in in different places than where you logged out shows that something is wrong.
As for HijackThis (or however it's spelled): http://www.hijackthis.de/ go there, paste your log and it will show you what is suspicious; then you tick the ones that were detected as something negative and that should be the end of the problem. I don't know this all that well, but I'm saying what I know.
@down: I have no idea. It may also be that it's cleverly disguised.
Last edited by Kyrfal - 20-08-2007 at 17:48.
#3
Forum user
Joined: 12 07 2006
Posts: 8

OK, I did what you told me and it didn't detect anything bad.
I'll also add that I supposedly have a keylogger called "TibiaFucker" and HijackThis doesn't show it. Is that true?
#4
Forum user
Joined: 13 05 2007
Posts: 3

1) Go to www.ip-adress.com, or another site where you can look up an IP.
2) Enter the IP address you're interested in there, in this case 62.146.47.45. Hocus pocus, and the magic box shows Cipsoft's details; if you don't believe me, check for yourself. In my opinion it's no keylogger, just a second connection to the server.
#5
Forum user
Joined: 19 05 2006
Location: Beyond the mountains, beyond the forests....
Blog entries: 1
Posts: 1,388
Status: Retired
Profession: Rookstayer

Post logs from Silent Runners and ComboFix.
__________________
*** † Jarosław Krasuski (1974-2007) *** Maybe you'll leave me a note? *** Have a problem with a keylogger? Not sure about your security? I'll gladly help you
#6
Forum user
Joined: 07 04 2007
Location: from home
Posts: 99
Name: Xartazz
Profession: Elite Knight
World: Candia
Skills: 75/73
Magic level: 4

Obviously you have a keylogger -.-", a password doesn't change by itself, and a character doesn't walk to other places by itself either... Go install a program like XoftSpy and scan your computer.
#7
Forum user
Joined: 12 07 2006
Posts: 8

Silent Runners
Code:
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg*****" /tray" ["Gadu-Gadu S.A."]
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\wcescomm*****"" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer*****" ["Safer Networking Limited"]
"FreeCall" = ""C:\Program Files\FreeCall.com\FreeCall\FreeCall*****" -nosplash -minimized" ["FreeCall"]
"Steam" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"nwiz" = "nwiz***** /install" ["NVIDIA Corporation"]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" /icon" ["THOMSON Telecom Belgium"]
"Logitech Hardware Abstraction Layer" = "KHALMNPR*****" ["Logitech Inc."]
"RTHDCPL" = "RTHDCPL*****" ["Realtek Semiconductor Corp."]
"WinampAgent" = ""C:\Program Files\Winamp\Winampa*****"" [null data]
"SDTray" = ""C:\Program Files\Spyware Doctor\SDTrayApp*****"" ["PC Tools"]
"NvCplDaemon" = "RUNDLL32***** C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc***** -startgui" ["Sygate Technologies, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
  -> {HKLM...CLSID} = "Mobile Device"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Wcesview.dll" [MS]
"{EBDF1F20-C829-11D1-8233-0020AF3E97A6}" = "ATS Context Menu Shell Extension"
  -> {HKLM...CLSID} = "ATS Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ATS2\contmenu.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ContMenu\(Default) = "{EBDF1F20-C829-11D1-8233-0020AF3E97A6}"
  -> {HKLM...CLSID} = "ATS Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ATS2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ContMenu\(Default) = "{EBDF1F20-C829-11D1-8233-0020AF3E97A6}"
  -> {HKLM...CLSID} = "ATS Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ATS2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ContMenu\(Default) = "{EBDF1F20-C829-11D1-8233-0020AF3E97A6}"
  -> {HKLM...CLSID} = "ATS Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ATS2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Startup items in "Pawel Michalski" & "All Users" startup folders:
-----------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint*****" ["Logitech Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32*****" ["NVIDIA Corporation"]
Spyware Doctor Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\svcntaux*****" ["PC Tools"]
Spyware Doctor Service, sdCoreService, "C:\Program Files\Spyware Doctor\swdsvc*****" ["PC Tools"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc*****" ["Sygate Technologies, Inc."]


----------
(launch time: 2007-08-20 21:23:48)
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 54 seconds,
including 11 seconds for message boxes)

Code:
ComboFix 07-07-30.2 - "Pawel Michalski" 2007-08-20 21:25:34.2 [GMT 2:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-20 12:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2007-08-20 12:42 23,203,560 --a------ C:\kav7.0.0.125pl_[programosy.pl]*****
2007-08-20 12:35 20,096,728 --a------ C:\kav6.0.2.621pl*****
2007-08-20 12:32 <DIR> d-------- C:\Program Files\ATS2
2007-08-20 12:30 6,514,881 --a------ C:\ats2*****
2007-08-16 19:17 <DIR> d-------- C:\DOCUME~1\PAWELM~1\APPLIC~1\FreeCall
2007-08-16 19:16 <DIR> d-------- C:\Program Files\FreeCall.com
2007-08-16 19:15 3,557,552 --a------ C:\setupfreecall*****
2007-08-16 14:19 <DIR> d-------- C:\DOCUME~1\PAWELM~1\APPLIC~1\teamspeak2
2007-08-15 18:20 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-08-15 18:20 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-08-15 18:20 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-08-15 18:20 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-08-15 18:20 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-08-15 18:20 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-08-15 18:20 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-08-15 18:20 <DIR> d-------- C:\Program Files\Sygate
2007-08-15 00:07 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-08-10 20:43 <DIR> d-------- C:\Program Files\Headshot Player
2007-08-10 20:41 4,957,909 --a------ C:\hsplayer_setup*****
2007-08-07 17:18 299,008 --a------ C:\BESTplayer_(www.programs.pl)*****
2007-08-06 22:40 23,702,824 --a------ C:\SkypeSetup*****
2007-08-06 18:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Test Drive Unlimited
2007-08-06 00:24 49,664 --a------ C:\WINDOWS\unvise32*****
2007-08-06 00:24 <DIR> d-------- C:\Program Files\Active Ports
2007-08-04 23:00 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-04 23:00 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-04 23:00 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-04 23:00 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-08-04 23:00 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-04 23:00 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-04 23:00 <DIR> d-------- C:\DOCUME~1\PAWELM~1\APPLIC~1\PC Tools
2007-08-04 22:59 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-04 22:52 27,383,448 --a------ C:\sdsetup*****
2007-08-04 22:37 50,688 --a------ C:\ATF-Cleaner*****
2007-08-02 15:46 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-01 00:38 597,885 --a------ C:\XviD1.0-RC3-29022004*****
2007-08-01 00:38 <DIR> d-------- C:\Program Files\XviD
2007-08-01 00:34 0 --a------ C:\AVICodecPackLite3*****
2007-07-31 22:45 51,200 --a------ C:\WINDOWS\nircmd*****
2007-07-31 22:44 1,376,079 --a------ C:\ComboFix*****
2007-07-31 22:13 812,344 --a------ C:\HJTInstall*****
2007-07-31 22:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-31 19:37 624,128 --a------ C:\findit*****
2007-07-31 19:32 6,467,408 --a------ C:\trsetup*****
2007-07-31 19:10 <DIR> d-------- C:\DOCUME~1\PAWELM~1\APPLIC~1\Lavasoft
2007-07-31 19:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-31 19:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-31 18:59 2,855,080 --a------ C:\aawsepersonal(programosy.pl)*****
2007-07-31 18:57 7,686,911 --a------ C:\spybotsd15*****
2007-07-30 02:28 <DIR> d-------- C:\Program Files\TibiaBot NGGG
2007-07-29 21:48 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-29 21:48 <DIR> d-------- C:\Program Files\TibiaBot NG
2007-07-29 21:47 165,133 --a------ C:\WINDOWS\PowerHEX Uninstaller*****
2007-07-29 21:47 <DIR> d-------- C:\Program Files\PowerHEX
2007-07-29 21:47 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2007-07-29 20:17 <DIR> d-------- C:\Program Files\HyCam2
2007-07-29 19:35 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-07-29 19:35 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-07-29 19:32 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-07-29 19:32 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-07-29 19:32 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-07-29 19:32 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-07-29 19:32 155,648 --a------ C:\WINDOWS\system32\NeroCheck*****
2007-07-29 19:32 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-07-29 19:32 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-07-29 19:32 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-07-29 19:32 <DIR> d-------- C:\Program Files\Ahead
2007-07-28 18:01 <DIR> d-------- C:\DOCUME~1\PAWELM~1\APPLIC~1\Help
2007-07-27 16:46 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-07-27 16:46 78,464 --a------ C:\WINDOWS\system32\drivers\usbvideo.sys
2007-07-27 16:46 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-07-27 16:46 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-07-27 16:46 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-07-27 16:46 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-07-27 16:46 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-07-27 16:46 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-07-27 16:46 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-07-27 16:46 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-07-27 15:34 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-07-27 12:09 <DIR> d-------- C:\DOCUME~1\PAWELM~1\APPLIC~1\Ventrilo
2007-07-27 12:08 <DIR> d-------- C:\Program Files\VentriloMIX


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 21:26 8587296 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-20 21:25 124448 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-20 12:28 77523 --a------ C:\WINDOWS\system32\drivers\klif.cab
2007-08-20 12:07 14540 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-20 12:07 102812 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-30 02:28 --------- d-------- C:\DOCUME~1\PAWELM~1\APPLIC~1\Tibia
2007-07-28 09:54 --------- d-------- C:\Program Files\Tibia Auto
2007-07-27 15:56 --------- d-------- C:\Program Files\Gadu-Gadu
2007-07-17 20:23 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-07-17 15:05 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-17 15:01 --------- d-------- C:\Program Files\Kaspersky Lab
2007-07-17 14:48 --------- d-------- C:\Program Files\Agnitum
2007-07-15 00:56 --------- d-------- C:\Program Files\EEset
2007-07-14 12:59 1165 --a------ C:\WINDOWS\mozver.dat
2007-07-14 02:59 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-14 02:59 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-14 00:26 --------- d-------- C:\Program Files\Tibia
2007-07-13 23:01 --------- d-------- C:\Program Files\K-Lite Codec Pack
2007-07-13 23:00 --------- d-------- C:\Program Files\Winamp
2007-07-13 22:57 --------- d-------- C:\DOCUME~1\PAWELM~1\APPLIC~1\Real
2007-07-13 15:56 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-07-13 15:56 --------- d-------- C:\Program Files\Common Files\ODBC
2007-07-13 14:48 --------- d-------- C:\DOCUME~1\PAWELM~1\APPLIC~1\Gadu-Gadu
2007-07-13 14:45 --------- d-------- C:\Program Files\GIGABYTE
2007-07-13 14:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-13 14:44 --------- d-------- C:\Program Files\Realtek
2007-07-13 14:24 --------- d-------- C:\Program Files\Logitech
2007-07-13 14:24 --------- d-------- C:\Program Files\Common Files\Logitech
2007-07-13 14:24 --------- d-------- C:\DOCUME~1\PAWELM~1\APPLIC~1\Logitech
2007-07-13 14:23 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-13 14:17 --------- d-------- C:\Program Files\Thomson
2007-07-13 14:17 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-13 14:07 0 -rahs---- C:\MSDOS.SYS
2007-07-13 14:07 0 -rahs---- C:\IO.SYS
2007-07-13 14:07 0 --a------ C:\CONFIG.SYS
2007-07-13 14:07 0 --a------ C:\AUTOEXEC.BAT
2007-07-13 14:07 --------- d-------- C:\Program Files\microsoft frontpage
2007-07-13 14:06 --------- d--h----- C:\Program Files\WindowsUpdate
2007-07-13 14:05 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-07-13 14:04 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-07-13 14:04 --------- d-------- C:\Program Files\Movie Maker
2007-07-13 14:03 --------- d-------- C:\Program Files\Windows NT
2007-07-13 14:03 --------- d-------- C:\Program Files\Online Services
2007-07-13 14:03 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-13 14:03 --------- d-------- C:\Program Files\Messenger
2007-06-03 14:31 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-05-31 08:44 740442 --a------ C:\WINDOWS\system32\divx.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz*****" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz*****]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag*****" [2004-01-26 11:38]
"Logitech Hardware Abstraction Layer"="KHALMNPR*****" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR*****]
"RTHDCPL"="RTHDCPL*****" [2006-07-21 10:56 C:\WINDOWS\RTHDCPL*****]
"WinampAgent"="C:\Program Files\Winamp\Winampa*****" [2003-04-02 04:20]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp*****" [2007-06-27 13:54]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc*****" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg*****" [2007-05-10 16:36]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm*****" [2005-11-15 19:44]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer*****" [2007-06-15 10:41]
"FreeCall"="C:\Program Files\FreeCall.com\FreeCall\FreeCall*****" [2007-04-17 14:28]
"Steam"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint***** [2007-07-13 14:24:07]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 Teefer;Teefer for NT;C:\WINDOWS\system32\Drivers\Teefer.sys
R1 IKFileFlt;File Filter Driver;C:\WINDOWS\system32\drivers\ikfileflt.sys
R1 IKFileSec;File Security Driver;C:\WINDOWS\system32\drivers\ikfilesec.sys
R1 IkSysFlt;System Filter Driver;C:\WINDOWS\system32\drivers\iksysflt.sys
R1 IKSysSec;System Security Driver;C:\WINDOWS\system32\drivers\iksyssec.sys
R1 wpsdrvnt;wpsdrvnt;\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
R2 wg3n;SyGate for NT, wg3n;C:\WINDOWS\system32\Drivers\wg3n.sys
R2 wg4n;SyGate for NT, wg4n;C:\WINDOWS\system32\Drivers\wg4n.sys
R2 wg5n;SyGate for NT, wg5n;C:\WINDOWS\system32\Drivers\wg5n.sys
R2 wg6n;SyGate for NT, wg6n;C:\WINDOWS\system32\Drivers\wg6n.sys
R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN);C:\WINDOWS\system32\DRIVERS\alcan5wn.sys
R3 alcaudsl;SpeedTouch ADSL Modem ATM Transport;C:\WINDOWS\system32\DRIVERS\alcaudsl.sys
R3 LHidKe;Logitech SetPoint HID Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
S3 usb_rndisx;USB RNDIS Adapter;C:\WINDOWS\system32\DRIVERS\usb8023x.sys
S3 usbvideo;USB Video Device (WDM);C:\WINDOWS\system32\Drivers\usbvideo.sys

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 21:26:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 21:27:48
C:\ComboFix-quarantined-files.txt ... 2007-08-20 21:27
C:\ComboFix2.txt ... 2007-08-05 18:07
--- E O F ---