není tam špicl? Vyřešeno

[karlos]

Mám pocit, že mi zaměstnavatel "kouká přes rameno", nemá tam něco spuštěné? Dík.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:06, on 11.11.2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\WTablet\TabUserW.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\benes.petr\Dokumenty\iconoid\Iconoid\iconoid.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\benes.petr\Dokumenty\Nová složka\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cep-czechia.scherdel.com:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Iconoid] "C:\Documents and Settings\benes.petr\Dokumenty\iconoid\Iconoid\iconoid.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
O23 - Service: TabletServicePen - Unknown owner - C:\WINNT\system32\Pen_Tablet.exe (file missing)

--
End of file - 3964 bytes

[Reklama]

[jaro3]

Spusť znovu HJT a klikni na Open the Misc Tools section.
Pak klikni na Open Uninstall Manager.Klikni na Save List a ulož si ho do dokumentů.Celý obsah sem zkopíruj.

Stáhni si RSIT (by random/random)
- spusť ho, objeví se ti okno, tak pro pokračování klikni na Continue
- počkej až program proběhne a zobrazí se ti log jinak ho najdeš zde: C:\rsit\log.txt zkopíruj sem prosím celý jeho obsah

[karlos]

32 Bit HP BiDi Channel Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9 - Czech
Aktualizace systému Windows Media Player (9 Series)
ATI Control Panel
ATI Display Driver
BitScope DSO
CCleaner (remove only)
Control Techniques Communications Server
CP210x USB to UART Bridge Controller
Crouzet Logic Software M2 v1.3.6
CTSoft
CWGenericBase-Runtime Setup
EDK Control
EL-sizing
Flexi Soft Designer 1.2.0.70
FLV Player 1.3.3
FPWIN Pro 5
FST 4.02 (English)
GTWIN
HijackThis 2.0.2
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
IrfanView (remove only)
Java(TM) 6 Update 13
Microsoft .NET Framework 2.0
Microsoft Internet Explorer 6 SP1
Microsoft Office 2000 Premium
Microsoft Visual C++ 6.0 Introductory Edition
Mozilla Firefox (3.5.4)
Mozilla Thunderbird (2.0.0.14)
MV2Player (remove only)
NOD32 Antivirus System
PCWAY English
ProfiCAD
Softarová utilita ATI - Odinstalovat
SoundMAX
Synaptics Pointing Device Driver
Tablet
Unitronics U90 Ladder
Unitronics VisiLogic_C
Zelio Soft 2 v2.0.7

Na spuštění RSIT nemám bohužel oprávnění (only administrátor)

[jaro3]

OK.
Tak jen EDK Control /docházka?
http://www.coptm.cz/manualy_data/sw/edk_control_v14.pdf
To neznám , ale keylogger to není...

Zavři ostatní aplikace a prohlížeče, odpoj se od netu a fixni v HJT:
Návod

Kód: Vybrat vše

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
icwconn1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


Ten proxy znáš:

Kód: Vybrat vše

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cep-czechia.scherdel.com:3128

Zkus toto , ale asi taky nepůjde:

Stáhni si a spusť DDS (by sUBs)
a ulož si ho na plochu.
- spusť ho, objeví se ti okno a tak do něho neklikej a počkej až program proběhne
- po ukončení své činnosti program vytvoří 2 logy a vyhodí ti informativní okno. To zavři přes OK
- vlož sem pak oba logy z DDS

Nebo:
Stáhni si tools:
http://www.edisk.cz/stahni/41162/tools.rar_7.06MB.html

Rozbal si archiv do svého adresáře. Soubory jsou záměrně pojmenované jinak než jsou původní programy.
itr - RSIT
buss - DDS
VerTerm - Combofix
pokud ti pojede VerTerm, tak sem vlož z něho log.

Stáhni si a spusť DDS (by sUBs)

[karlos]

EDK je opravdu docházka, proxy znám a pokračovat budu až zítra, protože jsem již z práce doma. Zatím dík.

[karlos]

Nové ráno, nový den, tvářím se radostně a vkládám požadované logy.


DDS (Ver_09-10-26.01) - NTFSx86
Run by benes.petr at 7:17:28,15 on źt 12.11.2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_13
Microsoft Windows 2000 Professional 5.0.2195.4.1250.420.1029.18.1023.691 [GMT 1:00]


============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\WTablet\TabUserW.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\benes.petr\Dokumenty\iconoid\Iconoid\iconoid.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\benes.petr\Plocha\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = proxy.cep-czechia.scherdel.com:3128
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [internat.exe] internat.exe
uRun: [Iconoid] "c:\documents and settings\benes.petr\dokumenty\iconoid\iconoid\iconoid.exe"
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [Promon.exe] Promon.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [internat.exe] internat.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\nabdka~1\programy\posput~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: c:\winnt\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\benes~1.pet\dataap~1\mozilla\firefox\profiles\3s9wizp8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz
FF - prefs.js: network.proxy.ftp - proxy.cep-czechia.scherdel.com
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - proxy.cep-czechia.scherdel.com
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - proxy.cep-czechia.scherdel.com
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - proxy.cep-czechia.scherdel.com
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - proxy.cep-czechia.scherdel.com
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\benes.petr\data aplikací\mozilla\firefox\profiles\3s9wizp8.default\extensions\{3502a070-ea2f-11dd-ba2f-0800200c9a66}\components\mintray-9178506d-2005072516-trunk.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.XMLHttpRequest.channel", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.jit.chrome", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("security.checkloaduri", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("bidi.characterset", 1);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\channel-prefs.js - pref("app.update.channel", "release");
c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\winnt\system32\drivers\nod32drv.sys [2009-3-31 15424]
R2 Iprip;Služba RIP Listener;c:\winnt\system32\svchost.exe -k netsvcs [2003-7-3 7952]
R3 openhci;Ovladač otevřeného hostitelského řadiče USB;c:\winnt\system32\drivers\openhci.sys [2003-7-3 24784]
R3 usbhub20;Podpora rozbočovače sběrnice USB;c:\winnt\system32\drivers\usbhub20.sys [2009-3-31 49776]
S2 TabletServicePen;TabletServicePen;c:\winnt\system32\pen_tablet.exe --> c:\winnt\system32\Pen_Tablet.exe [?]
S3 ctndrvd;CTNet NT Driver;c:\winnt\system32\drivers\ctndrv2.sys [2009-3-31 6488]

=============== Created Last 30 ================

2009-11-12 06:17:28 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_418.dat
2009-11-12 05:51:58 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_298.dat
2009-10-30 06:56:41 70 ----a-w- c:\winnt\wininit.ini
2009-10-13 09:15:28 0 d-----w- c:\program files\PonyProg

==================== Find3M ====================

2009-10-01 11:39:29 3356026 ----a-w- c:\winnt\REGBK01.ZIP
2009-09-21 09:16:23 3354775 ----a-w- c:\winnt\REGBK00.ZIP
2009-09-21 08:51:18 34048 ----a-w- c:\winnt\system32\eEmpty.exe
2009-03-31 15:59:11 271 ---h--w- c:\program files\desktop.ini
2009-03-31 15:59:11 22034 ---h--w- c:\program files\folder.htt
2003-07-03 12:00:00 32528 ----a-w- c:\winnt\inf\wbfirdma.sys

============= FINISH: 7:17:39,08 ===============



Microsoft Windows 2000 Professional
Boot Device: \Device\Harddisk0\Partition1
Install Date:
System Uptime: 11.12.2009 7:50:58 (-696 hours ago)

Motherboard: Compaq | | 07F4
Processor: Mobile Intel(R) Pentium(R) 4 - M CPU 1.80GHz | J1 | 1794/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 20 GiB total, 13,586 GiB free.
D: is FIXED (NTFS) - 92 GiB total, 91,135 GiB free.
E: is CDROM ()
F: is NetworkDisk (NTFS) - 197 GiB total, 99,836 GiB free.
G: is NetworkDisk (NTFS) - 197 GiB total, 99,836 GiB free.
H: is NetworkDisk (NTFS) - 197 GiB total, 99,836 GiB free.
J: is Removable
K: is Removable
L: is Removable
M: is NetworkDisk (NTFS) - 197 GiB total, 99,836 GiB free.
N: is Removable

==== Disabled Device Manager Items =============

Class GUID:
Description: Řadič jednoduché komunikace pro sběrnici PCI
Device ID: PCI\VEN_11C1&DEV_0450&SUBSYS_04501468&REV_02\4&139E449D&0&20F0
Manufacturer:
Name: Řadič jednoduché komunikace pro sběrnici PCI
PNP Device ID: PCI\VEN_11C1&DEV_0450&SUBSYS_04501468&REV_02\4&139E449D&0&20F0
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

32 Bit HP BiDi Channel Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9 - Czech
Aktualizace systému Windows Media Player (9 Series)
ATI Control Panel
ATI Display Driver
BitScope DSO
CCleaner (remove only)
Control Techniques Communications Server
CP210x USB to UART Bridge Controller
Crouzet Logic Software M2 v1.3.6
CTSoft
CWGenericBase-Runtime Setup
EDK Control
EL-sizing
Flexi Soft Designer 1.2.0.70
FLV Player 1.3.3
FPWIN Pro 5
FST 4.02 (English)
GTWIN
HijackThis 2.0.2
Iconoid Version 3.8.5
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
IrfanView (remove only)
Java(TM) 6 Update 13
Microsoft .NET Framework 2.0
Microsoft Internet Explorer 6 SP1
Microsoft Office 2000 Premium
Microsoft Visual C++ 6.0 Introductory Edition
Mozilla Firefox (3.5.4)
Mozilla Thunderbird (2.0.0.14)
MV2Player (remove only)
NOD32 Antivirus System
PCWAY English
PonyProg v1.17h
ProfiCAD
Softarová utilita ATI - Odinstalovat
SoundMAX
Synaptics Pointing Device Driver
Tablet
Unitronics U90 Ladder
Unitronics VisiLogic_C
WebFldrs
Zelio Soft 2 v2.0.7

==== End Of File ===========================

[jaro3]

Aktualizuj javu:
Java SE Runtime Environment 6u17
Vyber OS ( předpokládám Windows), dej zatržítko agree-continue
Vyber:
Windows Offline Installation
jre-6u17-windows-i586-p.exe
Ostatní javy odeber v přidat/odebrat programy.

Máš zbytky po MWAVu.

použij T-Cleaner
smaže vše po Combu,SDFixu,Avengeru,MWAVu atd.-stáhneš>spustíš

pozn. před stažením T-Cleaneru a po dobu čištění deaktivuj AVG či Avast, následně T-Cleaner smaž a zapni si AVG.



Nic tam závadného nevidím, ani keylogger.
WebFldrs - to je tuším něco se spravováním vzdálených souborů . Takže asi nic.

[karlos]

Díky. Patrně je šéf opravdu jasnovidec Vždycky ví naprosto přesně, kde mě nachytá na švestkách, asi budu muset začít pracovat...