| |
|
|
thanks for comm :lol
|
 |
|
|
Thế mất ăn mất ngủ được mấy hôm rồi?
lnvlslble có hiểu cái lệnh mà bác conmale đưa ở trên để làm gì không? trả lời được thì bàn tiếp. Còn không thì cứ ở đó mà mất ăn với cả mất ngủ nhé.
em chỉ hiểu câu lệnh netstat -na dùng để hiện thị các cổng mở trong hệ thống, nhưng nhìn vào ko hiểu cái nào đang kết nối từ bên ngoài vào 
netstat -na | find "1434" chắc là tìm cổng 1434  -))
|
|
|
|
light.phoenix wrote:
Worm Slammer tấn công ngẫu nhiên các máy bằng cách broadcast gói tin UDP chứa đoạn mã khai thác lỗi.Máy bạn không có cài SQL server 2000, tức là port 1434 của dịch vụ này không sử dụng, nên không thể bị ảnh hưởng bởi gói tin nhận được này. Chương trình KIS của bạn có DB chứa signature về gói tin của slammer, nên cảnh báo vậy thôi.
Tóm lại là bạn không phải làm gì hết  Máy bạn cũng chưa hề nhiễm Slammer.
PS: Mình không hiểu sao OneNote lại liên quan gì ở đây  ?
chết chết em òy -)) hồi trước lâu rùi em có cài SQL server 2000 định làm localhost để test. Nhưng cài ko được em gỡ luôn lúc đó. Không biết lúc cài thế nó dính rùi bi giờ nó vẫn còn ở trong máy phải ko bác.? -)) VD bi giờ nó còn ở trong máy thì nó phá hoại cái gì.? 1 khi SQL server 2000 đã ko còn trong máy thì có ảnh hưởng bởi con này ko bác.? -))
Thanks for comm..
Edit: cho dù đã uninstall SQL Server 2000 ra khỏi PC nhưng port 1434 hiện tại vẫn mở và nó vẫn attack vào được phải ko bác.? Muốn đóng port 1434 vào thì đóng bằng cách nào.? Em mất ăn mất ngủ với con này quá -))
|
|
|
|
í bác là ghost lại win.?  hay ghost gì hả bác.? Win em mới ghost hôm qua xong -)) nhưng vẫn bị attack -))
|
|
|
|
trời -)) nó có ảnh hưởng gì ko bác.? Mức độ ảnh hưởng cụ thể thế nào hả bác.? nó có vào máy mình down và up load được ko.? Vì em dùng gói "chơi nhiêu tính nhiêu" của Viettel nên sợ đến tháng trả tiền mệt nghỉ á -)) -))
chài tự nhiên bị dính con này -)) -))
thanks bác
|
|
|
|
lnvlslble wrote:
Code:
Tracing route to 222.178.47.9 over a maximum of 30 hops
1 18 ms <1 ms <1 ms 192.168.1.1
2 8 ms 6 ms 6 ms 125.234.64.1
3 7 ms 6 ms 6 ms 203.113.188.252
4 7 ms 6 ms 7 ms 203.113.158.28
5 945 ms 925 ms 904 ms if-4-1.core1.HK2-HongKong.teleglobe.net [216.6.95.109]
6 865 ms 816 ms 820 ms if-9-0.core1.TV2-Tokyo.teleglobe.net [209.58.61.1]
7 851 ms 847 ms 896 ms if-3-3.mcore3.LAA-LosAngeles.teleglobe.net [216.6.84.25]
8 853 ms
Code:
Tracing route to 222.81.8.46 over a maximum of 30 hops
1 17 ms <1 ms <1 ms 192.168.1.1
2 8 ms 6 ms 6 ms 125.234.64.1
3 7 ms 6 ms 6 ms 203.113.188.252
4 6 ms 6 ms 6 ms 203.113.158.28
5 667 ms 695 ms 713 ms 202.97.4.241
6 728 ms 722 ms 772 ms 202.97.33.177
7 868 ms 856 ms 856 ms 202.97.33.37
8 981 ms 947 ms * 202.97.34.133
9 1073 ms 1052 ms 1054 ms 202.97.38.206
10 881 ms 857 ms 849 ms 202.97.72.30
11 * 1158 ms 1134 ms 202.97.72.102
12 916 ms 911 ms 943 ms 222.83.17.86
13
Code:
Tracing route to 61.153.13.53 over a maximum of 30 hops
1 18 ms <1 ms <1 ms 192.168.1.1
2 7 ms 6 ms 6 ms 125.234.64.1
bác vọc hộ em với ) thanks
|
|
|
|
Code:
Tracing route to 222.178.47.9 over a maximum of 30 hops
1 18 ms <1 ms <1 ms 192.168.1.1
2 8 ms 6 ms 6 ms 125.234.64.1
3 7 ms 6 ms 6 ms 203.113.188.252
4 7 ms 6 ms 7 ms 203.113.158.28
5 945 ms 925 ms 904 ms if-4-1.core1.HK2-HongKong.teleglobe.net [216.6.95.109]
6 865 ms 816 ms 820 ms if-9-0.core1.TV2-Tokyo.teleglobe.net [209.58.61.1]
7 851 ms 847 ms 896 ms if-3-3.mcore3.LAA-LosAngeles.teleglobe.net [216.6.84.25]
8 853 ms
Code:
Tracing route to 222.81.8.46 over a maximum of 30 hops
1 17 ms <1 ms <1 ms 192.168.1.1
2 8 ms 6 ms 6 ms 125.234.64.1
3 7 ms 6 ms 6 ms 203.113.188.252
4 6 ms 6 ms 6 ms 203.113.158.28
5 667 ms 695 ms 713 ms 202.97.4.241
6 728 ms 722 ms 772 ms 202.97.33.177
7 868 ms 856 ms 856 ms 202.97.33.37
8 981 ms 947 ms * 202.97.34.133
9 1073 ms 1052 ms 1054 ms 202.97.38.206
10 881 ms 857 ms 849 ms 202.97.72.30
11 * 1158 ms 1134 ms 202.97.72.102
12 916 ms 911 ms 943 ms 222.83.17.86
13
bác vọc hộ em với ) thanks
|
|
|
|
tmd wrote:
Cái log này đâu có gì lạ lùng .
PS :Nhưng máy này Ram không đủ để chạy tốt hết software đó. cidaemon.exe, cisvc.exe chạy lên kìa. Gở bớt software nào đó không sài ra. Trong gói office đó có nhiều thứ không sài, gở bớt ra. Windows có bảng quyền, nếu cài office vào, "linh kiện" của windows, Office tự update, tự chạy nhiều->tốn Ram. Cài Soft chạy hiệu quả cao-> tốn Ram.
thanks bác đã check và tư vấn, đúng là RAM em rất phẽo, chỉ 256 thôi 
|
|
|
|
em dùng firewall của trình KIS như trên hình được ko bác.? bác chỉ em cách đóng port 1434 này vào được ko.? e bị attack hoài à 
Em cài nguyên bộ Office trong đó có Onenote khi mới cài win luôn, em cài vào nhưng cũng chả đụng đến nó chỉ đụng đến word, excel, powerpoint thui
đường dẫn của nó thì đây, toàn bộ bộ office nằm ở đây C:\Program Files\Microsoft Office\Office12
|
|
|
|
Bác xem hộ em phát ) thanks man..!
Code:
Logfile of HijackThis v1.99.1
Scan saved at 11:54:00 PM, on 3/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn0\YTBSDK.exe
D:\UniKey\UniKey.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.vn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IEbho Class - {68C55168-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKCU\..\Run: [RAMSaverPro] C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7pro - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Ctrl+Alt+7 - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172488014656
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
 |
|
|
|
|
update: mình có thể đóng cái port 1434 đó lại được không.? Đóng lại bằng cách nào và nó có ảnh hưởng gì khi mình vào mạng ko.?
|
|
|
|
các bác cho em hỏi trong khoang 1 - 2 ngày gần đây mạng nhà em bị hiện tượng lạ này khi truy cập vào các site trong đó có cả HVA này. Hiện tượng nó là ntn (
Network Error (tcp_error)
A communication error occurred: "Operation timed out"
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
For assistance, contact your network support team.
mình F5 vài 3 lần thì hết bị hiện tượng này, xong dùng được 1 lúc thì nó lại hiện ra cái Network error này >> lại F5 thì dung đc...
còn trình duyệt IE thì nó lâu lâu cũng hiện ra lỗi don't send như thế này
bác nào đã từng bị hiện tượng trên chỉ em cách fix với. Thanks u.! )
|
|
|
|
Bộ sources php hỗ trợ down thằng Rapidshare.com/.de - Megaupload..
các bác vào trang rapileech.org, down bộ source php về. Up nguyên bộ đó lên host ( yêu cầu host hỗ trợ gì thì vào rapileech đọc ) xong CHMOD cho toàn bộ thành 777. Đến đây là okie roài
Việc tiếp theo là mở đường dẫn đến file index ( VD: _http://tênhost.com/getlink/index.html ) copy link prapid hay mega roài paste nó vào ( cần dùng proxy thì thêm vào ) đợi nó leech về host mình --> việc cuối cùng là down nó về bằng IDM hat Flashget....
Ưu điểm: leech nhanh down nhanh chóng mặt. Nếu có 1 host xịn và kết hợp với dùng proxy nữa thì Okie. Tôi leech 1 part phim 129MB về trong vòng 3 phút, và down nó về trong vòng hơn 7 phút. Dùng cái này good hơn sử dụng các tool phổ biến như hiện nay.
Khuyết điểm lớn nhất là các host kén thằng này.
1 số free host dùng để chơi các file dưới 60MB
ctrlalthost.com <-- thằng này okie, nhưng phải leech file dưới 60MB thôi. Trên 60MB nó banned host. Dùng host này để down các soft thì cool lắm.
webs4000.com <-- thằng này ngon nhưng khi leech xong rùi nhớ change đuôi file nhé, VD .zip thì thành .txt hay đại loại thì mới down về được.
|
|
|
|
|
thanks các bác đã reply. Đúng là em ko chạy cái SQLSERVER nào mà tự nhiên đi update bản patch thì vô lý thật. Mà bị attack vào cái SQLSERVER thì càng chuối hơn.
|
|
|
|
thanks các bác đã reply )
Cái log này thấy ở khắp nơi. Thông tin con worm đó có nói, http://www.viruslist.com/en/news?id=59188, http://www.viruslist.com/en/viruslist.html?id=59159
Nếu có internet, cắm cáp cho chạy nét bình thường, rồi gỏ lại cái lệnh của Mod Conmale lần nửa . Có gì update bản patch theo hướng dẫn trong link.
The patch for MS SQL Server 2000 is available at: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602
Vào 2 link trên của bác nó đều bảo vào theo đường dẫn này để update bản patch, nhưng khi click vào thì Microsoft lại báo là The download you requested is unavailable -))
Nên trường hợp của bạn, giống như đạn lạc bay vào người đã mặc áo giáp ấy. Tất nhiên là sẽ có vết trên áo giáp
bi giờ em muốn ko bị attack thì làm thế nào hả bác.? Em cũng biết là đã có giáp nhưng vấn đề là làm sao fix không cho nó attack mình nữa đó bác. Chứ bị vậy hoài bực mình thiệt
Cũng không tự nhiên mà máy này bị con worm đó phá rồi. Cũng phái có chuyện gì đó. Có thể do vô số ứng dụng có liên quan tới db trên máy. Tui nghỉ vậy. Tui đoán là bộ cài Onenote... có gì đó rồi.
PS: Bạn có thể tường thuật một số hiện tượng trước khi có cái báo lỗi. Khi cài software của Microsoft, rồi quá trình sử dụng. Để bà con học hỏi với.
Em nghĩ hơi vô lý, máy em ko dùng làm web server, ko chia sẻ file upload hay download với ai, ko làm localhost luôn mà. Bác nói bộ cài Onenote là gì hả bác.? bác có thể cho em biết rõ 1 chút ko.?
Trước và sau khi nó attack em thì chả có hiện tượng gì cả, vẫn duyệt web ngon lành. Khi nó attack thì trình KIS nó báo như hình này thôi. Em có vào phần banned hosts của thằng KIS này thì có cái IP của nó nằm ở đây. Con worm này có đặc điểm là thay IP liên tục mỗi lần nó attack. Các bác nhìn hình thì cũng rõ -))
Vấn đề em muốn giúp đỡ là làm cách nào để ko bị attack nữa, chỉ sợ nó attack vào rùi nó download hay upload gì đó thì đến tháng nhà em trả tiền NET chết luôn quá. -))
thanks for comm )
Edit: mình có thể đóng cái port 1434 đó lại được không.? Đóng lại bằng cách nào và nó có ảnh hưởng gì khi mình vào mạng ko.?
|
|
|
|
|
thanks, nhưng nó có ảnh hưởng gì ko bác.?
|
|
|
|
cám ơn các bác đã reply sớm ) mong các bác check hộ em. Thanks.!
Logfile of HijackThis v1.99.1
Scan saved at 1:48:12 PM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cmd.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.vn/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IEbho Class - {68C55168-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKCU\..\Run: [RAMSaverPro] C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7pro - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Ctrl+Alt+7 - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172488014656
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{117C654D-70A6-4E2B-B7B2-44D7AB3D4B9A}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{117C654D-70A6-4E2B-B7B2-44D7AB3D4B9A}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{117C654D-70A6-4E2B-B7B2-44D7AB3D4B9A}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
|
|
|
|
* Microsoft SQL Server. SQL Server có thể cho phép những kẻ tấn công (và sâu) thay đổi nội dung CSDL, tải xuống thông tin riêng tư hoặc chiếm quyền kiểm soát tất cả máy chủ. Vô hiệu hóa SQL/MSDE Monitor Service trên cổng UDP 1434.
đọc được đoạn này sợ quá
bác nào có miếng vá này cho em với, em đang bị attack liên tuc, mặc dù máy đang dùng KIS Máy em ko sử dụng để làm server hay thậm chí chả dùng để làm localhost luôn. Bị cái Intrusion.Win.MSSQL.worm này làm phiền thì ức chế vãi các bác a. Máy thì luôn update sercurity từ Microsoft. Mong đc giúp đỡ, thanks
Logfile of HijackThis v1.99.1Up To Date Version of HijackThis
You are using the latest version of HijackThis. Check www.merijn.org frequently for updates.
Scan saved at 12:00:03 PM, on 2/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exeSmss.exe
What is it?
Session Manager SubSystem - smss.exe
What does it do?
smss.exe - This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).
Additional Reading:
Smss.exe does not resolve forward references in environment
You will not be able to end this through task manager!
More info
--------------------------------------------------------------------------------
Virus Precaution:
The smss.exe which is from Microsoft is located at c:windowsSystem32smss.exe . We've been able to find several viruses that run as smss to trick you.
Adware.Advision - Symantec Corporation
Adware.DreamAd - Symantec Corporation
Backdoor.IRC.Aladinz.O - Symantec Corporation
Backdoor.IRC.Flood.F - Symantec Corporation
W32.Dalbug.Worm - Symantec Corporation
W32.Resdoc - Symantec Corporation
C:\WINDOWS\system32\winlogon.exeWinlogon.exe
What is it?
Windows Logon Process - Winlogon.exe
What does it do?
Direct Quote from here:
This is the process responsible for managing user logon and logoff. Moreover, Winlogon is active only when the user presses CTRL+ALT+DEL, at which point it shows the security dialog box.
Search MS for more info: Link
Virus Precaution:
The original Winlogon.exe from Microsoft gets placed in the C:WINDOWSSystem32 directory. if you find it anywhere else then you should be suspicious for sure.
You'll want to keep an eye on this google search for any known viruses. We've been able to find only 1 report of a virus so far.
Troj/Madr-B @ Sophos
Netsky.D @ Trend Micro
C:\WINDOWS\system32\services.exeservices.exe
services.exe is a part of Windows that manages the processes. Anytime a service starts or stops it is through services.exe. During system startup and shutdown is when this process sees most of its action. You should never end this process unless it is running outside of your windows system folder.
C:\WINDOWS\system32\lsass.exelsass.exe
What is it?
Local Security Authentication Server - lsass.exe
What does it do?
lsass.exe - It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.
You will not be able to end this through task manager!
From MS
--------------------------------------------------------------------------------
The lsass.exe which is from Microsoft is located at c:windowsSystem32lsass.exe . there's a few viruses that have been found to run as lsass.exe to hide from you.
C:\WINDOWS\system32\svchost.exeSvchost.exe
What is it?
Service Host Process - svchost.exe
What does it do?
Here's a direct quote from MS about this: (source)
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.
Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionSvchost
Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesS ervice
If you're running Windows XP Home edition then you'll have to download this file HERE and put it in your windows/system32 directory. If you're running XP Pro then you won't need that file since you already have it.
1.) Start --> Run --> cmd
2.) Tasklist /svc >C:ianaginfo.txt
Here's an example of what I got when I issued this command if you'd like to take a look at an example.
A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056
More Info
More Info
Virus Precaution:
The original file from Microsoft gets placed in the Located in C:WINDOWSSystem32 directory. If you find it anywhere else then you should be suspicious for sure.
You'll want to keep an eye on this google search for any known viruses.
C:\WINDOWS\System32\svchost.exeSvchost.exe
What is it?
Service Host Process - svchost.exe
What does it do?
Here's a direct quote from MS about this: (source)
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.
Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionSvchost
Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesS ervice
If you're running Windows XP Home edition then you'll have to download this file HERE and put it in your windows/system32 directory. If you're running XP Pro then you won't need that file since you already have it.
1.) Start --> Run --> cmd
2.) Tasklist /svc >C:ianaginfo.txt
Here's an example of what I got when I issued this command if you'd like to take a look at an example.
A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056
More Info
More Info
Virus Precaution:
The original file from Microsoft gets placed in the Located in C:WINDOWSSystem32 directory. If you find it anywhere else then you should be suspicious for sure.
You'll want to keep an eye on this google search for any known viruses.
C:\WINDOWS\system32\spoolsv.exeSpoolsv.exe
What is it?
SPOOLer SerVice - spoolsv.exe
What does it do?
spoolsv.exe - The spooler service is responsible for managing spooled print/fax jobs
You will be able to end this through task manager!
More info
--------------------------------------------------------------------------------
Virus Precaution:
The spoolsv.exe which is from Microsoft is located at c:windowsSystem32spoolsv.exe . We've been able to find several viruses that run as spoolsv to trick you.
Backdoor.Ciadoor.B - Symantec Corporation
Hacktool.Privshell - Symantec Corporation
VBS.Masscal.Worm (vbs) - Symantec Corporation
Graybird-A @ Sophos
C:\WINDOWS\Explorer.EXEexplorer.exe
What is it?
Windows Explorer - explorer.exe
What does it do?
explorer.exe - Below is a direct quote from Microsoft found on THIS page:
This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.
I have found that stopping this process is needed sometimes to stop some other processes.
More Info
More Info
Virus Precaution:
The original file from Microsoft gets placed at C:WINDOWSSystem32explorer.exe . if you find it anywhere else then you should be suspicious for sure.
You'll want to keep an eye on this google search for any known viruses. There's only one unique virus found through this search. All of the results are the various names of this single virus.
Deloder-A @ Sophos
MyDoom.B @ Symantec
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exeavp.exe
avp.exe - This third party application seems to be harmless, currentely not sure what it does.
C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exeUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
C:\WINDOWS\system32\ctfmon.exectfmon.exe
What is it?
Language bar AKA Alternative User Input Services - ctfmon.exe
What does it do?
ctfmon.exe - it's an ever annoying helper tool that comes rather unexpectedly at times and liked by nearly nobody.
Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.
Loads of information can be found on microsoft's site here.
Unless you're using anything in that list above you'll want to stop this file from loading!
How do I get rid of it?
There's been a number of threads in our forum as well as others about this. A typical thread can be found here.
control panel --> regional and language options --> languages tab --> details button --> language bar button
Virus Precaution:
Just like so many of the other files I've written about so far, ctfmon.exe is located in the c:windowsSystem32ctfmon.exe. At the time of this writing there isn't any spyware, viruses or anything like that masking itself as this file. If you find any info on one then please let me know!
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exeaDefragService.exe
We Don't know! Please post a comment with information about this file
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exeGoogleToolbarNotifier.exe
We Don't know! Please post a comment with information about this file
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exeavp.exe
avp.exe - This third party application seems to be harmless, currentely not sure what it does.
C:\WINDOWS\system32\svchost.exeSvchost.exe
What is it?
Service Host Process - svchost.exe
What does it do?
Here's a direct quote from MS about this: (source)
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.
Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionSvchost
Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesS ervice
If you're running Windows XP Home edition then you'll have to download this file HERE and put it in your windows/system32 directory. If you're running XP Pro then you won't need that file since you already have it.
1.) Start --> Run --> cmd
2.) Tasklist /svc >C:ianaginfo.txt
Here's an example of what I got when I issued this command if you'd like to take a look at an example.
A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056
More Info
More Info
Virus Precaution:
The original file from Microsoft gets placed in the Located in C:WINDOWSSystem32 directory. If you find it anywhere else then you should be suspicious for sure.
You'll want to keep an eye on this google search for any known viruses.
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exeUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
What is it?
Internet Explorer - iexplore.exe
What does iexplore.exe do?
This is the main executable to the browser brought to you by Microsoft. If you're using this then please look into Firefox. This browser is a security hazard
Microsoft's information page.
Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of iexplore.exe is C rogram FilesInternet Exploreriexplore.exe There's a LOT of bugs you need to worry about if the exe is running in any location other than that one.
search Trend Micro.
C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn0\YTBSDK.e xeYTBSDK.exe
We Don't know! Please post a comment with information about this file
C:\WINDOWS\system32\msiexec.exeMsiExec.exe
MsiExec.exe is the executable for the windows installer. This should only be running while you are running an installer. If this is still running after the installer has completed it should be safe to end this process.
C:\HijackThis.exeHijackThis.exe
This is our favorite application for fighting against malware and other trashy application that bog systems down. Our guide to using this software can be found here. We have also taken the time to write a system to process the log files created from this application here.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...e.htmlInternet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com if theres a site you don't know here clean this line!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco...oo.comInternet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com if theres a site you don't know here clean this line!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com.vn/Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com if theres a site you don't know here clean this line!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com if theres a site you don't know here clean this line!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/...oo.comInternet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com if theres a site you don't know here clean this line!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...h.htmlInternet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com if theres a site you don't know here clean this line!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/...oo.comInternet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com if theres a site you don't know here clean this line!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com if theres a site you don't know here clean this line!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco...oo.comInternet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com if theres a site you don't know here clean this line!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllDefault Search Page
When using the search toolbar this is your default search. Should be either yahoo, msn or google cause all others suck
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dllUnnamed BHO
IDMIECC.dll - Internet Download Manager http://www.internetdownloadmanager.com/index.html
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllUnnamed BHO
Ycomp*_*_*_*.dll yt.dll - Yahoo Companion http://companion.yahoo.com/
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)File Missing
When a file is missing, you should always have HijackThis fix the item.
O2 - BHO: IEbho Class - {68C55168-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dllUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLLUnnamed BHO
GrooveShellExtensions.dll GRA8E1~1.DLL - Groove Virtual Office http://www.groove.net/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dllgoogletoolbar.dll googletoolbar*.dll googlenav.dll googletoolbar_en_*.**-big.dll googletoolbar_en_*.
googletoolbar.dll googletoolbar*.dll googlenav.dll googletoolbar_en_*.**-big.dll googletoolbar_en_*.*.**-deleon.dll - Google Toolbar http://toolbar.google.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dllUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dllUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"AVP
"Added by the MUTBO-A TROJAN!"
O4 - HKCU\..\Run: [RAMSaverPro] C:\Program Files\WinTools\RAM Saver Pro\ramsaverpro.exeUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeCtfmon.exe
"CoolWebSearch Ctfmon32 parasite variant"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exeswg
"Companion to the Google Toolbar that lets you keep Google as your default search engine and prevents this setting from being changed without your consent. Shouldn't remain in memory after the feature is disabled as it's a bug - see here"
O8 - Extra context menu item: &Define - file://C:\Program Files\IEToys\Webster.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: &Delete Images - file://C:\Program Files\IEToys\CleanDom.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: &Google - file://C:\Program Files\IEToys\Google.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: &MSN - file://C:\Program Files\IEToys\MSN.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: Access&Keys - file://C:\Program Files\IEToys\AccessKeys.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000Internet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: Encyclopedia &Lookup - file://C:\Program Files\IEToys\WebEncyc.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: HTML So&urce - file://C:\Program Files\IEToys\HTMLSrc.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: I&mage List - file://C:\Program Files\IEToys\ImageList.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: Linkif&y && Open - file://C:\Program Files\IEToys\Linkify.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htmInternet Right Click Menu
Most of the time this is garbage leave it only if you actually use this function. Otherwise for the sake of cleanliness get rid of this sucker. A wise man once said Cleanliness is next to godliness
O9 - Extra button: IE7pro - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dllUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
O9 - Extra 'Tools' menuitem: IE7pro Ctrl+Alt+7 - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dllUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dllUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dllRogers Yahoo! Services
SBC_Yahoo!_Browser_realted Note: File is found in Crogram FilesYahoo!Common folder.
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLResearch
Microsoft Office related
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeWindows Messenger
Related to Microsoft's Windows Messenger.
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeWindows Messenger
Related to Microsoft's Windows Messenger.
O9 - Extra button: ProxyPick - {FFFFF28F-A66E-4D5D-996F-1A4450298FFF} - "C:\Program Files\IEToys\ProxyPick.exe" (file missing)File Missing
When a file is missing, you should always have HijackThis fix the item.
O9 - Extra 'Tools' menuitem: ProxyPick - {FFFFF28F-A66E-4D5D-996F-1A4450298FFF} - "C:\Program Files\IEToys\ProxyPick.exe" (file missing)File Missing
When a file is missing, you should always have HijackThis fix the item.
O9 - Extra button: Clear all browsing history - {FFFFFF9F-A66E-4D5D-996F-1A4450298FFF} - C:\Program Files\IEToys\ClearTracks.dllUnknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
O11 - Options group: [INTERNATIONAL] International*IE Advanced Options
This is rarely modified by programs.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204Unnamed BHO
http://www.microsoft.com/genuine/dow...displaylang=en
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dllUnnamed BHO
yinst0401.cab - Yahoo Messenger Installer
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cabfscax.cab
Related to F-Secure Online Virus Scanner.
O17 - HKLM\System\CCS\Services\Tcpip\..\{117C654D-70A6-4E2B-B7B2-44D7AB3D4B9A}: NameServer = 208.67.222.222,208.67.220.220Internet Settings
These may not be bad if your internet connection is set manually
O17 - HKLM\System\CS1\Services\Tcpip\..\{117C654D-70A6-4E2B-B7B2-44D7AB3D4B9A}: NameServer = 208.67.222.222,208.67.220.220Internet Settings
These may not be bad if your internet connection is set manually
O17 - HKLM\System\CS2\Services\Tcpip\..\{117C654D-70A6-4E2B-B7B2-44D7AB3D4B9A}: NameServer = 208.67.222.222,208.67.220.220Internet Settings
These may not be bad if your internet connection is set manually
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLLExtra Protocols
There's a few known hijackers that use this but I haven't found anything good come out of these
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dllExtra Protocols
There's a few known hijackers that use this but I haven't found anything good come out of these
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL LExtra Protocols
There's a few known hijackers that use this but I haven't found anything good come out of these
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dllAppInit _DLLs Registry value autorun
Very few known *good* purposes of this. Norton Cleansweep being the headliner of good items
Loads a .dll into memory when a user logs in. Frequently used by VERY bad hijackers.
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dllAppInit_DLLs Registry value autorun
Very few known *good* purposes of this. Norton Cleansweep being the headliner of good items
Loads a .dll into memory when a user logs in. Frequently used by VERY bad hijackers.
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
C:\WINDOWS\system32\WPDShServiceObj.dllShellServic eObjectDelayLoad Registry key autorun
HJT automatically weeds out the good ones here so we'll flag this as bad. Consult a HJT expert before cleaning anything.
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeAdobe LM Service
Required for PhotoshopCS
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exeAshampooDefragService
Related to Ashampoo Magic Defrag Utility
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)File Missing
When a file is missing, you should always have HijackThis fix the item.
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeUnknown Item
|
|
|
|
|
|
|
|
![[Rule]](/hvaonline/templates/viet/images/icon_mini_rule.gif "[Rule]"){kind=icon}
![[Home]](/hvaonline/templates/viet/images/icon_mini_groups.gif "[Home]"){kind=icon}
![[Portal]](/hvaonline/templates/viet/images/icon_mini_portal.gif "[Portal]"){kind=icon}
![[Members]](/hvaonline/templates/viet/images/icon_mini_members.gif "[Members]"){kind=icon}
![[Statistics]](/hvaonline/templates/viet/images/icon_mini_stats.gif "[Statistics]"){kind=icon}
![[Search]](/hvaonline/templates/viet/images/icon_mini_search.gif "[Search]"){kind=icon}
![[Reading Room]](/hvaonline/templates/viet/images/icon_mini_book.gif "[Reading Room]"){kind=icon}
![[Register]](/hvaonline/templates/viet/images/icon_mini_register.gif "[Register]"){kind=icon}
Register![[Login]](/hvaonline/templates/viet/images/icon_mini_login.gif "[Login]"){kind=icon}
Login [
