Ne mogu da koristim MIRC - virus

Kada pokrenem MIRC od Zone Alarm-a dobijem sledecu poruku:

erver CA is trying to act as server
Identification: Not avaliable in Zone Alarm
Application: erver CA
Source IP: 0.0.0.0: Port 59

Ne dozvolim mu da radi kao server. Kad u MIRC-u kliknem na Connect dobijem novi zahtjev od Zona Alarm-a:

erver CA is trying to access the Internet
Identification: Not avaliable in Zone Alarm
Application: erver CA
Source IP: 67.15.49.81: Port 6667

Ako ga ne pustim na Internet on ne dozvoljava MIRC-u da se konektuje na server.
Kada pokrenem AdAware on pronadje gomilu Cookies i jedan MRU object. Sve to obrisem, restartujem komp i onda sam miran do sledeceg restarta, pa opet sve iz pocetka.

Samo da napomenem da erver CA cesto mijenja ime. Cesto se predstavlja kao: agentsvr.exe, mirc.exe a nekad je bez ikakvog imena.

Da li neko zna o cemu se radi i kako da se rijesim ove napasti?

To prvo za sta te Zone Alarm pita je mIRC DCC Server koji radi preko porta 59, znaci nije nikakav virus, vec deo mIRC programa. A port 6667 se inace koristi za irc, preko tog porta se mIRC ali i svi drugi irc klijenti konektuju na net i na kanale. Znaci slobodno kad pokrenes mIRC pusti te komponente da se konektuju na net, inace kao sto si i sam primetio mIRC ne moze da se konektuje na server.

---

Ne sjecam se da sam nesto cackao u MIRC podesavanjima. Ovu verziju MIRC-a koristim duze vrijema a problemi su poceli prije 30-ak dana. I dalje mi je to cudno i sumnjivo.

To je sve po defaultu, kao sto ti je kolega gore rekao, to je sve ok. Osim ako nisi skinuo neku "hacking" skriptu koja rusi servere, uzima kanale, nickove itd, ili je puna nekih war addona pa si sa njom pun gluposti..

Koristim skriptu ali ne neku "hacking". Do sada nisam imao nikakvih problema.
Ono sto mi je neobicno je to da taj erver CA poslije intervencije AdAware-om neko vrijeme ne trazi izlaz na Internet. A posebno mi je neobicno da mijenja ime.
Ne znam da li je to normalno ali meni ne izgleda tako?

Pa cim promenis neki program onda te firewall pita da li da ga pusti, to je normlano. A kako si ubacio skripte,te skripte su promenile program, ali ne mogu ti sigurno reci da li to treba da menja imena posto ne koristim mIRC. Vidim na guglu da agentsvr.exe cesto zna biti koristen od malwarea, tako da je moguce da imas neki malware. Skeniraj comp sa nekim antivirusom, mozes sa besplatnim Avira Antivir ili AVG. Skeniraj racunar i sa hijackthis pa okaci ovde log file.

---

NOD32 nije pronasao nista a evo sta kaze HiJackThis:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:41:43, on 19.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Lazo\LOCALS~1\Temp\Application\mFormat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\winlogon.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Opera\Opera.exe
D:\Razno\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://online.bancaintesabeograd.com/retail/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Quickbar] C:\DOCUME~1\Lazo\LOCALS~1\Temp\Application\mFormat.exe /RunInst 512
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1659004503-287218729-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Stefan')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{55DDFD45-0CD0-4B18-BEB2-4AA608320148}: NameServer = 195.178.32.2,212.200.13.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{55DDFD45-0CD0-4B18-BEB2-4AA608320148}: NameServer = 195.178.32.2,212.200.13.13
O17 - HKLM\System\CS2\Services\Tcpip\..\{55DDFD45-0CD0-4B18-BEB2-4AA608320148}: NameServer = 195.178.32.2,212.200.13.13
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6413 bytes

Log je sasvim u redu. Nema sumnjivih vrednosti...

Da, log je u redu. Da li primecujes ikakve promene sistema, da ti sporije radi ili nesto slicno sto bi moglo uputiti na virus? Ako nisi nista primetio, vec ti je samo bilo sumnjivo ponasanje ZA, onda ti je sistem verovatno cist.

---

Nista neobicno se ne desava osim sto ne mogu MIRC da koristim normalno.
Evo vec dva dana i MIRC koristim bez problema, ali vec sutra ce erver CA ( a mozda ce biti i pod nekim drugim imenom ) traziti izlaz na Internet i ako ga ne pustim on nece pustiti MIRC.

Pa to su delovi mIRC-a i normalno da ako ih ne pustis, mIRC nece moci izaci na net.

---