groh1
(Groh V)
12 Grudzień 2007 17:15
#1
Logfile of HijackThis v1.99.1
Scan saved at 17:44, on 2007-12-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Option\GlobeTrotter Mobility Manager\GlobeTrotter Mobility Manager.exe
C:\Program Files\Option\GlobeTrotter Mobility Manager\VirtualWirelessDevice.exe
C:\Documents and Settings\kix\Pulpit\HijackThis 1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wp.pl/
O1 - Hosts: 82.146.60.44 postbank.de
O1 - Hosts: 82.146.60.44 www.postbank.de
O1 - Hosts: 82.146.60.44 banking.postbank.de
O1 - Hosts: 82.146.60.44 direkt.postbank.de
O1 - Hosts: 82.146.60.44 www.smile.co.uk
O1 - Hosts: 82.146.60.44 smile.co.uk
O1 - Hosts: 82.146.60.44 cahoot.com
O1 - Hosts: 82.146.60.44 www.cahoot.com
O1 - Hosts: 82.146.60.44 www.cahoot.co.uk
O1 - Hosts: 82.146.60.44 cahoot.co.uk
O1 - Hosts: 82.146.60.44 www.co-operativebank.co.uk
O1 - Hosts: 82.146.60.44 co-operativebank.co.uk
O1 - Hosts: 82.146.60.44 www.co-operativebank.com
O1 - Hosts: 82.146.60.44 co-operativebank.com
O1 - Hosts: 82.146.60.44 personal.barclays.co.uk
O1 - Hosts: 82.146.60.44 barclays.co.uk
O1 - Hosts: 82.146.60.44 ibank.barclays.co.uk
O1 - Hosts: 82.146.60.44 www.barclays.co.uk
O1 - Hosts: 82.146.60.44 barclays.touchclarity.com
O1 - Hosts: 82.146.60.44 hsbc.co.uk
O1 - Hosts: 82.146.60.44 www.hsbc.co.uk
O1 - Hosts: 82.146.60.44 hsbc.touchclarity.com
O1 - Hosts: 82.146.60.44 www1.member-hsbc-group.com
O1 - Hosts: 82.146.60.44 lloydstsb.co.uk
O1 - Hosts: 82.146.60.44 www.lloydstsb.co.uk
O1 - Hosts: 82.146.60.44 lloydstsb.com
O1 - Hosts: 82.146.60.44 www.lloydstsb.com
O1 - Hosts: 82.146.60.44 mi.lloydstsb.com
O1 - Hosts: 82.146.60.44 www.woolwich.co.uk
O1 - Hosts: 82.146.60.44 woolwich.co.uk
O1 - Hosts: 82.146.60.44 www.deutsche-bank.de
O1 - Hosts: 82.146.60.44 deutsche-bank.de
O1 - Hosts: 82.146.60.44 meine.deutsche-bank.de
O1 - Hosts: 82.146.60.44 www.anbusiness.com
O1 - Hosts: 82.146.60.44 anbusiness.com
O1 - Hosts: 82.146.60.44 www.abbeyinternational.com
O1 - Hosts: 82.146.60.44 www.barclays.com
O1 - Hosts: 82.146.60.44 barclays.com
O1 - Hosts: 82.146.60.44 ibank.internationalbanking.barclays.com
O1 - Hosts: 82.146.60.44 offshore.hsbc.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
boczi
(boczi)
12 Grudzień 2007 17:33
#2
Proszę poprawić temat na konkretny, obrazujący problem, używając opcji Edytuj
Gutek
(Gutek)
12 Grudzień 2007 23:28
#3
sam to wszystko ustawiałeś?
groh1
(Groh V)
13 Grudzień 2007 22:23
#4
Laptop nie jest mój. Kumpela pożyczyła go koleżankom w akademiku. Poistalowały jej Kaaze i inne syfy.
Wyczyściłem go z “grubsza”(trojany, wirusy). Pozostały mi właśnie te wpisy i nadal nie mogę uruchomić go w trybie awaryjnym.
groh1
(Groh V)
13 Grudzień 2007 22:46
#6
Czego dotycz ą te wpisy w logu HijackThis?
Jeszcze ten z Combo.
ComboFix 07-08-14.4 2007-12-13 23:27:57.4 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.149 [GMT 1:00] ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\MSNAPI32.DLL ((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 ))))))))))))))))))))))))))))))) 2007-12-12 17:36 2007-12-12 17:36 2007-12-12 17:36 2007-12-12 16:59 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-12-12 16:59 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-12-12 16:59 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-12-12 16:59 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-12-12 16:59 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys 2007-12-12 16:59 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-12-12 16:59 2007-12-12 16:59 2007-12-11 18:29 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr 2007-12-11 18:29 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-12-11 18:29 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-12-11 18:29 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-12-11 18:29 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-12-11 18:29 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-12-11 18:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-12-11 18:29 2007-12-03 21:07 2007-12-03 21:04 2007-11-27 15:49 2007-11-25 08:47 71,612 --a------ C:\WINDOWS\system32\luaPUMlw.exe 2007-11-25 08:47 228,603 --a------ C:\WINDOWS\system32\vCjIAlVO.exe 2007-11-25 08:47 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys 2007-11-25 08:47 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys 2007-11-25 08:46 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys 2007-11-25 08:46 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys 2007-11-24 19:37 69,632 --a------ C:\WINDOWS\system32\gate.exe 2007-11-20 12:17 221,611 --a------ C:\WINDOWS\system32\gPAfogIX.exe (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-12-12 19:28 --------- d-------- C:\Program Files\eMule 2007-12-12 17:41 --------- d-------- C:\Program Files\Winamp ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SoundMAXPnP”=“C:\Program Files\Analog Devices\Core\smax4pnp.exe” [2005-05-20 09:11] “SoundMAX”=“C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” [2005-05-06 13:06] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [2005-11-10 12:03] “SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2006-03-03 17:46] “WatchDog”=“C:\Program Files\InterVideo\DVD Check\DVDCheck.exe” [2005-11-08 11:59] “HP Software Update”=“C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe” [2005-02-16 22:11] “Cpqset”=“C:\Program Files\HPQ\Default Settings\cpqset.exe” [2006-01-26 13:35] “PTHOSTTR”=“C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe” [2006-02-14 10:56] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2007-05-14 23:22] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 14:00] “SDTray”=“C:\Program Files\Spyware Doctor\SDTrayApp.exe” [2007-12-12 18:59] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2007-03-12 19:05:48] SafeBoot registry key needs repairs. This machine cannot enter Safe Mode. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system] @=“Driver Group” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs] @=“Service” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys] @=“Driver” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E967-E325-11CE-BFC1-08002BE10318}] @=“DiskDrive” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96A-E325-11CE-BFC1-08002BE10318}] @=“Hdc” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96B-E325-11CE-BFC1-08002BE10318}] @=“Keyboard” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96F-E325-11CE-BFC1-08002BE10318}] @=“Mouse” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E97D-E325-11CE-BFC1-08002BE10318}] @=“System” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{71A27CDD-812A-11D0-BEC7-08002BE2092F}] @=“Volume” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD] “C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe” R0 a347bus;a347bus;C:\WINDOWS\system32\DRIVERS\a347bus.sys R0 a347scsi;a347scsi;C:\WINDOWS\system32\Drivers\a347scsi.sys R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys R3 GTEDGWModem;Option NV GTEDGWModem;C:\WINDOWS\system32\DRIVERS\GTEDG.sys R3 GTEDGWWNIC;Option NV GTEDGWWNIC;C:\WINDOWS\system32\DRIVERS\GTEDGNet.sys R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys R3 OptionWWSC;GT EDGE SIM Card Reader;C:\WINDOWS\system32\DRIVERS\GTEDGSC.sys S3 ATSWPDRV;AuthenTec TruePrint USB Driver (AES2500);C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys S3 FTDIBUS;USB Serial Converter Driver;C:\WINDOWS\system32\drivers\ftdibus.sys S3 FTSER2K;USB Serial Port Driver;C:\WINDOWS\system32\drivers\ftser2k.sys S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{b608ad78-9ad9-11dc-8b9c-a6a7847bfa0f}] AutoRun\command- G:\ open\Command- G:.\autorun.exe explore [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{cc6c1ec0-8c37-11dc-8b86-f452f75cf15f}] AutoRun\command- G:\ open\Command- .\autorun.exe explore [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e2d87232-f8e7-11db-8a41-001a73010f2f}] AutoRun\command- G:\ open\Command- G:.\autorun.exe explore Contents of the ‘Scheduled Tasks’ folder 2007-11-26 19:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-13 23:30:52 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???0T??7?3?6?2??? ??4B???hB? ???0T? scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-12-13 23:31:53 - machine was rebooted C:\ComboFix-quarantined-files.txt … 2007-12-13 23:31 — E O F —
asterisk
(Asterisk)
13 Grudzień 2007 23:42
#7
groh1 - byłeś proszony o zmianę tematu.
Więcej próśb nie będzie
Gutek
(Gutek)
14 Grudzień 2007 22:18
#8
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
przeskanuj pliki na http://virusscan.jotti.org/
Pobierz program SDFix
groh1
(Groh V)
15 Grudzień 2007 16:32
#9
Tryb awaryjny naprawiony.
Co z plikami luaPUMlw.exe i vCjIAlVO.exe. Usunąć?
Skąd te wpisy pod 01(zostały usunięte).
Log z SDFix’a.