gumik
(gumik)
24 May 2007 22:37
#1
I've just been struggling to remove a few trojans from my other half's computer. She caught them through careless use of IE.
I can see that I managed to remove some of them. Unfortunately I can't use SmitfraudFix, as the computer won't start in Safe Mode (it doesn't accept the logon, because it logs on to a domain).
Please take a look and see whether anything is still left in it.
Gutek
(Gutek)
24 May 2007 22:41
#2
Post a ComboFix log and then we'll remove the junk.
gumik
(gumik)
24 May 2007 23:12
#3
ComboFix is running rather slowly for me.
The only thing happening so far is that a G icon appears in the tray with a message saying that the search settings have been changed.
Posts merged: 25.05.2007 (Fri) 0:36
I've got something like this:
Gutek
(Gutek)
25 May 2007 15:45
#4
Finish off with online scanners - Scanners to choose from