Prosze o Sprawdzenie Loga z Hijackthis

grguzo · 11 Lipiec 2009 17:41

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:18:54, on 2009-07-11

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Ad Muncher\AdMunch.exe

C:\Program Files\Eset\nod32krn.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\RALINK\Common\RaUI.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\totalcmd\TOTALCMD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer.dll

O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll

O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll

O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE

O4 - HKLM…\Run: [Ad Muncher] “C:\Program Files\Ad Muncher\AdMunch.exe” /bt

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O4 - Startup: rncsys32.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

O8 - Extra context menu item: block frame with ad muncher - http://www.admuncher.com/request_will_b … u_ie_frame

O8 - Extra context menu item: block image with ad muncher - http://www.admuncher.com/request_will_b … u_ie_image

O8 - Extra context menu item: block link with ad muncher - http://www.admuncher.com/request_will_b … nu_ie_link

O8 - Extra context menu item: don’t filter page with ad muncher - http://www.admuncher.com/request_will_b … ie_exclude

O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\BearShare MP3\RazaWebHook.dll/3000

O8 - Extra context menu item: report page to the ad muncher developers - http://www.admuncher.com/request_will_b … _ie_report

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ … leId=19588

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll

O23 - Service: Usługa inteligentnego transferu w tle (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Google Update Service (gupdate1c98c4cf784ba66) (gupdate1c98c4cf784ba66) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

–

End of file - 6056 bytes

anon53382939 · 11 Lipiec 2009 17:51

Sfiksuj w HijackThis

Pobierz Combofix http://forum.dobreprogramy.pl/hijackthis-rsit-otl-dds-inne-instrukcja-t36654.html ale nie uruchamiaj!

Podczas pobierania i skanowania Combofix’em wyłącz antywirusy i zapory!

Wklej do notatnika:

Zapisz plik jako CFScript.txt najlepiej aby ikonka tego pliku znajdowała się obok ikonki ComboFix.exe

Przeciągnij i upuść plik CFScript.txt na ikonkę ComboFix.exe powinno rozpocząć się usuwanie po tym daj log na forum.

grguzo · 11 Lipiec 2009 20:00

Witam!

Dzięki bardzo oto log po ComboFixie

ComboFix 09-07-09.08 - NIKOLA 2009-07-11 21:23.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.511.225 [GMT 2:00]

Uruchomiony z: c:\program files\pdfforge Toolbar\ComboFix.exe

AV: System antywirusowy NOD32 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

* Rezydentny antywirus jest aktywny

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\NIKOLA\Dane aplikacji\inst.exe

c:\documents and settings\NIKOLA\Dane aplikacji\wiaserva.log

c:\program files\pdfforge Toolbar\SearchSettings.dll

c:\windows\Installer\165f4b.msi

c:\windows\Installer\e261eb.msi

c:\windows\Installer\WMEncoder.msi

c:\windows\system32\drivers\dfc3165b.sys

.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_dfc3165b

((((((((((((((((((((((((( Pliki utworzone od 2009-06-11 do 2009-07-11 )))))))))))))))))))))))))))))))

.

2009-07-11 18:42 . 2004-08-03 21:08 26624 -c–a-w- c:\windows\system32\dllcache\usbehci.sys

2009-07-11 18:42 . 2004-08-03 21:08 26624 ----a-w- c:\windows\system32\drivers\usbehci.sys

2009-07-11 18:42 . 2004-08-03 22:44 7168 -c–a-w- c:\windows\system32\dllcache\hccoin.dll

2009-07-11 18:42 . 2004-08-03 22:44 7168 ----a-w- c:\windows\system32\hccoin.dll

2009-07-11 18:33 . 2009-07-11 18:33 -------- d-----w- c:\documents and settings\NIKOLA\Dane aplikacji\Apple Computer

2009-07-11 17:18 . 2009-07-11 17:18 -------- d-----w- c:\program files\Trend Micro

2009-07-11 17:01 . 2009-07-11 17:01 -------- d-----w- c:\documents and settings\NIKOLA\Dane aplikacji\skypePM

2009-07-11 15:48 . 2009-07-11 15:48 -------- d-----w- c:\documents and settings\NIKOLA\Ustawienia lokalne\Dane aplikacji\GHISLER

2009-07-11 14:31 . 2009-07-11 14:31 -------- d-----w- c:\windows\system32\windows media

2009-07-11 14:30 . 2009-07-11 14:31 -------- d–h--w- c:\windows\msdownld.tmp

2009-07-11 13:30 . 2009-07-11 15:55 -------- d—a-w- c:\documents and settings\All Users\Dane aplikacji\TEMP

2009-06-29 07:20 . 2009-06-29 07:20 -------- d-----w- c:\windows\system32\wbem\Repository

2009-06-25 16:24 . 2009-06-25 16:24 0 ----a-w- c:\windows\nsreg.dat

2009-06-20 15:57 . 2009-06-20 15:57 -------- dc----w- c:\windows\system32\DRVSTORE

2009-06-20 15:57 . 2009-06-20 15:57 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-06-20 15:57 . 2006-09-07 10:34 347776 ----a-w- c:\windows\system32\drivers\rt73.sys

2009-06-20 15:57 . 2006-06-20 20:53 319488 ----a-w- c:\windows\system32\AegisI5.exe

2009-06-20 15:57 . 2006-06-17 10:29 295018 ----a-w- c:\windows\system32\Install7x.dll

2009-06-20 15:57 . 2005-11-30 09:33 2048 ----a-w- c:\windows\system32\drivers\rt73.bin

2009-06-20 15:56 . 2009-06-20 15:56 -------- d-----w- c:\program files\RALINK

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-11 19:30 . 2009-03-12 17:44 -------- d-----w- c:\program files\pdfforge Toolbar

2009-07-11 18:44 . 2001-10-26 15:15 74230 ----a-w- c:\windows\system32\perfc015.dat

2009-07-11 18:44 . 2001-10-26 15:15 448004 ----a-w- c:\windows\system32\perfh015.dat

2009-07-11 17:02 . 2008-10-29 08:14 -------- d-----w- c:\documents and settings\NIKOLA\Dane aplikacji\Skype

2009-07-11 17:00 . 2008-04-02 21:10 70400 ----a-w- c:\documents and settings\NIKOLA\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2009-07-11 17:00 . 2008-04-02 21:10 8354 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-07-11 16:53 . 2009-04-28 09:32 -------- d-----w- c:\documents and settings\NIKOLA\Dane aplikacji\Ulead Systems

2009-07-11 16:53 . 2008-04-03 05:07 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Ulead Systems

2009-07-11 16:53 . 2008-04-03 05:08 -------- d-----w- c:\program files\Common Files\Ulead Systems

2009-07-11 16:09 . 2008-04-02 19:29 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-07-11 14:20 . 2008-04-03 04:57 -------- d–h--w- c:\program files\InstallShield Installation Information

2009-07-11 08:02 . 2009-03-27 08:09 -------- d-----w- c:\program files\Spyware Doctor

2009-07-10 18:53 . 2008-04-02 19:46 -------- d-----w- c:\program files\ESET

2009-07-02 16:22 . 2009-03-27 08:10 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-07-01 18:02 . 2008-05-20 15:34 -------- d-----w- c:\program files\Ad Muncher

2009-05-20 14:24 . 2008-05-03 09:51 -------- d-----w- c:\program files\Google

2009-05-16 14:43 . 2008-04-21 10:59 -------- d-----w- c:\documents and settings\NIKOLA\Dane aplikacji\Vso

2009-05-13 08:22 . 2009-04-30 13:42 -------- d-----w- c:\program files\BearShare

2008-04-02 21:10 . 2008-04-02 21:10 88 --sh–r- c:\windows\system32\AA6996DE32.sys

2008-10-24 14:36 . 2008-10-19 20:20 88 --sh–r- c:\windows\system32\DF7DD9A129.sys

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“nod32kui”=“c:\program files\Eset\nod32kui.exe” [2008-04-02 949376]

“Ad Muncher”=“c:\program files\Ad Muncher\AdMunch.exe” [2007-11-03 779776]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2004-08-03 15360]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-6-20 663552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

“SynchronousUserGroupPolicy”= 0 (0x0)

“SynchronousMachineGroupPolicy”= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“c:\Program Files\Gadu-Gadu\gg.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hpqste08.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hposfx08.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hposid01.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe”=

“c:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe”=

“c:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hpoews01.exe”=

“c:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe”=

“c:\Program Files\Skype\Phone\Skype.exe”=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-27 130936]

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-02 15424]

R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2008-04-03 75925]

R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2008-04-03 36423]

R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2008-04-03 10005]

S2 gupdate1c98c4cf784ba66;Google Update Service (gupdate1c98c4cf784ba66);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 133104]

S3 PAC7311;VGA SoC PC-Camer@;c:\windows\system32\drivers\PA707UCM.SYS [2005-09-16 150272]

S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2008-09-29 81832]

S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2008-09-29 13864]

S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2008-09-29 107304]

S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [2008-09-29 99112]

S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [2008-09-29 21928]

S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [2008-09-29 97320]

S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2008-09-29 97704]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-27 348752]

S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [2008-04-03 9446]

.

Zawartość folderu ‘Zaplanowane zadania’

2009-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job

c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 13:30]

2009-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 13:30]

.

- - - USUNIĘTO PUSTE WPISY - - - -

Notify-dimsntfy - (no file)

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.onet.pl/

uInternet Connection Wizard,ShellNext = iexplore

IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_b … u_ie_frame

IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_b … u_ie_image

IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_b … nu_ie_link

IE: Don’t filter page with Ad Muncher - http://www.admuncher.com/request_will_b … ie_exclude

IE: Download with &Shareaza - c:\program files\BearShare MP3\RazaWebHook.dll/3000

IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_b … _ie_report

LSP: c:\windows\system32\imon.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-11 21:34

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

skanowanie ukrytych plików …

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - > ‘lsass.exe’(580)

c:\windows\system32\imon.dll

c:\program files\Eset\pr_imon.dll

- - - - > ‘explorer.exe’(3248)

c:\program files\Ad Muncher\AM28140.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe

c:\program files\ESET\nod32krn.exe

c:\windows\system32\PSIService.exe

c:\windows\system32\PAStiSvc.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\windows\system32\wscntfy.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

.

**************************************************************************

.

Czas ukończenia: 2009-07-11 21:38 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2009-07-11 19:38

Przed: 11 353 997 312 bajtów wolnych

Po: 11 216 384 000 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Professional” /noexecute=optin /fastdetect

186