# Logfile of HijackThis v1.99.1
# Scan saved at 18:56:48, on 2008-02-12
# Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
# MSIE: Internet Explorer v7.00 (7.00.6000.16574)
#
# Running processes:
# C:\WINDOWS\System32\smss.exe
# C:\WINDOWS\SYSTEM32\winlogon.exe
# C:\WINDOWS\system32\services.exe
# C:\WINDOWS\system32\lsass.exe
# C:\WINDOWS\system32\svchost.exe
# C:\WINDOWS\System32\svchost.exe
# C:\WINDOWS\system32\svchost.exe
# C:\WINDOWS\system32\spoolsv.exe
# C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
# C:\WINDOWS\system32\nvsvc32.exe
# D:\ochrona\PC Tools\PC Tools AntiVirus\PCTAVSvc.exe
# C:\WINDOWS\Explorer.EXE
# C:\WINDOWS\system32\PnkBstrA.exe
# C:\WINDOWS\system32\svchost.exe
# C:\WINDOWS\SOUNDMAN.EXE
# C:\Program Files\Common Files\Real\Update_OB\realsched.exe
# C:\WINDOWS\vsnpstd2.exe
# C:\WINDOWS\system32\rundll32.exe
# C:\WINDOWS\system32\BtUsrBdg.exe
# C:\WINDOWS\system32\BTSetBootKey.exe
# C:\WINDOWS\mrofinu1188.exe
# C:\WINDOWS\System32\Rundll32.exe
# C:\WINDOWS\system32\ctfmon.exe
# C:\Program Files\Drmupgds\Drmupgds.exe
# C:\Program Files\Internet Explorer\IEXPLORE.EXE
# D:\Programy\keyboard\MagicKey.exe
# C:\WINDOWS\system32\wscntfy.exe
# D:\Programy\keyboard\OSD.EXE
# C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
# C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
# C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
# C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
# C:\WINDOWS\system32\WgaTray.exe
# C:\Program Files\Mozilla Firefox\firefox.exe
# D:\Programy\hijck this\HijackThis.exe
#
# R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/
# R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
# R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
# R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
# R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
# R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
# R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
# O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Programy\bitcomet\tools\BitCometBHO.dll
# O2 - BHO: (no name) - {6FB04CBD-26B4-4043-8775-26134567F6C9} - C:\WINDOWS\system32\jkklm.dll
# O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
# O2 - BHO: rightonads optimizer - {7D9362F8-77D8-4b29-97B5-621D550890C0} - C:\WINDOWS\system32\gzmrt.dll
# O2 - BHO: {29712736-d230-d90a-ab34-4dc5b1a5a478} - {874a5a1b-5cd4-43ba-a09d-032d63721792} - C:\WINDOWS\system32\ecgdpkqc.dll (file missing)
# O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\yayayyw.dll (file missing)
# O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\SYSTEM32\xphzzubz.dll (file missing)
# O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
# O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
# O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
# O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
# O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
# O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
# O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
# O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
# O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
# O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Programy\nokia 6300\Nokia PC Suite 6\LaunchApplication.exe -startup
# O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
# O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
# O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
# O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
# O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
# O4 - HKLM\..\Run: [5847c88d] rundll32.exe "C:\WINDOWS\system32\uyfskjfu.dll",b
# O4 - HKLM\..\Run: [PCTAVApp] "D:\ochrona\PC Tools\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
# O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart
# O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
# O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
# O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
# O4 - Global Startup: Media Key.lnk = D:\Programy\keyboard\MagicKey.exe
# O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
# O4 - Global Startup: Startup.exe
# O8 - Extra context menu item: Add to AMV Convert Tool... - D:\MP 4\AMVConverter\grab.html
# O8 - Extra context menu item: Add to AMV Converter... - D:\MP 4\AMVConverter\grab.html
# O8 - Extra context menu item: Download all links using BitComet - res://D:\Programy\bitcomet\BitComet.exe/AddAllLink.htm
# O8 - Extra context menu item: Download all videos using BitComet - res://D:\Programy\bitcomet\BitComet.exe/AddVideo.htm
# O8 - Extra context menu item: Download link using &BitComet - res://D:\Programy\bitcomet\BitComet.exe/AddLink.htm
# O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
# O8 - Extra context menu item: MediaManager tool grab multimedia file - D:\MP 4\MediaManager\grab.html
# O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
# O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
# O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
# O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
# O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
# O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
# O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
# O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
# O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
# O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
# O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
# O11 - Options group: [INTERNATIONAL] International*
# O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
# O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
# O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
# O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
# O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
# O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_34.cab
# O17 - HKLM\System\CCS\Services\Tcpip\..\{B95BDDEA-8FAF-4692-899E-1B9BFF60D069}: NameServer = 213.158.194.1 213.158.193.38
# O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
# O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
# O20 - Winlogon Notify: xphzzubz - xphzzubz.dll (file missing)
# O20 - Winlogon Notify: yayayyw - yayayyw.dll (file missing)
# O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
# O23 - Service: DirectX Service (DirectJicw) - Unknown owner - c:\windows\system32\directx.exe (file missing)
# O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
# O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
# O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
# O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - D:\ochrona\PC Tools\PC Tools AntiVirus\PCTAVSvc.exe
# O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
# O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
Proszę zastosować się do tego Tematu i edytować własnego posta
w celu zmiany jego tytułu na konkretny oraz opisania problemu.
W przeciwnym razie topic wyląduje w Śmietniku.
Proszę o dostosowanie się do tematu
Sorki, że namieszałem. Gdzie nie wejdę, tam zaraz dostaję burę — niestety jestem laikiem.
Prosiłem o sprawdzenie mojego loga z powodu dość widocznego spowolnienia komputera, a do tego po włączeniu przeglądarki (IE czy Mozilla) po minucie same ładują mi się jakieś niepożądane okienka.
Z góry dziękuję za pomoc.
SDFix: Version 1.142
Run by adam on 2008-02-14 at 17:06
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
DirectJicw
Path:
c:\windows\system32\directx.exe
DirectJicw - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting…
Normal Mode:
Checking Files:
Trojan Files Found:
C:\Documents and Settings\adam\Ustawienia lokalne\Temp\tmp56.tmp.exe - Deleted
C:\Documents and Settings\adam\Ustawienia lokalne\Temp\tmp5A.tmp.exe - Deleted
C:\Program Files\drmupgds\Drmupgds.exe - Deleted
C:\Program Files\Router\■■■■ jpg - Deleted
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe - Deleted
C:\WINDOWS\b128.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\b151.exe - Deleted
C:\WINDOWS\mrofinu1188.exe - Deleted
Folder C:\Program Files\drmupgds - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Router - Removed
Folder C:\Program Files\Temporary - Removed
Removing Temp Files…
ADS Check:
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 17:26:41
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes …
scanning hidden services …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
“%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
“D:\Programy\bitcomet\BitComet.exe”=“D:\Programy\bitcomet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client”
“D:\Programy\emule\eMule\eMule.exe”=“D:\Programy\emule\eMule\eMule.exe:*:Enabled:eMule Plus”
“D:\Programy\GG\Gadu-Gadu\gg.exe”=“D:\Programy\GG\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program glowny”
“C:\Program Files\Messenger\MSMSGS.EXE”=“C:\Program Files\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger”
“C:\WINDOWS\Installer\IEXPLORE.EXE”=“C:\WINDOWS\Installer\IEXPLORE.EXE:*:Enabled:Internet Explorer”
“C:\WINDOWS\System32\MSconfig.exe”=“C:\WINDOWS\System32\MSconfig.exe:*:Disabled:MSconfig”
“C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe”=“C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe:*:Disabled:Nero ShowTime”
“D:\Programy\Skype\Phone\Skype.exe”=“D:\Programy\Skype\Phone\Skype.exe:*:Enabled:Skype”
“D:\Programy\ferguson\Nowa lisra\Work World Premiere Key ok 26.07.07\Editor.Keys digital 6.02.exe”=“D:\Programy\ferguson\Nowa lisra\Work World Premiere Key ok 26.07.07\Editor.Keys digital 6.02.exe:*:Enabled:wininit”
“%windir%\Network Diagnostic\xpnetdiag.exe”="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
“C:\Program Files\Skype\Phone\Skype.exe”=“C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype”
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
“%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
“C:\WINDOWS\Installer\IEXPLORE.EXE”=“C:\WINDOWS\Installer\IEXPLORE.EXE:*:Enabled:Internet Explorer”
“%windir%\Network Diagnostic\xpnetdiag.exe”="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Tue 22 Aug 2006 220 …SH. — “C:\WINDOWS\dwin.sys”
Sun 3 Feb 2008 210 …SH. — “C:\WINDOWS\system32\xphzzubz.dllbox”
Sat 6 Oct 2007 0 A…H. — “C:\WINDOWS\SoftwareDistribution\Download\216837dddbb5e0f13d9d75f5b622ba9f\BIT22.tmp”
Sat 19 May 2007 0 A.SH. — “C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp”
Finished!
To wygląda na infekcję Vundo: w logu HijackThis widać losowo nazwane biblioteki w system32 zarejestrowane jako BHO (O2) i Winlogon Notify (O20) — jkklm.dll, gzmrt.dll, uyfskjfu.dll, yayayyw.dll, xphzzubz.dll — oraz podszywający się pod proces systemowy svchost.exe uruchamiany z C:\WINDOWS\Fonts (wpis O4 "Host Process"). SDFix usunął tylko część plików (mrofinu1188.exe, Drmupgds, Router, Yazzle), ale tych bibliotek nie ruszył, więc daj log z ComboFix.
Log wklej na http://wklej.org/, a w poście daj tylko link (czyli skopiuj adres z paska adresu).
jessi