Falibor
(Jhony)
24 June 2007 11:26
#1
Logfile of HijackThis v1.99.0
Scan saved at 12:59:47, on 2007-06-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ULiRaid\ULiRaid.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org 2.0.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0.3\program\soffice.BIN
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\przydatne\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ULiRaid] C:\Program Files\ULiRaid\ULiRaid.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyCrush 3.3] "C:\Program Files\SC\SpyCrush 3.3\SpyCrush 3.3.exe" /h
O4 - HKLM\..\Run: [pas_check] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\TOMA\Dane aplikacji\Mozilla\Firefox\Profiles\qpbpam1h.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\TOMA\Dane aplikacji\Mozilla\Firefox\Profiles/qpbpam1h.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.3.lnk = C:\Program Files\OpenOffice.org 2.0.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B593964A-D118-4604-AF48-50519744D449}: NameServer = 83.238.255.76 213.241.79.37
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
Merged post: 24.06.2007 (Sun) 13:30
((((((((((((((((((((((((( Files Created from 2007-05-24 to 2007-06-24 )))))))))))))))))))))))))))))))
2007-06-24 13:07 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-24 13:07
2007-06-24 13:07
2007-06-24 13:07
2007-06-24 13:07
2007-06-24 13:07
2007-06-24 13:07
2007-06-24 13:07
2007-06-24 12:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 11:26 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-24 11:26 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-24 11:26 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-24 11:26 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-24 11:26 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-24 11:26 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-24 11:26 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-24 11:26
2007-06-23 19:08
2007-06-22 20:17
2007-06-22 16:47
2007-06-22 11:24 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-22 10:24
2007-06-22 09:25 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-22 09:25 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-22 09:25 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-22 09:25 1,360 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-22 09:05
2007-06-22 08:58
2007-06-22 08:35
2007-06-21 17:46
2007-06-21 17:46
2007-06-19 08:06
2007-06-18 16:05
2007-06-16 20:28
2007-06-16 20:28
2007-06-16 20:28
2007-06-15 14:26
2007-06-15 14:25 90,112 --a------ C:\WINDOWS\system32\NCTAudioFormatSettings3.dll
2007-06-15 14:25 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll
2007-06-15 14:25 780,288 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll
2007-06-15 14:25 778,240 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll
2007-06-15 14:25 764,416 --a------ C:\WINDOWS\system32\NCTRMFile.dll
2007-06-15 14:25 626,688 --a------ C:\WINDOWS\system32\NCTImageFile.dll
2007-06-15 14:25 495,104 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2007-06-15 14:25 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-06-15 14:25 382,464 --a------ C:\WINDOWS\system32\NCTAVIFile.dll
2007-06-15 14:25 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-06-15 14:25 312,320 --a------ C:\WINDOWS\system32\NCTVideoView.dll
2007-06-15 14:25 249,856 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll
2007-06-15 14:25 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-06-15 14:25 215,552 --a------ C:\WINDOWS\system32\NCTWMVFile.dll
2007-06-15 14:25 2,846,720 --a------ C:\WINDOWS\system32\NCTAudioCompress3.dll
2007-06-15 14:25 188,416 --a------ C:\WINDOWS\system32\NCTVideoFile.dll
2007-06-15 14:25 147,456 --a------ C:\WINDOWS\system32\viscomqtenc.dll
2007-06-15 14:25 139,264 --a------ C:\WINDOWS\system32\viscomqtde.dll
2007-06-15 14:25
2007-06-15 14:25
2007-06-15 14:11 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll
2007-06-15 14:04 23 --ahs---- C:\WINDOWS\system32\defedbbb2_r.dll
2007-06-14 22:47
2007-06-14 22:47
2007-06-14 22:46
2007-06-13 16:51

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-24 11:15:14 -------- d-----w C:\DOCUME~1\TOMA\DANEAP~1\Skype
2007-06-24 11:13:16 -------- d-----w C:\DOCUME~1\TOMA\DANEAP~1\OpenOffice.org2
2007-06-24 09:20:24 -------- d-----w C:\DOCUME~1\TOMA\DANEAP~1\n-Track Studio5
2007-06-23 17:08:24 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-23 10:41:41 -------- d-----w C:\Program Files\Gadu-Gadu
2007-06-22 14:02:26 1,447 ----a-w C:\WINDOWS\mozver.dat
2007-06-22 08:54:35 -------- d-----w C:\Program Files\Image-Line
2007-06-22 08:49:16 -------- d-----w C:\Program Files\eMule
2007-06-15 12:21:53 -------- d-----w C:\Program Files\MOV to AVI MPEG WMV Converter
2007-06-13 17:04:48 -------- d-----w C:\Program Files\Silkroad
2007-05-19 07:09:37 -------- d-----w C:\Program Files\Winamp
2007-05-16 16:04:05 -------- d-----w C:\Program Files\Onet
2007-05-09 11:20:09 -------- d-----w C:\Program Files\Acoustica Shared Effects
2007-05-09 11:20:07 -------- d-----w C:\Program Files\Acoustica Beatcraft
2007-05-03 07:06:58 -------- d-----w C:\Program Files\MarBit
2007-05-02 21:28:45 -------- d-----w C:\Program Files\PhotoBrush
2007-05-01 13:31:27 35,135 ----a-w C:\WINDOWS\system32\unins000.dat
2007-05-01 13:30:41 673,782 ----a-w C:\WINDOWS\system32\unins000.exe
2007-04-29 14:15:58 -------- d-----w C:\Program Files\MSN Apps
2007-04-28 20:36:53 -------- d-----w C:\Program Files\Skype
2007-04-28 20:36:53 -------- d-----w C:\Program Files\Common Files\Skype
2007-04-28 13:28:08 53,248 ----a-w C:\WINDOWS\system32\hklspl.dll
2007-04-28 13:28:08 319,488 ----a-w C:\WINDOWS\Pimbolis Dachboden.scr
2007-04-27 15:03:14 -------- d-----w C:\Program Files\San Andreas Mod Installer
2007-04-25 16:57:03 -------- d-----w C:\Program Files\Movie Converter V2
2007-04-24 13:41:02 -------- d-----w C:\Program Files\CDex_150
2007-04-24 12:59:03 74,450 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-04-24 12:59:03 448,348 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-04-20 12:57:24 0 ----a-w C:\WINDOWS\nsreg.dat
2007-04-03 16:59:59 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-04-03 16:59:59 221,184 ----a-w C:\WINDOWS\system32\UAService7.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 17:42]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll [2006-01-17 16:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 17:01 C:\WINDOWS\soundman.exe]
"ULiRaid"="C:\Program Files\ULiRaid\ULiRaid.exe" [2006-05-12 13:57]
"nwiz"="nwiz.exe" [2006-06-01 17:22 C:\WINDOWS\system32\nwiz.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-08-06 09:45]
"Error Nuker"="C:\Program Files\Error Nuker\bin\ErrorNuker.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SpyCrush 3.3"="C:\Program Files\SC\SpyCrush 3.3\SpyCrush 3.3.exe" [2007-06-19 13:55]
"pas_check"="C:\Program Files\SystemDoctor 2006 Free\pasmon.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\TOMA\Dane aplikacji\Mozilla\Firefox\Profiles\qpbpam1h.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\TOMA\Dane aplikacji\Mozilla\Firefox\Profiles/qpbpam1h.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}"="C:\WINDOWS\system32\igpfced.dll" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b15b93e-f263-11db-9b44-00138fb3693c}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21a66622-b2bf-11db-9b8f-b9ca65be7af4}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a76e1c55-d31e-11db-9bf3-801257f71cf5}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c93b2d58-0201-11dc-9b6a-000e50b78ddc}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 13:28:39
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-24 13:29:11
C:\ComboFix-quarantined-files.txt ... 2007-06-24 13:29
C:\ComboFix2.txt ... 2007-06-24 12:32
--- E O F ---

Merged post: 24.06.2007 (Sun) 13:31
arekmalek
(arekmalek)
24 June 2007 11:34
#2
Falibor
(Jhony)
24 June 2007 11:38
#3
Thanks, I'll take a look in a moment.
Merged post: 24.06.2007 (Sun) 13:39
Yeah... that's it, I was just wondering what that was, because on my machine it displayed in such a way that you couldn't even see what it said, and I was wondering what it might be...
JNJN
(JNJN)
24 June 2007 12:44
#4
Please change the topic title to a specific one and use Polish characters; use the "change and correct" option. JNJN
Gutek
(Gutek)
24 June 2007 13:24
#5
Use SmitFraudFix and choose option no. 2, in safe mode of course, and after that a new log from ComboFix.