Zamulony internet+log z hijack

D.E.J.M · 3 Wrzesień 2008 22:27

Internet z telefoni komurkowej,modem huawei e220.Net smigal b.dobrze ale od 4 dni padaczka straszna.Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:08:46, on 03/09/2008

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\WINDOWS\V0250Mon.exe

C:\Program Files\UberIcon\UberIcon Manager.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\YzShadow\YzShadow.exe

C:\Program Files\RK Launcher\RKLauncher.exe

C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 DataModem HSDPA.exe

C:\Documents and Settings\Maciej i Iwonka\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe

D:\PROGRAMY\SAFARI\Safari.exe

D:\PROGRAMY\HIJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM…\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM…\Run: [V0250Mon.exe] C:\WINDOWS\V0250Mon.exe

O4 - HKCU…\Run: [uberIcon] “C:\Program Files\UberIcon\UberIcon Manager.exe”

O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU…\Run: [Yz Shadow] C:\Program Files\YzShadow\YzShadow.exe

O4 - HKCU…\Run: [RK Launcher] C:\Program Files\RK Launcher\RKLauncher.exe

O4 - HKCU…\Run: [HUAWEI 3G Data Card MTS] C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 DataModem HSDPA.exe

O4 - HKCU…\Run: [Google Update] “C:\Documents and Settings\Maciej i Iwonka\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe” /c

O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)

O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)

O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)

O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows … 2762399625

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso … 2763352421

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab

O17 - HKLM\System\CCS\Services\Tcpip…{A4660A01-F020-4FA1-98FD-7466A4F66096}: NameServer = 172.31.140.69 172.30.140.69

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

–

End of file - 5511 bytes

spandaupol · 4 Wrzesień 2008 06:49

Kosmetycznie usuń te wpisy w HJT

Uruchom HijackThis - Do a system scan only - w oknie programu pokaże się log - zaznacz kratki przy podanych wpisach - klikasz Fix checked

Pobierz Combofix przeskanuj system i daj log na forum

D.E.J.M · 4 Wrzesień 2008 08:26

ComboFix 08-09-03.03 - Maciej i Iwonka 2008-09-04 9:12:51.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.1603 [GMT 1:00]

Running from: D:\INSTALKI\COMBOFIX.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Maciej i Iwonka\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows Media\10.0\WMSDKNSD.XML

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))

.

2008-08-26 16:11 . 2008-08-26 16:11

2008-08-26 15:08 . 2008-09-02 02:51

2008-08-25 16:41 . 2008-08-25 16:46

2008-08-15 07:07 . 2008-04-14 18:20 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2008-08-14 07:14 . 2008-05-01 15:37 331,776 -----c— C:\WINDOWS\system32\dllcache\msadce.dll

2008-08-14 07:11 . 2008-04-11 20:06 691,712 -----c— C:\WINDOWS\system32\dllcache\inetcomm.dll

2008-08-06 20:15 . 2008-08-06 20:15

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-02 20:28 --------- d-----w C:\Program Files\CONEXANT

2008-08-27 18:52 --------- d-----w C:\Documents and Settings\Maciej i Iwonka\Dane aplikacji\Skype

2008-08-27 17:34 --------- d-----w C:\Documents and Settings\Maciej i Iwonka\Dane aplikacji\skypePM

2008-08-26 15:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-08-26 15:21 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec

2008-08-26 13:59 --------- d–h--w C:\Program Files\InstallShield Installation Information

2008-07-31 08:27 --------- d-----w C:\Program Files\Sun

2008-07-31 08:26 --------- d-----w C:\Program Files\Java

2008-07-31 08:25 --------- d-----w C:\Program Files\Common Files\Java

2008-07-29 22:30 --------- d-----w C:\Documents and Settings\Maciej i Iwonka\Dane aplikacji\Apple Computer

2008-07-29 19:47 --------- d-----w C:\Program Files\Common Files\Adobe

2008-07-18 17:11 --------- d-----w C:\Program Files\Creative

2008-07-18 15:49 --------- d-----w C:\Program Files\Skype

2008-07-18 15:49 --------- d-----w C:\Program Files\Common Files\Skype

2008-07-18 15:49 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype

2008-07-18 14:35 --------- d-----w C:\Program Files\YzShadow

2008-07-18 14:35 --------- d-----w C:\Program Files\WinRoll

2008-07-18 14:35 --------- d-----w C:\Program Files\UberIcon

2008-07-18 14:35 --------- d-----w C:\Program Files\Tiger System Preferences v2

2008-07-18 14:35 --------- d-----w C:\Program Files\RK Launcher

2008-07-18 14:35 --------- d-----w C:\Program Files\ObjectDock

2008-07-18 14:35 --------- d-----w C:\Program Files\iColorFolder

2008-07-18 14:25 --------- d-----w C:\Program Files\Huawei technologies

2008-07-14 10:19 --------- d-----w C:\Program Files\Apple Software Update

2008-07-14 10:19 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple

2008-07-10 10:58 --------- d-----w C:\Documents and Settings\Maciej i Iwonka\Dane aplikacji\Thinstall

2008-07-07 18:11 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Symantec

2008-07-02 15:31 2,560 ----a-w C:\WINDOWS_MSRSTRT.EXE

2008-04-14 17:21 60,928 --sha-w C:\WINDOWS\FlyakiteOSX\Backup\msimn.exe

2008-04-14 17:21 1,695,232 --sha-w C:\WINDOWS\FlyakiteOSX\Backup\msmsgs.exe

.

------- Sigcheck -------

2004-08-03 23:44 578560 0c81764f50f32d376e6e4b9e9f4b01a0 C:\WINDOWS$NtServicePackUninstall$\user32.dll

2008-04-14 18:20 580096 a435c5c069afd901751ac323ad238793 C:\WINDOWS\FlyakiteOSX\Backup\user32.dll

2008-04-14 18:20 579584 3cbbc521c4782481f8f4ffcbac034e11 C:\WINDOWS\ServicePackFiles\i386\user32.dll

2008-04-14 18:20 579584 3cbbc521c4782481f8f4ffcbac034e11 C:\WINDOWS\system32\user32.dll

2004-08-03 23:54 2058112 44d1bc1b05e0c7c82e81687b79c653c7 C:\WINDOWS$NtServicePackUninstall$\ntkrnlpa.exe

2008-04-14 17:29 2067200 4bba965664faa56b187c27f4cad7e7c5 C:\WINDOWS\FlyakiteOSX\Backup\ntkrnlpa.exe

2008-04-14 17:29 2024960 fc933cbfdd9830214e01ddba1601b455 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe

2008-07-18 15:34 2024960 f2187d91bef9664eca1f690b65b9e3b4 C:\WINDOWS\system32\ntkrnlpa.exe

2004-08-03 23:39 2182272 dcf53422b7edded3b7431fbae4a7ee3f C:\WINDOWS$NtServicePackUninstall$\ntoskrnl.exe

2008-04-14 17:30 2190336 8ca14ecf04594eabbe93c9ff2e3cbfb1 C:\WINDOWS\FlyakiteOSX\Backup\ntoskrnl.exe

2008-04-14 17:30 2148096 869735ee0b6761cc2a84e42f5ebb96bb C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe

2008-07-18 15:34 2148096 4b43cf7a231e8bb4958158f554852630 C:\WINDOWS\system32\ntoskrnl.exe

2008-04-14 18:21 2825216 ba2661fa29ca108363f4907b95bd1c6f C:\WINDOWS\explorer.exe

2004-08-03 23:44 1033728 379098a96e6c165b659de7e4328010ea C:\WINDOWS$NtServicePackUninstall$\explorer.exe

2008-04-14 18:21 1035264 c791ed9eac5e76d9525e157b1d7a599a C:\WINDOWS\FlyakiteOSX\Backup\explorer.exe

2008-04-14 18:21 2825216 ba2661fa29ca108363f4907b95bd1c6f C:\WINDOWS\ServicePackFiles\i386\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“UberIcon”=“C:\Program Files\UberIcon\UberIcon Manager.exe” [2006-02-24 188416]

“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2008-04-14 15360]

“Yz Shadow”=“C:\Program Files\YzShadow\YzShadow.exe” [2006-02-24 172032]

“RK Launcher”=“C:\Program Files\RK Launcher\RKLauncher.exe” [2005-10-19 393216]

“HUAWEI 3G Data Card MTS”=“C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 DataModem HSDPA.exe” [2007-03-22 335872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2007-01-12 827392]

“eabconfg.cpl”=“C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe” [2006-04-18 405504]

“V0250Mon.exe”=“C:\WINDOWS\V0250Mon.exe” [2006-06-08 32768]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

–a------ 2008-01-11 22:16 39792 D:\PROGRAMY\ADOBE READER 9\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alt+Q Hotkey Tool]

–a------ 2005-12-18 20:14 27648 C:\WINDOWS\Alt+Q Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

–a------ 2005-12-01 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVFX Engine]

--------- 2006-06-09 01:11 24576 C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

–a------ 2007-08-03 12:51 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

–a------ 2008-04-14 18:21 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]

–a------ 2005-12-13 16:45 507904 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

–a------ 2007-08-08 09:25 1828136 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

–a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

–a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Files Updater]

–a------ 2006-02-26 00:41 118485 C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\V0250Mon.exe]

–a------ 2006-06-08 01:00 32768 C:\WINDOWS\V0250Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinRoll]

–a------ 2006-01-01 23:27 15872 C:\Program Files\WinRoll\winroll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

“DisableMonitoring”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“%windir%\system32\sessmgr.exe”=

“%windir%\Network Diagnostic\xpnetdiag.exe”=

“D:\PROGRAMY\UTORRENT\uTorrent.exe”=

“C:\Program Files\Skype\Phone\Skype.exe”=

“C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 DataModem HSDPA.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

“AllowInboundEchoRequest”= 0 (0x0)

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 231424]

S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys [2006-06-27 185504]

S3 V0250Vfx;V0250Vfx;C:\WINDOWS\system32\DRIVERS\V0250Vfx.sys [2006-03-24 6272]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]