Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:49:17, on 2007-10-19
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\ibmpmsvc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\GFI\LANguard Network Security Scanner 6.0\lnssatt.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\tp4mon.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\WINDOWS\svzip.exe
D:\WINDOWS\sv.exe
D:\WINDOWS\runsql.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - D:\Program Files\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer.dll
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - D:\Program Files\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [netzip] D:\WINDOWS\svzip.exe
O4 - HKLM\..\Run: [netsv32] D:\WINDOWS\sv.exe
O4 - HKLM\..\Run: [runsql] D:\WINDOWS\runsql.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1708537768-2111687655-1957994488-1005\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LNSS_MONITOR_USR')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LNSS Status Monitor.lnk = D:\Program Files\GFI\LANguard Network Security Scanner 6.0\statusmonitor.exe
O8 - Extra context menu item: Add to &Teleport - D:\Program Files\Teleport Pro\teleport.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D1CC19D-557E-4852-8CB8-47023195F086}: NameServer = 85.255.116.52,85.255.112.106
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFE6A31-BAB0-404E-903F-3844635B86E8}: NameServer = 85.255.116.52,85.255.112.106
O17 - HKLM\System\CCS\Services\Tcpip\..\{B27108D6-F5D7-4518-98FD-4FE546C9BE68}: NameServer = 85.255.116.52,85.255.112.106
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BB7A36-A86C-458E-B0D4-4C3B449A1A64}: NameServer = 85.255.116.52,85.255.112.106
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.52 85.255.112.106
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.52 85.255.112.106
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.52 85.255.112.106
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Crypkey License - Unknown owner - D:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GFI LANguard N.S.S. 6.0 attendant service - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 6.0\lnssatt.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - D:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\system32\dmkms.exe
Start => Run => type services.msc => stop and disable the "Windows Management Service" service.
Delete the files marked in red from the disk manually in Safe Mode, and the entries with HijackThis.
See - Infected DNS, and use the FixWareOut tool presented there.
When that is done, run ComboFix and paste its log together with the contents of the file c:\fixwareout\report.txt
Username "andy" - 2007-10-19 18:37:24 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
Service: "Windows Management Service" = D:\WINDOWS\System32\dmkms.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.52 85.255.112.106"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2D1CC19D-557E-4852-8CB8-47023195F086}
"nameserver"="85.255.116.52,85.255.112.106"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4AFE6A31-BAB0-404E-903F-3844635B86E8}
"nameserver"="85.255.116.52,85.255.112.106"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B27108D6-F5D7-4518-98FD-4FE546C9BE68}
"nameserver"="85.255.116.52,85.255.112.106"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B5BB7A36-A86C-458E-B0D4-4C3B449A1A64}
"nameserver"="85.255.116.52,85.255.112.106"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2D1CC19D-557E-4852-8CB8-47023195F086}
"DhcpNameServer"="85.255.116.52,85.255.112.106"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B27108D6-F5D7-4518-98FD-4FE546C9BE68}
"DhcpNameServer"="85.255.116.52,85.255.112.106"
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FE09A165C0E7-9F49-4974-EA6A-F1DFC5D8{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}0A0F71985D2E-38CA-C5F4-B22A-730DCEA1{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "jahmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}66CAE101BAC8-CD3A-C3C4-7EC5-9413A651{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}71294AE54A6F-534A-A1A4-DB73-7FAE764A{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4F49C6971A03-408B-C594-3A19-38DDB98D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "smkmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}BB0734C29F1B-0EAA-DBB4-DDB3-37D00B0E{" Deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmhaj.exe" Value deleted
D:\WINDOWS\System32\qwonz.exe Deleted
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
D:\WINDOWS\system32\csrss.exe 6144 2004-08-04
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"PCSuiteTrayApplication"="D:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"
"WinampAgent"="D:\\Program Files\\Winamp\\winampa.exe"
"SunJavaUpdateSched"="D:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\\WINDOWS\\system32\\ctfmon.exe"
"DAEMON Tools"="\"D:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"MSMSGS"="\"D:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Gadu-Gadu"="\"D:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"
....
Hosts file was reset, If you use a custom hosts file please replace it...
%SystemRoot%\repair\autoexec.nt missing
%SystemRoot%\repair\Config.nt missing
~~~~~End report~~~~~
Post merged: 19.10.2007 (Fri) 18:54
ComboFix 07-10-17.8@ - andy 2007-10-19 18:48:29.1 - NTFSx86
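The three things the helper acted on above (the O17 nameservers pointing at 85.255.x.x, the Run entries launching executables straight from D:\WINDOWS, and the "Windows Management Service" backed by a five-letter dmkms.exe that Fixwareout's "Search five digit cs, dm, kd, jb" check targets) can be turned into a repeatable triage over a HijackThis log. The following Python script is an added example written for this page; it is not part of the original thread, of HijackThis, or of Fixwareout. The trusted-resolver ranges, the KNOWN_GOOD_NAMES allowlist and the sample lines (copied from the log posted above) are assumptions made for the example.

```python
"""Triage HijackThis output for the DNS-hijack pattern seen in this thread.

Added example, not part of the original thread or of HijackThis/Fixwareout.
It parses O17 (nameserver), O4 (Run key) and O23 (service) lines and applies
four rules:
  * rogue_dns:              nameserver outside an assumed trusted set
  * windir_root_run:        Run entry launching X:\WINDOWS\<file>.exe directly
  * variant_name:           five-letter exe with a Fixwareout prefix (cs/dm/kd/jb)
  * unknown_owner_service:  service whose vendor HijackThis could not identify
"""
import ipaddress
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: resolvers should come from private/loopback space (home router or
# internal DNS). Replace with the ISP's or corporate resolver ranges.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Fixwareout's "five digit cs, dm, kd, jb" search expressed as a rule.
VARIANT_PREFIXES = ("cs", "dm", "kd", "jb")
# csrss.exe is a core Windows process that matches the "cs" pattern; the report
# above says to submit it for inspection, not delete it. explorer.exe legitimately
# lives in the Windows directory root. Both are allowlisted (assumption).
KNOWN_GOOD_NAMES = {"csrss.exe", "explorer.exe"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    check: str    # which rule fired
    detail: str   # the artefact that triggered it (IP or path)
    line: str     # the HijackThis line it came from


def is_variant_name(filename: str) -> bool:
    """Five alphabetic characters before .exe, starting with a Fixwareout prefix."""
    stem, _, ext = filename.lower().rpartition(".")
    return (ext == "exe" and len(stem) == 5 and stem.isalpha()
            and stem.startswith(VARIANT_PREFIXES)
            and filename.lower() not in KNOWN_GOOD_NAMES)


def runs_from_windir_root(exe: str) -> bool:
    """True for X:\\WINDOWS\\foo.exe with no subdirectory (svzip.exe, sv.exe, runsql.exe)."""
    parts = PureWindowsPath(exe).parts
    return (len(parts) == 3 and parts[1].lower() in ("windows", "winnt")
            and parts[2].lower() not in KNOWN_GOOD_NAMES)


def triage(log_lines):
    """Return a list of Finding objects for the suspicious lines in a HijackThis log."""
    findings = []
    for raw in log_lines:
        line = raw.rstrip()
        if m := O17_RE.match(line):
            for server in re.split(r"[,\s]+", m["servers"].strip()):
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    continue  # not an IP literal; ignore the token
                if not any(ip in net for net in TRUSTED_RESOLVER_NETS):
                    findings.append(Finding("rogue_dns", server, line))
        elif m := O4_RE.match(line):
            if exe_m := EXE_RE.match(m["cmd"]):
                exe = exe_m["exe"]
                if runs_from_windir_root(exe):
                    findings.append(Finding("windir_root_run", exe, line))
                if is_variant_name(PureWindowsPath(exe).name):
                    findings.append(Finding("variant_name", exe, line))
        elif m := O23_RE.match(line):
            path = m["path"].strip()
            if m["owner"] == "Unknown owner":
                findings.append(Finding("unknown_owner_service", path, line))
            if is_variant_name(PureWindowsPath(path).name):
                findings.append(Finding("variant_name", path, line))
    return findings


def summarize(findings):
    """Group finding details by rule, sorted, for reporting and for assertions."""
    out = {}
    for f in findings:
        out.setdefault(f.check, []).append(f.detail)
    return {k: sorted(v) for k, v in out.items()}


# Sample input: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe",
    r"O4 - HKLM\..\Run: [netzip] D:\WINDOWS\svzip.exe",
    r"O4 - HKLM\..\Run: [netsv32] D:\WINDOWS\sv.exe",
    r"O4 - HKLM\..\Run: [runsql] D:\WINDOWS\runsql.exe",
    r'O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2D1CC19D-557E-4852-8CB8-47023195F086}: NameServer = 85.255.116.52,85.255.112.106",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.52 85.255.112.106",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe",
    r"O23 - Service: Crypkey License - Unknown owner - D:\WINDOWS\SYSTEM32\crypserv.exe",
    r"O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\system32\dmkms.exe",
]

if __name__ == "__main__":
    for check, details in summarize(triage(SAMPLE_LOG)).items():
        print(f"{check}: {details}")
```

Run against the sample, the script reports both 85.255.x.x resolvers, the three loaders in the Windows root, dmkms.exe as a five-letter variant name, and two unknown-owner services. The last rule is a review list, not a verdict: crypserv.exe (the Crypkey licensing service) is a benign hit, which is the same caveat the Fixwareout report attaches to csrss.exe; submit hashes to a multi-engine scanner before deleting anything a name-pattern rule alone has flagged.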
It's OK now. Do you still have any problems?
I'm checking, I think it's OK.
Regards and thanks.