mdr

Request for a Log Check

Recommended replies

HiJack:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:56:11, on 2008-08-10

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

 

--

End of file - 3693 bytes

 

 

ComboFix:

ComboFix 08-08-09.06 - Strzelec 2008-08-10 19:29:28.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.44 [GMT 2:00]

Running from: C:\Documents and Settings\Strzelec\Pulpit\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Strzelec\Dane aplikacji\install.dat

C:\Documents and Settings\Strzelec\Dane aplikacji\rhcp7sj0epea

C:\Program Files\rhcp7sj0epea

C:\WINDOWS\htunistock.dll

C:\WINDOWS\nmcuninstall.exe

C:\WINDOWS\system32\1.tmp

C:\WINDOWS\system32\1.txt

C:\WINDOWS\system32\2.tmp

C:\WINDOWS\system32\2.txt

C:\WINDOWS\system32\4.tmp

C:\WINDOWS\system32\9.tmp

C:\WINDOWS\system32\C.tmp

C:\WINDOWS\system32\E.tmp

C:\WINDOWS\system32\F.tmp

C:\WINDOWS\system32\info.txt

C:\WINDOWS\system32\msdrives

C:\WINDOWS\system32\pphct7sj0epea.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_ASC3550U

-------\Legacy_DRIVERPP

-------\Service_driverpp

 

 

((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))

.

 

2008-08-10 19:22 . 2008-08-10 19:22 <DIR> d----c--- C:\Program Files\Trend Micro

2008-08-01 22:21 . 2008-08-10 19:37 109,150 --a--c--- C:\WINDOWS\system32\drivers\9cd5e1c0.sys

2008-07-27 08:27 . 2008-07-27 08:29 94,208 --a--c--- C:\WINDOWS\system32\98.tmp

2008-07-27 08:27 . 2008-07-27 08:28 94,208 --a--c--- C:\WINDOWS\system32\97.tmp

2008-07-27 08:27 . 2008-07-27 08:28 94,208 --a--c--- C:\WINDOWS\system32\96.tmp

2008-07-27 08:27 . 2008-07-27 08:27 94,208 --a--c--- C:\WINDOWS\system32\95.tmp

2008-07-27 08:27 . 2008-07-27 08:27 94,208 --a--c--- C:\WINDOWS\system32\94.tmp

2008-07-27 08:10 . 2008-07-27 08:10 94,208 --a--c--- C:\WINDOWS\system32\34.tmp

2008-07-27 08:02 . 2008-07-27 08:02 94,208 --a--c--- C:\WINDOWS\system32\20.tmp

2008-07-27 07:59 . 2008-07-27 08:00 94,208 --a--c--- C:\WINDOWS\system32\1D.tmp

2008-07-27 07:59 . 2008-07-27 08:00 94,208 --a--c--- C:\WINDOWS\system32\1C.tmp

2008-07-27 07:59 . 2008-07-27 07:59 94,208 --a--c--- C:\WINDOWS\system32\1B.tmp

2008-07-24 01:45 . 2008-07-26 20:07 94,208 --a--c--- C:\WINDOWS\system32\17.tmp

2008-07-24 01:45 . 2008-07-26 20:07 94,208 --a--c--- C:\WINDOWS\system32\16.tmp

2008-07-24 01:45 . 2008-07-26 20:07 94,208 --a--c--- C:\WINDOWS\system32\15.tmp

2008-07-24 01:45 . 2008-07-26 20:07 94,208 --a--c--- C:\WINDOWS\system32\14.tmp

2008-07-24 01:45 . 2008-07-25 10:16 94,208 --a--c--- C:\WINDOWS\system32\12.tmp

2008-07-24 01:45 . 2008-07-26 04:01 94,208 --a--c--- C:\WINDOWS\system32\11.tmp

2008-07-24 01:45 . 2008-07-24 21:04 94,208 --a--c--- C:\WINDOWS\system32\10.tmp

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-10 17:16 --------- dc----w C:\Documents and Settings\Strzelec\Dane aplikacji\Skype

2008-08-10 17:15 --------- dc----w C:\Documents and Settings\Strzelec\Dane aplikacji\skypePM

2008-08-10 17:14 --------- dc--a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-08-08 11:31 --------- dc----w C:\Program Files\Spyware Doctor

2008-07-24 18:59 --------- dc----w C:\Program Files\Winamp Toolbar

2008-07-12 20:35 --------- dc----w C:\Documents and Settings\Strzelec\Dane aplikacji\XnView

2008-06-20 10:45 360,320 -c--a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 -c--a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 -c--a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-14 18:01 273,024 -c----w C:\WINDOWS\system32\drivers\bthport.sys

2008-06-10 19:22 81,288 -c--a-w C:\WINDOWS\system32\drivers\iksyssec.sys

2008-03-28 18:00 32 -c--a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2007-12-23 16:16 165 -c-ha-w C:\Documents and Settings\Strzelec\hpothb07.dat

2006-04-23 20:42 485 -c--a-w C:\Program Files\iPod.pcast

2006-04-22 21:55 5,316,176 -c--a-w C:\Program Files\msjavx86.exe

2006-04-21 23:06 243,512 -c--a-w C:\Program Files\jre-1_5_0_06-windows-i586-p-iftw.exe

2006-04-21 22:12 243,512 -c--a-w C:\Program Files\kerio-pf-4.0.14-en-win.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-30 17:17 22058792]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-10 21:33 155648]

"SoundMan"="SOUNDMAN.EXE" [2002-09-27 08:44 47104 C:\WINDOWS\SOUNDMAN.EXE]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

??????????????????????? [?]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

??????????????????????? [?]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\istray]

--a--c--- 2008-07-16 09:16 1166216 C:\Program Files\Spyware Doctor\pctsTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Onet.pl AutoUpdate]

--a--c--- 2005-07-27 11:59 260096 C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PublishPDF]

--a--c--- 2003-08-06 18:33 28672 C:\WINDOWS\PublishPDF\ppdfload.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-04-10 21:33 155648 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]

S3 PD1030VID;Creative WebCam Pro;C:\WINDOWS\system32\DRIVERS\P1030Vid.sys [2002-05-21 03:00]

.

Contents of the 'Scheduled Tasks' folder

 

2007-07-28 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1167680034.job

- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 01:52]

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-Registry Cleaner - C:\Program Files\Registry Cleaner Trial\Regclean.exe

MSConfigStartUp-SsAAD - C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

MSConfigStartUp-SunServer - C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

MSConfigStartUp-WinampAgent - C:\Program Files\Winamp\winampa.exe

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Strzelec\Dane aplikacji\Mozilla\Firefox\Profiles\x2nhgvj0.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.wp.pl/

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-10 19:35:49

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\9cd5e1c0]

"ImagePath"="\SystemRoot\System32\drivers\9cd5e1c0.sys"

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\taskmgr.exe

.

**************************************************************************

.

Completion time: 2008-08-10 19:44:03 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-10 17:43:52

 

Pre-Run: 1,807,753,216 bajtów wolnych

Post-Run: 1,964,896,256 bajtów wolnych

 

157 --- E O F --- 2008-07-08 22:20:49


In HJT remove:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

 

Create a file named CFScript.txt on the desktop and paste the following into it:

 

Driver::

9cd5e1c0

 

File::

C:\WINDOWS\system32\drivers\9cd5e1c0.sys

C:\WINDOWS\system32\98.tmp

C:\WINDOWS\system32\97.tmp

C:\WINDOWS\system32\96.tmp

C:\WINDOWS\system32\95.tmp

C:\WINDOWS\system32\94.tmp

C:\WINDOWS\system32\34.tmp

C:\WINDOWS\system32\20.tmp

C:\WINDOWS\system32\1D.tmp

C:\WINDOWS\system32\1C.tmp

C:\WINDOWS\system32\1B.tmp

C:\WINDOWS\system32\17.tmp

C:\WINDOWS\system32\16.tmp

C:\WINDOWS\system32\15.tmp

C:\WINDOWS\system32\14.tmp

C:\WINDOWS\system32\12.tmp

C:\WINDOWS\system32\11.tmp

C:\WINDOWS\system32\10.tmp

 

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\9cd5e1c0]

 

Save it and drag it onto the ComboFix icon. After running it, post the ComboFix log and an SDFix log made in Safe Mode.
