- Kod: Zaznacz wszystko
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:30:46, on 2009-01-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] ; "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [ALLUpdate] "C:\Program Files\ALLPlayer\ALLUpdate.exe" "sleep"
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "C:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] "C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE" -Update -1100429 -Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
--
End of file - 3479 bytes
SDFix:
- Kod: Zaznacz wszystko
[b]SDFix: Version 1.240 [/b]
Run by jacek on 2009-01-14 at 15:06
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
[b]Checking Services [/b]:
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
[b]Checking Files [/b]:
Trojan Files Found:
C:\WINDOWS\system32\h@tkeysh@@k.dll - Deleted
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 15:19:48
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\D-Tools\"
"h0"=dword:00000000
"khjeh"=hex:a7,08,6c,33,56,30,b3,be,7e,b4,92,05,dc,db,a4,f8,7b,6b,7d,2f,22,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,96,ec,88,a4,be,93,df,79,ca,46,22,5e,86,75,2f,ee,58,..
"khjeh"=hex:f4,a6,d1,1a,32,b8,12,9f,be,f8,2c,c6,05,0c,ed,b1,fb,83,17,47,68,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:33,f9,f6,27,23,fc,31,07,5c,53,3a,21,08,09,5e,cb,fe,d8,d2,f5,5d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:32,96,20,9a,9f,53,39,3c,22,85,2c,3b,a3,ce,14,27,3e,6e,25,5b,6e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:0b,19,c8,cc,14,23,2b,45,46,f3,7e,ba,85,8a,11,60,b2,f7,1f,8f,09,..
"p0"="C:\Program Files\DAEMON Tools Lite\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,5e,fe,5d,28,96,f1,86,8e,c2,eb,29,25,1e,c0,55,52,90,..
"khjeh"=hex:ee,10,26,87,f8,eb,28,c0,96,0c,c2,a2,d3,d2,74,fa,b7,09,79,73,90,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:ae,27,5f,e7,1f,9e,55,68,b4,03,38,ba,2f,57,cf,4c,0d,8c,9e,73,97,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:32,96,20,9a,9f,53,39,3c,22,85,2c,3b,a3,ce,14,27,3e,6e,25,5b,6e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:0b,19,c8,cc,14,23,2b,45,46,f3,7e,ba,85,8a,11,60,b2,f7,1f,8f,09,..
"p0"="C:\Program Files\DAEMON Tools Lite\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,5e,fe,5d,28,96,f1,86,8e,c2,eb,29,25,1e,c0,55,52,90,..
"khjeh"=hex:ee,10,26,87,f8,eb,28,c0,96,0c,c2,a2,d3,d2,74,fa,b7,09,79,73,90,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:ae,27,5f,e7,1f,9e,55,68,b4,03,38,ba,2f,57,cf,4c,0d,8c,9e,73,97,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:32,96,20,9a,9f,53,39,3c,22,85,2c,3b,a3,ce,14,27,3e,6e,25,5b,6e,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:b6,c4,53,3e,9c,0d,61,ea,3b,26,6a,ab,14,d9,fa,0b,e2,dc,31,f1,c7,..
"p0"="C:\Program Files\DAEMON Tools Lite\"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,5e,fe,5d,28,96,f1,86,8e,c2,eb,29,25,1e,c0,55,52,90,..
"khjeh"=hex:76,85,20,85,3a,ea,c5,ee,7c,60,2c,fa,c2,86,4b,7a,96,f5,43,08,13,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:75,25,d2,b8,33,02,17,8f,8f,d1,77,40,8b,6c,57,a0,d5,50,c7,1e,c6,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:13,42,7f,8c,ab,af,a7,5e,c0,7c,c5,f3,60,7b,0f,18,c9,b0,3d,5d,a9,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:32,96,20,9a,9f,53,39,3c,22,85,2c,3b,a3,ce,14,27,3e,6e,25,5b,6e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:b6,c4,53,3e,9c,0d,61,ea,3b,26,6a,ab,14,d9,fa,0b,e2,dc,31,f1,c7,..
"p0"="C:\Program Files\DAEMON Tools Lite\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,5e,fe,5d,28,96,f1,86,8e,c2,eb,29,25,1e,c0,55,52,90,..
"khjeh"=hex:76,85,20,85,3a,ea,c5,ee,7c,60,2c,fa,c2,86,4b,7a,96,f5,43,08,13,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:75,25,d2,b8,33,02,17,8f,8f,d1,77,40,8b,6c,57,a0,d5,50,c7,1e,c6,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:13,42,7f,8c,ab,af,a7,5e,c0,7c,c5,f3,60,7b,0f,18,c9,b0,3d,5d,a9,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\Gadu-Gadu\\gg.exe"="D:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"
"C:\\totalcmd\\TOTALCMD.EXE"="C:\\totalcmd\\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Curse\\CurseClient.exe"="C:\\Program Files\\Curse\\CurseClient.exe:*:Enabled:Curse Client"
"C:\\Program Files\\Tlen.pl\\tlen.exe"="C:\\Program Files\\Tlen.pl\\tlen.exe:*:Enabled:Komunikator Tlen.pl"
"E:\\Program Files\\Warcraft III\\Demon Craft\\Warcraft III.exe"="E:\\Program Files\\Warcraft III\\Demon Craft\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\City Interactive\\GSR\\GSR.exe"="C:\\Program Files\\City Interactive\\GSR\\GSR.exe:*:Disabled:GSR"
"C:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"="C:\\Program Files\\Nowe Gadu-Gadu\\gg.exe:*:Disabled:Nowe Gadu-Gadu beta"
"E:\\ManGOS\\6816 Rev. Stable\\diskw\\usr\\local\\Apache2\\bin\\Apache.exe"="E:\\ManGOS\\6816 Rev. Stable\\diskw\\usr\\local\\Apache2\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"E:\\ManGOS\\6816 Rev. Stable\\diskw\\usr\\local\\mysql\\bin\\mysqld-nt.exe"="E:\\ManGOS\\6816 Rev. Stable\\diskw\\usr\\local\\mysql\\bin\\mysqld-nt.exe:*:Enabled:mysqld-nt"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[b]Remaining Files [/b]:
File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
Wed 10 Dec 2008 24 ..SH. --- "C:\WINDOWS\S8ECEA357.tmp"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 3 Aug 2004 60,928 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 22 Sep 2008 6,108,728 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 19 Nov 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
[b]Finished![/b]
