Ataki na pocztę, błędy w otwieraniu się plików, zawiechy

samidare · 15 Maj 2009 18:10

Mam od jakiegoś czasu problem z pocztą, otóż COŚ mi zmieniło hasło (na 2 różne konta) i nie mogę się dostać. Zauważyłem też zmiany w systemie, co niektóre programy się nie uruchamiają i ogólnie wszystko chodzi słabo, jeśli takie wyjaśnienie wystarczy.

Proszę bardzo o pomoc i z góry dziękuję!

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:32:37, on 2009-05-15 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Windows\system32\verclsid.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O4 - HKLM…\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM…\Run: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START O4 - HKLM…\Run: [startCCC] “C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” MSRun O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe” O4 - HKCU…\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU…\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter O4 - HKCU…\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKUS\S-1-5-19…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’) O4 - HKUS\S-1-5-19…\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’) O4 - HKUS\S-1-5-20…\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’) O4 - Global Startup: Bluetooth Manager.lnk = ? O13 - Gopher Prefix: O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe – End of file - 3519 bytes

anon53382939 · 15 Maj 2009 18:15

Możesz przeskanować tym programem http://dobreprogramy.pl/index.php?dz=2&id=1998&Dr.WEB+CureIt!+5.00.3.04220/ pełny skan i usuń co znajdzie.

jasio96 · 16 Maj 2009 07:10

Log jest czysty . Daj log z ComboFix

samidare · 16 Maj 2009 07:56

Program nic nie znalazł

Logi z COmbofix :

ComboFix 09-05-15.03 - Martin 2009-05-16 9:50.1 - NTFSx86 Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1250.48.1033.18.3453.2164 [GMT 2:00] Uruchomiony z: c:\users\Martin\Desktop\ComboFix.exe SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . ((((((((((((((((((((((((( Pliki utworzone od 2009-04-16 do 2009-05-16 ))))))))))))))))))))))))))))))) . 2009-05-16 07:22 . 2009-05-15 22:18 4152184 ----a-w c:\windows\system32\wgaer_m.exe 2009-05-16 01:02 . 2009-05-16 00:16 -------- d-----w c:\windows\Panther 2009-05-16 00:29 . 2009-05-15 15:33 -------- d-----w c:\windows\Debug 2009-05-15 22:24 . 2008-10-22 01:22 2048 ----a-w c:\windows\system32\tzres.dll 2009-05-15 22:06 . 2008-06-20 01:14 97800 ----a-w c:\windows\system32\infocardapi.dll 2009-05-15 22:06 . 2008-06-20 01:14 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll 2009-05-15 22:06 . 2008-06-20 01:14 622080 ----a-w c:\windows\system32\icardagt.exe 2009-05-15 22:06 . 2008-06-20 01:14 11264 ----a-w c:\windows\system32\icardres.dll 2009-05-15 22:06 . 2008-06-20 01:14 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll 2009-05-15 22:06 . 2008-06-20 01:14 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll 2009-05-15 22:06 . 2008-06-20 01:14 326160 ----a-w c:\windows\system32\PresentationHost.exe 2009-05-15 22:01 . 2008-07-27 18:03 96760 ----a-w c:\windows\system32\dfshim.dll 2009-05-15 22:01 . 2008-07-27 18:03 282112 ----a-w c:\windows\system32\mscoree.dll 2009-05-15 22:01 . 2008-07-27 18:03 41984 ----a-w c:\windows\system32\netfxperf.dll 2009-05-15 22:01 . 2008-07-27 18:03 158720 ----a-w c:\windows\system32\mscorier.dll 2009-05-15 22:00 . 2008-07-27 18:03 83968 ----a-w c:\windows\system32\mscories.dll 2009-05-15 18:25 . 2009-05-15 18:25 -------- d-----w c:\users\Martin\DoctorWeb 2009-05-15 17:51 . 2008-06-26 01:45 12240896 ----a-w c:\windows\system32\NlsLexicons0007.dll 2009-05-15 17:51 . 2008-06-26 01:45 2644480 ----a-w c:\windows\system32\NlsLexicons0009.dll 2009-05-15 17:51 . 2008-06-26 03:29 801280 ----a-w c:\windows\system32\NaturalLanguage6.dll 2009-05-15 17:44 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll 2009-05-15 17:38 . 2008-09-10 03:40 1334272 ----a-w c:\windows\system32\msxml6.dll 2009-05-15 17:32 . 2009-05-15 17:32 -------- d-----w c:\program files\Trend Micro 2009-05-15 17:31 . 2008-10-16 21:09 43544 ----a-w c:\windows\system32\wups2.dll 2009-05-15 17:31 . 2008-10-16 21:09 51224 ----a-w c:\windows\system32\wuauclt.exe 2009-05-15 17:31 . 2008-10-16 20:56 1524736 ----a-w c:\windows\system32\wucltux.dll 2009-05-15 17:31 . 2008-10-16 21:13 1809944 ----a-w c:\windows\system32\wuaueng.dll 2009-05-15 17:31 . 2008-10-16 21:08 34328 ----a-w c:\windows\system32\wups.dll 2009-05-15 17:31 . 2008-10-16 20:55 83456 ----a-w c:\windows\system32\wudriver.dll 2009-05-15 17:31 . 2008-10-16 21:12 561688 ----a-w c:\windows\system32\wuapi.dll 2009-05-15 17:31 . 2008-10-16 12:08 162064 ----a-w c:\windows\system32\wuwebv.dll 2009-05-15 17:31 . 2008-10-16 11:56 31232 ----a-w c:\windows\system32\wuapp.exe 2009-05-15 17:30 . 2009-05-15 17:30 -------- d-----w c:\users\Martin\AppData\Local\Mozilla 2009-05-15 16:38 . 2005-06-17 08:26 114688 ----a-w c:\windows\system32\WLANUTL.dll 2009-05-15 16:38 . 2005-06-17 08:26 61440 ----a-w c:\windows\system32\W32N50.dll 2009-05-15 16:07 . 2009-05-15 16:07 -------- d-----w c:\users\Martin\AppData\Local\Toshiba 2009-05-15 16:07 . 2009-05-15 16:07 -------- d-----w c:\programdata\ATI 2009-05-15 16:07 . 2009-05-15 16:07 -------- d-----w c:\users\All Users\ATI 2009-05-15 16:07 . 2009-05-15 16:07 -------- d-----w c:\users\Martin\AppData\Roaming\ATI 2009-05-15 16:07 . 2009-05-15 16:07 -------- d-----w c:\users\Martin\AppData\Local\ATI 2009-05-15 16:04 . 2009-05-15 16:04 0 ----a-w c:\windows\ativpsrm.bin 2009-05-15 15:56 . 2009-05-15 15:58 -------- d-----w c:\program files\ATI Technologies 2009-05-15 15:56 . 2009-05-15 16:10 -------- d-----w c:\program files\ATI 2009-05-15 15:49 . 2009-05-15 15:49 -------- d-----w c:\program files\Common Files\PX Storage Engine 2009-05-15 15:49 . 2009-05-15 18:29 -------- d-----w c:\users\Martin\AppData\Roaming\Winamp 2009-05-15 15:49 . 2009-05-15 15:50 -------- d-----w c:\program files\Winamp 2009-05-15 15:46 . 2009-05-15 22:15 -------- d-----w c:\program files\CONEXANT 2009-05-15 15:40 . 2009-05-15 15:40 -------- d-----w c:\users\Martin\AppData\Roaming\InstallShield 2009-05-15 15:35 . 2009-05-15 15:35 48600 ----a-w c:\users\Martin\AppData\Local\GDIPFONTCACHEV1.DAT 2009-05-15 15:35 . 2009-05-15 15:35 -------- d-----r c:\users\Martin\Searches 2009-05-15 15:29 . 2009-05-15 15:29 -------- d-----r c:\windows\system32\config\systemprofile\Contacts 2009-05-15 13:40 . 2006-12-22 18:05 449536 ----a-w c:\windows\system32\drivers\athrusb.sys 2009-05-13 10:39 . 2008-01-25 09:55 229376 ----a-w c:\windows\system32\UCI32A27.dll 2009-05-13 10:39 . 2008-02-01 11:00 2125312 ----a-w c:\windows\system32\CnxtAp32.dll 2009-05-13 10:39 . 2008-02-01 10:46 187904 ----a-w c:\windows\system32\drivers\CHDART.sys 2009-04-24 00:31 . 2009-04-24 00:31 347648 ----a-w c:\windows\system32\drivers\RTL8187B.sys . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-16 07:22 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail 2009-05-15 16:39 . 2009-05-15 15:41 -------- d–h--w c:\program files\InstallShield Installation Information 2009-05-15 16:37 . 2009-05-15 15:41 -------- d-----w c:\program files\Common Files\InstallShield 2009-05-15 15:48 . 2009-05-15 15:41 -------- d-----w c:\program files\TOSHIBA 2009-05-15 15:41 . 2009-05-15 15:34 680 ----a-w c:\users\Martin\AppData\Local\d3d9caps.dat 2009-03-27 06:08 . 2009-03-27 06:08 311808 ----a-w c:\windows\system32\drivers\yk60x86.sys 2009-03-27 06:08 . 2009-03-27 06:08 282624 ----a-w c:\windows\system32\yk60x86.dll 2009-03-17 03:38 . 2009-05-15 17:45 13824 ----a-w c:\windows\system32\apilogen.dll 2009-03-17 03:38 . 2009-05-15 17:45 24064 ----a-w c:\windows\system32\amxread.dll 2009-03-03 04:46 . 2009-05-15 17:45 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-03-03 04:46 . 2009-05-15 17:45 3547632 ----a-w c:\windows\system32\ntoskrnl.exe 2009-03-03 04:40 . 2009-05-15 17:46 827392 ----a-w c:\windows\system32\wininet.dll 2009-03-03 04:39 . 2009-05-15 17:45 183296 ----a-w c:\windows\system32\sdohlp.dll 2009-03-03 04:39 . 2009-05-15 17:45 551424 ----a-w c:\windows\system32\rpcss.dll 2009-03-03 04:39 . 2009-05-15 17:45 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll 2009-03-03 04:37 . 2009-05-15 17:45 78336 ----a-w c:\windows\system32\ieencode.dll 2009-03-03 04:37 . 2009-05-15 17:45 98304 ----a-w c:\windows\system32\iasrecst.dll 2009-03-03 04:37 . 2009-05-15 17:45 54784 ----a-w c:\windows\system32\iasads.dll 2009-03-03 04:37 . 2009-05-15 17:45 44032 ----a-w c:\windows\system32\iasdatastore.dll 2009-03-03 03:04 . 2009-05-15 17:45 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe 2009-03-03 02:38 . 2009-05-15 17:45 17408 ----a-w c:\windows\system32\iashost.exe 2009-03-03 02:28 . 2009-05-15 17:45 26624 ----a-w c:\windows\system32\ieUnatt.exe 2008-01-21 02:41 . 2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini 2008-07-02 21:01 . 2009-05-15 16:38 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll 2008-07-02 21:01 . 2009-05-15 16:38 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll 2008-07-02 21:01 . 2009-05-15 16:38 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll 2008-07-02 21:01 . 2009-05-15 16:38 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll 2008-07-02 21:01 . 2009-05-15 16:38 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll 2008-04-09 23:35 . 2008-04-09 23:35 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Sidebar”=“c:\program files\Windows Sidebar\sidebar.exe” [2008-01-21 1233920] “TOSCDSPD”=“c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe” [2007-12-29 430080] “WindowsWelcomeCenter”=“oobefldr.dll” - c:\windows\System32\oobefldr.dll [2008-01-21 2153472] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ITSecMng”=“c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe” [2007-09-28 75136] “StartCCC”=“c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” [2008-07-16 61440] “WinampAgent”=“c:\program files\Winamp\winampa.exe” [2009-03-09 37888] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-4-14 2979144] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] “EnableUIADesktopToggle”= 0 (0x0) R0 O2MDRDR;O2MDRDR;c:\windows\System32\drivers\o2media.sys [2005-11-14 34176] R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\System32\drivers\athrusb.sys [2009-05-15 449536] R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\System32\drivers\CHDART.sys [2009-05-13 187904] R3 QIOMem;Generic IO & Memory Access;c:\windows\System32\drivers\QIOMem.sys [2007-04-09 8192] R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187B.sys [2009-04-24 347648] — Inne Usługi/Sterowniki w Pamięci — *Deregistered* - DwShield00006337 . . ------- Skan uzupełniający ------- . FF - ProfilePath - c:\users\Martin\AppData\Roaming\Mozilla\Firefox\Profiles\3l58mdzm.default\ FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll ---- FIREFOX - SPOSÓB POSTĘPOWANIA ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref(“ui.allow_platform_file_picker”, true); c:\program files\Mozilla Firefox\greprefs\all.js - pref(“network.cookie.p3plevel”, 1); // 0=low, 1=medium, 2=high, 3=custom c:\program files\Mozilla Firefox\greprefs\all.js - pref(“network.enablePad”, false); // Allow client to do proxy autodiscovery c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(“security.remember_cert_checkbox_default_setting”, true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“browser.urlbar.hideGoButton”, false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“browser.search.param.Google.1.default”, “chrome://branding/content/searchconfig.properties”); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“browser.search.param.Google.1.custom”, “chrome://branding/content/searchconfig.properties”); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“signon.prefillForms”, true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“browser.safebrowsing.remoteLookups”, false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“browser.safebrowsing.provider.0.updateURL”, “http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&”); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“browser.safebrowsing.provider.0.lookupURL”, “http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&”); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“browser.safebrowsing.provider.0.reportURL”, "http://sb.google.com/safebrowsing/report?"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-16 09:54 Windows 6.0.6001 Service Pack 1 NTFS skanowanie ukrytych procesów … skanowanie ukrytych wpisów autostartu … skanowanie ukrytych plików … skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . --------------------- ZABLOKOWANE KLUCZE REJESTRU --------------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) “BlindDial”=dword:00000000 . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- - - - - - - - > ‘Explorer.exe’(3596) c:\windows\system32\TosBtShell.dll . Czas ukończenia: 2009-05-16 9:55 ComboFix-quarantined-files.txt 2009-05-16 07:55 Przed: 59 434 061 824 bytes free Po: 59 479 482 368 bytes free 166 — E O F — 2009-05-15 22:36

ciemnowidz · 16 Maj 2009 08:12

W logu też nic nie widać.

Usuń ręcznie C:\Qoobox i instalkę ComboFix z dysku. Wyłącz na chwilę przywracanie systemu. Przeskanuj rejestr CCleaner’em.

Przeskanuj się jeszcze Spybot’em

http://dobreprogramy.pl/index.php?dz=2& … y+1.6.2.46

Sam Windows Defender to chyba za słaba ochrona.

samidare · 16 Maj 2009 08:19

Dziękuję bardzo za waszą nieocenioną pomoc