Chodzi tlyko kilka stron, spowolnione działanie

Black_rat · 10 Sierpień 2008 18:55

Witam, nie będę się rozpisywał.

Od kilku godzin nie moge dać sobie rady z moim PC.

Ładuje się tylko kilka stron np. dobreprogramy.

Nie ładuje sie np. onet, interia, allegro.

Nie mogę np. wrzucić logów na jakieś stronki więc wklejam je tutaj w tym temacie.

Nie mam żadnego antywirusa bo wszystkie padły.

Kaspersky, Nod, Bitdefender i Mks.

Spybot znalazł kilkanaście plików, usunął, a teraz ich już nie ma.

oto logi:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:37:16, on 2008-08-10 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: E:\WINDOWS\System32\smss.exe E:\WINDOWS\system32\winlogon.exe E:\WINDOWS\system32\services.exe E:\WINDOWS\system32\lsass.exe E:\WINDOWS\system32\Ati2evxx.exe E:\WINDOWS\system32\svchost.exe E:\WINDOWS\System32\svchost.exe E:\WINDOWS\system32\Ati2evxx.exe E:\WINDOWS\Explorer.EXE E:\WINDOWS\system32\wscntfy.exe E:\Program Files\Mozilla Firefox\firefox.exe E:\WINDOWS\system32\wuauclt.exe E:\Program Files\Volleyball Manager 2008\Volleyball Manager.exe E:\Program Files\Windows Media Player\wmplayer.exe E:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O1 - Hosts: 66.98.148.65 auto.search.msn.com O1 - Hosts: 66.98.148.65 auto.search.msn.es O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O4 - HKCU…\Run: [Gadu-Gadu] “E:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - E:\WINDOWS\bdoscandel.exe O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - E:\WINDOWS\bdoscandel.exe O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O15 - Trusted Zone: http://www.eurovisionsports.tv O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} - http://www.mks.com.pl/skaner/SkanerOnline.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe – End of file - 3565 bytes

te na pomarańczowo to wydaje mi się, że nie było ich wcześniej.

“Silent Runners.vbs”, revision 58, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““E:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “E:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “E:\Program Files\Java\jre1.6.0_04\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “E:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Program Files\WinRAR\rarext.dll” [null data] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{A5110426-177D-4e08-AB3F-785F10B4439C}” = “Sony Ericsson File Manager” -> {HKLM…CLSID} = “Sony Ericsson File Manager” \InProcServer32(Default) = “E:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll” [“Sony Ericsson Mobile Communications AB”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” -> {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “E:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\SOFTWARE\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Program Files\WinRAR\rarext.dll” [null data] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Program Files\WinRAR\rarext.dll” [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “E:\Program Files\WinRAR\rarext.dll” [null data] Default executables: -------------------- <> HKLM\SOFTWARE\Classes.com(Default) = “ComFile” Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoLowDiskSpaceChecks” = (REG_DWORD) dword:0x00000001 {unrecognized setting} “ClearRecentDocsOnExit” = (REG_DWORD) dword:0x00000001 {unrecognized setting} “NoDrives” = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoCDBurning” = (REG_DWORD) dword:0x00000000 {unrecognized setting} “NoDrives” = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “HideLegacyLogonScripts” = (REG_DWORD) dword:0x00000000 {unrecognized setting} “HideLogoffScripts” = (REG_DWORD) dword:0x00000000 {unrecognized setting} “RunLogonScriptSync” = (REG_DWORD) dword:0x00000001 {unrecognized setting} “RunStartupScriptSync” = (REG_DWORD) dword:0x00000000 {unrecognized setting} “HideStartupScripts” = (REG_DWORD) dword:0x00000000 {unrecognized setting} “DisableTaskMgr” = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} “DisableRegistryTools” = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “DisableRegistryTools” = (REG_DWORD) dword:0x00000000 {unrecognized setting} “HideLegacyLogonScripts” = (REG_DWORD) dword:0x00000000 {unrecognized setting} “HideLogoffScripts” = (REG_DWORD) dword:0x00000000 {unrecognized setting} “RunLogonScriptSync” = (REG_DWORD) dword:0x00000001 {unrecognized setting} “RunStartupScriptSync” = (REG_DWORD) dword:0x00000000 {unrecognized setting} “HideStartupScripts” = (REG_DWORD) dword:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “E:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “E:\Documents and Settings\pav\Dane aplikacji\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp” Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ HPAutoplayExpress\ “Provider” = “Oprogramowanie HP Photosmart Express” “InvokeProgID” = “HpqUnApl.Autoplay” “InvokeVerb” = “Express” HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Express\DropTarget\CLSID = “{57FA3F08-E36E-4820-9CC4-122D46114993}” -> {HKLM…CLSID} = (no title provided) \LocalServer32(Default) = “E:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe” [“Hewlett-Packard”] HPUnloadAutoplay\ “Provider” = “Oprogramowanie HP Photosmart – przenoszenie” “InvokeProgID” = “HpqUnApl.Autoplay” “InvokeVerb” = “Play” HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = “{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}” -> {HKLM…CLSID} = (no title provided) \LocalServer32(Default) = “E:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe” [“Hewlett-Packard”] MSWPDShellNamespaceHandler\ “Provider” = “@%SystemRoot%\System32\WPDShextRes.dll,-501” “CLSID” = “{A55803CC-4D53-404c-8557-FD63DBA95D24}” “InitCmdLine” = " " -> {HKLM…CLSID} = “WPDShextAutoplay” \LocalServer32(Default) = “E:\WINDOWS\system32\WPDShextAutoplay.exe” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_04” \InProcServer32(Default) = “E:\Program Files\Java\jre1.6.0_04\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_04” \InProcServer32(Default) = “E:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll” [“Sun Microsystems, Inc.”] {85D1F590-48F4-11D9-9669-0800200C9A66}\ “MenuText” = “Uninstall BitDefender Online Scanner v8” “Exec” = “%windir%\bdoscandel.exe” [null data] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” Miscellaneous IE Hijack Points ------------------------------ HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\ <> “Tabs” = “res://ieframe.dll/tabswelcome.htm” [file not found] HOSTS file ---------- E:\WINDOWS\System32\drivers\etc\HOSTS maps: 3 domain names to IP addresses, 2 of the IP addresses are *not* localhost! Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “E:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ LIDIL hpzll4pi\Driver = “hpzll4pi.dll” [“Hewlett-Packard Company”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- (launch time: 2008-08-10 18:37:29) <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 20 seconds, including 2 seconds for message boxes)

ComboFix 08-08-09.06 - pav 2008-08-10 20:20:15.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.690 [GMT 2:00] Running from: E:\Documents and Settings\pav\Pulpit\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . E:\WINDOWS\system32\actskn43.ocx . ((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 ))))))))))))))))))))))))))))))) . 2008-08-10 18:37 . 2008-08-10 18:37 2008-08-09 17:48 . 2008-08-10 11:59 121 --a------ E:\WINDOWS\bdagent.INI 2008-08-09 17:38 . 2008-08-10 11:59 81,984 --a------ E:\WINDOWS\system32\bdod.bin 2008-08-09 17:31 . 2008-08-09 17:31 2008-08-09 17:31 . 2008-08-09 17:31 2008-08-09 12:26 . 2008-08-09 13:47 2008-08-09 12:25 . 2008-08-09 12:30 2008-08-09 12:25 . 2008-08-09 12:25 2008-07-29 08:48 . 2008-07-29 08:48 7,168 --ahs---- E:\WINDOWS\Thumbs.db 2008-07-26 11:28 . 2008-08-10 19:27 2008-07-20 10:15 . 2000-05-22 22:58 608,448 --a------ E:\WINDOWS\system32\comctl32.ocx . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-10 10:16 --------- d-----w E:\Documents and Settings\pav\Dane aplikacji\uTorrent 2008-08-08 06:55 --------- d-----w E:\Program Files\Spybot - Search Destroy 2008-07-30 07:02 --------- d–h--w E:\Program Files\InstallShield Installation Information 2008-07-29 06:48 --------- d-----w E:\Program Files\XviD 2008-07-29 06:48 --------- d-----w E:\Program Files\Real Alternative 2008-07-14 08:55 107,888 ----a-w E:\WINDOWS\system32\CmdLineExt.dll 2008-07-11 14:56 --------- d-----w E:\Program Files\Gadu-Gadu 2008-07-09 20:37 --------- d-----w E:\Documents and Settings\pav\Dane aplikacji\Nowe Gadu-Gadu 2008-07-01 10:41 43,520 ----a-w E:\WINDOWS\system32\CmdLineExt03.dll 2008-06-29 06:24 --------- d-----w E:\Documents and Settings\pav\Dane aplikacji\Media Player Classic 2008-06-28 03:25 --------- d-----w E:\Program Files\EA GAMES 2008-06-24 17:13 --------- d-----w E:\Documents and Settings\All Users\Dane aplikacji\Lavasoft 2008-06-22 07:45 --------- d-----w E:\Documents and Settings\pav\Dane aplikacji\SmartFTP 2008-06-21 05:49 110,304 ----a-w E:\WINDOWS\system32\drivers\ACEDRV09.sys 2008-06-20 17:42 246,784 ----a-w E:\WINDOWS\system32\mswsock.dll 2008-06-20 10:45 360,320 ----a-w E:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w E:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w E:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-14 18:01 273,024 ------w E:\WINDOWS\system32\drivers\bthport.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“E:\Program Files\Gadu-Gadu\gg.exe” [2008-03-20 12:04 2127296] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“E:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 01:44 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] “msacm.l3codecp”= l3codecp.acm [HKLM~\startupfolder\E:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk] path=E:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk backup=E:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] --a------ 2008-03-20 12:04 2127296 E:\Program Files\Gadu-Gadu\gg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] -ra------ 2005-10-26 17:17 159744 E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel] -ra------ 2006-05-16 12:04 2879488 E:\WINDOWS\SkyTel.exe [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\system32\sessmgr.exe”= “E:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files\Kaspersky Internet Security 7.0.1.321\Polish\setup.exe”= “E:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files\Kaspersky Internet Security 7.0.1.325\Polish\setup.exe”= “E:\Program Files\Gadu-Gadu\gg.exe”= “E:\Program Files\uTorrent\uTorrent.exe”= “E:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files\Kaspersky Internet Security 2009\Polish\setup.exe”= “E:\WINDOWS\system32\dpnsvr.exe”= “C:\Program Files\Railroad Tycoon 3\rt3.exe”= R2 ACEDRV09;ACEDRV09;E:\WINDOWS\system32\drivers\ACEDRV09.sys [2008-06-21 07:49] S2 .EsetTrialReset;Eset Trial Reset;E:\WINDOWS\system32\regedt32.exe [2001-10-26 19:30] *Newly Created Service* - CATCHME . - - - - ORPHANS REMOVED - - - - MSConfigStartUp-WinampAgent - E:\Program Files\Winamp\winampa.exe . ------- Supplementary Scan ------- . FireFox -: Profile - E:\Documents and Settings\pav\Dane aplikacji\Mozilla\Firefox\Profiles\tigot42n.default\ FF -: plugin - E:\Program Files\Adobe\Acrobat 6.0 CE\Reader\browser\nppdf32.dll FF -: plugin - E:\Program Files\Mozilla Firefox\plugins\npOggX.dll FF -: plugin - E:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-10 20:20:59 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-08-10 20:21:35 ComboFix-quarantined-files.txt 2008-08-10 18:21:29 Pre-Run: 82,602,278,912 bajtów wolnych Post-Run: 82,590,384,128 bajtów wolnych 103 — E O F — 2008-07-10 09:44:12 Jeszcze raz powtarzam nie mam możliwości wrzucić logów na jakieś strony. Żadna z nich nie ładuje mi się.

Leon1 · 10 Sierpień 2008 19:19

Wpisy

usuń HijackThisem >> Fix checked

pozostałe dwa które wskazałeś jeżeli nie używasz IE możesz również usunąć

po za tym logi wyglądają na czyste

zrób optymalizacje uruchamiania

http://cybertrash.netarteria.pl/cyber/i … 378.0.html

usuń ręcznie folder C: \Qoobox usuń instalkę Combofix z dysku.

Wyłącz I włącz przywracanie systemu na wszystkich dyskach.http://support.microsoft.com/kb/310405/pl

przeskanuj obszar Mój komputer http://www.kaspersky.pl/virusscanner.html pokaż raport stronę uruchomić przez IE

lub

Dr.WEB CureIt! http://dobreprogramy.pl/index.php?dz=2& … It!+4.44.5

Black_rat · 11 Sierpień 2008 06:40

Które dwa pozostałe, ja zaznaczyłem trzy?

huber2t · 11 Sierpień 2008 07:02

o te:

Przeskanuj antywirusem i daj z niego raport na forum

Black_rat · 11 Sierpień 2008 10:30

ComboFix 08-08-10.02 - pav 2008-08-11 12:18:41.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.657 [GMT 2:00] Running from: E:\Documents and Settings\pav\Pulpit\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED . ((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 ))))))))))))))))))))))))))))))) . 2008-08-11 08:15 . 2008-08-11 08:15 2008-08-10 18:37 . 2008-08-10 18:37 2008-08-09 17:48 . 2008-08-10 11:59 121 --a------ E:\WINDOWS\bdagent.INI 2008-08-09 17:38 . 2008-08-10 11:59 81,984 --a------ E:\WINDOWS\system32\bdod.bin 2008-08-09 12:26 . 2008-08-09 13:47 2008-08-09 12:25 . 2008-08-09 12:30 2008-08-09 12:25 . 2008-08-09 12:25 2008-07-29 08:48 . 2008-07-29 08:48 7,168 --ahs---- E:\WINDOWS\Thumbs.db 2008-07-26 11:28 . 2008-08-10 23:23 2008-07-20 10:15 . 2000-05-22 22:58 608,448 --a------ E:\WINDOWS\system32\comctl32.ocx . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-11 07:04 --------- d-----w E:\Documents and Settings\pav\Dane aplikacji\uTorrent 2008-08-08 06:55 --------- d-----w E:\Program Files\Spybot - Search Destroy 2008-07-30 07:02 --------- d–h--w E:\Program Files\InstallShield Installation Information 2008-07-29 06:48 --------- d-----w E:\Program Files\XviD 2008-07-29 06:48 --------- d-----w E:\Program Files\Real Alternative 2008-07-14 08:55 107,888 ----a-w E:\WINDOWS\system32\CmdLineExt.dll 2008-07-11 14:56 --------- d-----w E:\Program Files\Gadu-Gadu 2008-07-01 10:41 43,520 ----a-w E:\WINDOWS\system32\CmdLineExt03.dll 2008-06-29 06:24 --------- d-----w E:\Documents and Settings\pav\Dane aplikacji\Media Player Classic 2008-06-28 03:25 --------- d-----w E:\Program Files\EA GAMES 2008-06-22 07:45 --------- d-----w E:\Documents and Settings\pav\Dane aplikacji\SmartFTP 2008-06-21 05:49 110,304 ----a-w E:\WINDOWS\system32\drivers\ACEDRV09.sys 2008-06-20 17:42 246,784 ----a-w E:\WINDOWS\system32\mswsock.dll 2008-06-20 10:45 360,320 ----a-w E:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w E:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w E:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-14 18:01 273,024 ------w E:\WINDOWS\system32\drivers\bthport.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“E:\Program Files\Gadu-Gadu\gg.exe” [2008-03-20 12:04 2127296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “avast!”=“E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-07-19 16:38 78008] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“E:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 01:44 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] “msacm.l3codecp”= l3codecp.acm [HKLM~\startupfolder\E:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk] path=E:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk backup=E:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] --a------ 2008-03-20 12:04 2127296 E:\Program Files\Gadu-Gadu\gg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] -ra------ 2005-10-26 17:17 159744 E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel] -ra------ 2006-05-16 12:04 2879488 E:\WINDOWS\SkyTel.exe [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\system32\sessmgr.exe”= “E:\Program Files\Gadu-Gadu\gg.exe”= “E:\Program Files\uTorrent\uTorrent.exe”= “E:\WINDOWS\system32\dpnsvr.exe”= “C:\Program Files\Railroad Tycoon 3\rt3.exe”= R1 aswSP;avast! Self Protection;E:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35] R2 ACEDRV09;ACEDRV09;E:\WINDOWS\system32\drivers\ACEDRV09.sys [2008-06-21 07:49] R2 aswFsBlk;aswFsBlk;E:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37] S2 .EsetTrialReset;Eset Trial Reset;E:\WINDOWS\system32\regedt32.exe [2001-10-26 19:30] *Newly Created Service* - AAVMKER4 *Newly Created Service* - ASWFSBLK *Newly Created Service* - ASWMON2 *Newly Created Service* - ASWRDR *Newly Created Service* - ASWSP *Newly Created Service* - ASWTDI *Newly Created Service* - ASWUPDSV *Newly Created Service* - AVAST!_ANTIVIRUS *Newly Created Service* - AVAST!_MAIL_SCANNER *Newly Created Service* - AVAST!_WEB_SCANNER . . ------- Supplementary Scan ------- . FireFox -: Profile - E:\Documents and Settings\pav\Dane aplikacji\Mozilla\Firefox\Profiles\tigot42n.default\ FF -: plugin - E:\Program Files\Adobe\Acrobat 6.0 CE\Reader\browser\nppdf32.dll FF -: plugin - E:\Program Files\Mozilla Firefox\plugins\npOggX.dll FF -: plugin - E:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-11 12:19:32 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-08-11 12:20:11 ComboFix-quarantined-files.txt 2008-08-11 10:20:04 Pre-Run: 90,275,663,872 bajtów wolnych Post-Run: 90,263,126,016 bajtów wolnych 104 — E O F — 2008-07-10 09:44:12 2008-08-09 17:38 . 2008-08-10 11:59 81,984 --a------ E:\WINDOWS\system32\bdod.bin mam pytanie czy jest to wirus? Bo to znalazł mi ComboFix, a tutaj kazali to usunąć http://forum.dobreprogramy.pl/viewtopic.php?f=16t=179888start=0st=0sk=tsd=a

Black_rat · 11 Sierpień 2008 12:55

SDFix: Version 1.215 Run by Administrator on 2008-08-11 at 13:57 Microsoft Windows XP [Wersja 5.1.2600] Running From: E:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : No Trojan Files Found Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-11 14:02:36 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] “s1”=dword:2df9c43f “s2”=dword:110480d0 “h0”=dword:00000002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] “h0”=dword:00000000 “ujdew”=hex:ac,f3,12,98,81,dc,d9,d8,f7,86,59,5e,bf,4a,10,41,76,1f,1a,09,00,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000001 “khjeh”=hex:99,23,53,3d,f7,7c,82,64,06,36,68,fd,f9,c1,f9,6a,3a,9c,78,aa,92,… “p0”=“E:\Program Files\DAEMON Tools Lite” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,27,62,3d,da,fd,9a,28,59,73,bb,2c,6d,79,d5,35,68,39,… “khjeh”=hex:74,90,d6,9f,23,1d,3d,ed,28,f5,e9,d7,07,36,49,26,8e,e2,3e,49,6c,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:89,ad,0f,f1,93,5c,d4,77,37,36,2b,73,ab,13,cc,da,35,7b,ec,71,4c,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41] “khjeh”=hex:b7,fd,ac,9d,d2,e5,99,d6,f6,6b,91,ec,0f,f1,b2,15,84,9e,f5,df,6f,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] “h0”=dword:00000000 “ujdew”=hex:ac,f3,12,98,81,dc,d9,d8,f7,86,59,5e,bf,4a,10,41,76,1f,1a,09,00,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000001 “khjeh”=hex:99,23,53,3d,f7,7c,82,64,06,36,68,fd,f9,c1,f9,6a,3a,9c,78,aa,92,… “p0”=“E:\Program Files\DAEMON Tools Lite” [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,27,62,3d,da,fd,9a,28,59,73,bb,2c,6d,79,d5,35,68,39,… “khjeh”=hex:74,90,d6,9f,23,1d,3d,ed,28,f5,e9,d7,07,36,49,26,8e,e2,3e,49,6c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:89,ad,0f,f1,93,5c,d4,77,37,36,2b,73,ab,13,cc,da,35,7b,ec,71,4c,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41] “khjeh”=hex:b7,fd,ac,9d,d2,e5,99,d6,f6,6b,91,ec,0f,f1,b2,15,84,9e,f5,df,6f,… scanning hidden registry entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" “E:\Program Files\Gadu-Gadu\gg.exe”=“E:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program główny” “E:\Program Files\uTorrent\uTorrent.exe”=“E:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent” “E:\WINDOWS\system32\dpnsvr.exe”=“E:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server” “C:\Program Files\Railroad Tycoon 3\rt3.exe”=“C:\Program Files\Railroad Tycoon 3\rt3.exe:*:Enabled:Railroad Tycoon 3” [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" Remaining Files : Files with Hidden Attributes : Wed 30 Jul 2008 1,429,840 A.SHR — “E:\Program Files\Spybot - Search & Destroy\SDUpdate.exe” Wed 30 Jul 2008 4,891,984 A.SHR — “E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe” Wed 30 Jul 2008 1,829,712 A.SHR — “E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” Mon 25 Feb 2008 4,348 …SH. — “E:\Documents and Settings\All Users\DRM\DRMv1.bak” Sat 9 Aug 2008 0 A.SH. — “E:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp” Mon 25 Feb 2008 4,348 …H. — “E:\Documents and Settings\pav\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1key.bak” Tue 11 Mar 2008 20 A…H. — “E:\Documents and Settings\pav\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1lic.bak” Mon 25 Feb 2008 9,656 A.SH. — “E:\Documents and Settings\pav\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv2key.bak” Mon 25 Feb 2008 4,348 A…H. — “E:\Documents and Settings\pav\Moje dokumenty\Moje obrazy\Moja muzyka\Kopia zapasowa licencji\drmv1key.bak” Tue 11 Mar 2008 20 A…H. — “E:\Documents and Settings\pav\Moje dokumenty\Moje obrazy\Moja muzyka\Kopia zapasowa licencji\drmv1lic.bak” Mon 25 Feb 2008 9,656 A.SH. — “E:\Documents and Settings\pav\Moje dokumenty\Moje obrazy\Moja muzyka\Kopia zapasowa licencji\drmv2key.bak” Finished!

a tutaj widac cos?

Leon1 · 11 Sierpień 2008 13:05

kiedy wreszcie to zrobisz ?

ile logów i z jakich programów nam jeszcze pokażesz?

[-X

Black_rat · 11 Sierpień 2008 13:23

sorki, Kaspersky nic nie wykazał

Leon1 · 11 Sierpień 2008 13:27

Więc powinno być OK

Black_rat · 11 Sierpień 2008 15:04

Ale nie jest

mam pytanie czy jest to wirus?

Bo to znalazł mi ComboFix, a tutaj kazali to usunąć http://forum.dobreprogramy.pl/viewtopic.php?f=16&t=179888&start=0&st=0&sk=t&sd=a

Jak już wcześniej pytałem, czy jest to wirus?

Leon1 · 11 Sierpień 2008 15:34

sam sobie odpowiedziałeś

przeskanuj ten plik na http://virusscan.jotti.org/