niesuszek
18 January 2009 18:54
#1
Hello. As the subject says, my problem is that I don't know whether I can delete these files. And if not all of them, then at least which ones?
Please help. Regards.
Kamil321
18 January 2009 18:59
#2
Try moving all of them (except the ntuser files, because those are important) to some folder, and if there are no problems, delete it… You have quite a lot there, and it doesn't look good; best post the logs from HT and CF.
And when you delete them, do it in safe mode, because it's not always possible to delete them right away.
Cyba91
18 January 2009 19:37
#4
Leave NTUSER.DAT and the system files; the rest, as far as I can tell, can be deleted.
niesuszek
18 January 2009 19:49
#5
CF log:
ComboFix 09-01-17.04 - Niesuch 2009-01-18 20:32:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.1023.653 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Niesuch\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090117-0] *On-access scanning disabled* (Outdated)
 * Utworzono nowy punkt przywracania
.
(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Niesuch\Dane aplikacji\BITS
c:\documents and settings\Niesuch\Dane aplikacji\BITS\BITS.ini
c:\documents and settings\Niesuch\Dane aplikacji\BITS\DHTTable.dat
c:\documents and settings\Niesuch\Dane aplikacji\BITS\ProxyList.ini
c:\documents and settings\Niesuch\Dane aplikacji\BITS\Torrent\20081126132744.torrent.hybridlist
c:\program files\FlashGet Network
c:\program files\FlashGet Network\FlashGet universal\p2spmgr.ini
.
(((((((((((((((((((((((((   Pliki utworzone od 2008-12-18 do 2009-01-18   )))))))))))))))))))))))))))))))
.
2009-01-16 15:48 . 2009-01-16 15:48
2009-01-10 01:19 . 2009-01-10 01:19
2009-01-07 17:29 . 2009-01-18 20:34
2009-01-07 17:29 . 2008-09-17 17:13
2009-01-07 17:29 . 2008-09-17 15:20
2009-01-07 17:29 . 2008-09-17 17:13
2009-01-07 17:29 . 2008-09-17 17:13
2009-01-07 17:29 . 2008-09-17 17:13
2009-01-07 17:29 . 2008-09-17 17:13
2009-01-07 17:29 . 2009-01-07 17:29
2008-12-30 20:39 . 2008-12-30 20:39
2008-12-26 18:17 . 2008-12-26 18:24
2008-12-24 10:58 . 2008-12-24 10:58
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 19:26 --------- d-----w c:\documents and settings\Niesuch\Dane aplikacji\foobar2000
2009-01-17 13:50 --------- d-----w c:\documents and settings\Niesuch\Dane aplikacji\Tlen.pl
2009-01-17 12:26 --------- d-----w c:\documents and settings\Niesuch\Dane aplikacji\Skype
2009-01-15 22:23 --------- d-----w c:\documents and settings\Niesuch\Dane aplikacji\Hamachi
2009-01-08 13:23 --------- d-----w c:\documents and settings\Niesuch\Dane aplikacji\uTorrent
2008-12-23 15:41 --------- d-----w c:\documents and settings\Niesuch\Dane aplikacji\OpenOffice.org2
2008-12-10 17:31 --------- d-----w c:\documents and settings\Niesuch\Dane aplikacji\Thunderbird
2008-12-08 22:23 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Installations
2008-12-08 16:02 --------- d-----w c:\program files\Common Files\DirectX
2008-12-08 14:27 611,064 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-07 13:23 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-11-25 21:45 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Last.fm
2008-11-23 10:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-22 16:35 92,064 ----a-w c:\documents and settings\Niesuch\mqdmmdm.sys
2008-11-22 16:35 9,232 ----a-w c:\documents and settings\Niesuch\mqdmmdfl.sys
2008-11-22 16:35 79,328 ----a-w c:\documents and settings\Niesuch\mqdmserd.sys
2008-11-22 16:35 66,656 ----a-w c:\documents and settings\Niesuch\mqdmbus.sys
2008-11-22 16:35 6,208 ----a-w c:\documents and settings\Niesuch\mqdmcmnt.sys
2008-11-22 16:35 5,936 ----a-w c:\documents and settings\Niesuch\mqdmwhnt.sys
2008-11-22 16:35 4,048 ----a-w c:\documents and settings\Niesuch\mqdmcr.sys
2008-11-22 16:35 25,600 ----a-w c:\documents and settings\Niesuch\usbsermptxp.sys
2008-11-22 16:35 22,768 ----a-w c:\documents and settings\Niesuch\usbsermpt.sys
2008-11-19 16:25 --------- d-----w c:\program files\Reference Assemblies
2008-11-19 16:25 --------- d-----w c:\program files\MSBuild
2008-10-27 09:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 09:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 09:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 09:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-24 15:36 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-07-25 08:31 28,672 ----a-w c:\program files\mozilla firefox\components\flashgetXpi.dll
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"snpstd"="c:\windows\vsnpstd.exe" [2004-06-10 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\Niesuch\Menu Start\Programy\Autostart\
Kalendarz.lnk - d:\program files\Kalendarz XP\Kalendarz.exe [2008-06-05 882176]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-09-17 805392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.VP40"= vp4vfw.dll
"VIDC.MSUD"= msulvc05.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
--------- 2005-07-03 08:20 372736 c:\windows\Samsung\ComSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]
--a------ 2004-06-10 12:48 286720 c:\windows\vsnpstd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 11:17 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"d:\Program Files\Valve\hl.exe"=
"d:\Program Files\uTorrent\uTorrent.exe"=
"d:\Program Files\bearshare\BearShare.exe"=
"d:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4434:TCP"= 4434:TCP:nVision Agent Data Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-09-17 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-09-17 20560]
S3 CSIRQTQL;CSIRQTQL;c:\docume~1\Niesuch\USTAWI~1\Temp\CSIRQTQL.exe --> c:\docume~1\Niesuch\USTAWI~1\Temp\CSIRQTQL.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a520c39-cf8a-11dd-a2c5-0019666e6d65}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SanDisk-Games.exe
.
- - - - USUNIĘTO PUSTE WPISY - - - -

MSConfigStartUp-Cmaudio - cmicnfg.cpl
.
------- Skan uzupełniający -------
.
IE: &Download All by FlashGet - d:\program files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
IE: &Download by FlashGet - d:\program files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
IE: &Pobierz wszystko przez FlashGet - d:\program files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
IE: &Pobrane przez FlashGet - d:\program files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
TCP: {BDE7743A-2A1B-4AC2-A482-F6BB67A9BAFB} = 194.204.152.34,194.204.159.1
FF - ProfilePath - c:\documents and settings\Niesuch\Dane aplikacji\Mozilla\Firefox\Profiles\ihyt2vp7.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.pl/
FF - component: c:\program files\Mozilla Firefox\components\flashgetXpi.dll
FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\Real Alternative\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 20:34:28
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet011\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Xanthic\{001706C5-92AF-BAD2-5C4C-4F4DC4DEC48D}*_]
"fr"="078E724F435A46"
"lr"="078E724F435A46"
DUMPHIVE0.003 (REGF)
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Czas ukończenia: 2009-01-18 20:36:32
ComboFix-quarantined-files.txt 2009-01-18 19:36:28

Przed: 4 649 848 832 bajtów wolnych
Po: 4,641,996,800 bajtów wolnych

WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /numproc=1
HT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:07:34, on 2009-01-18
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Kalendarz XP\Kalendarz.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\Program Files\foobar2000\foobar2000.exe
D:\Program Files\Tlen.pl\tlen.exe
D:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
d:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - d:\Program Files\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Kalendarz.lnk = D:\Program Files\Kalendarz XP\Kalendarz.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All by FlashGet - D:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
O8 - Extra context menu item: &Download by FlashGet - D:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
O8 - Extra context menu item: &Pobierz wszystko przez FlashGet - D:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
O8 - Extra context menu item: &Pobrane przez FlashGet - D:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDE7743A-2A1B-4AC2-A482-F6BB67A9BAFB}: NameServer = 194.204.152.34,194.204.159.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CSIRQTQL - Unknown owner - C:\DOCUME~1\Niesuch\USTAWI~1\Temp\CSIRQTQL.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (file missing)

--
End of file - 6430 bytes
-- Added 18.01.2009 (Sun) 23:18 --
I deleted everything except the hidden files and it's okay.
Thanks for the help.
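As an added example (my own code, not something posted in this thread), here is a small Python triage of the service entries that appear in HijackThis O23 lines and ComboFix R/S service lines like the ones above. It flags a service whose binary sits under a Temp directory, carries a .tmp extension, or could not be found on disk; the sample lines are constructed after the entries in the logs, and the heuristic names are mine.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis (O23) and ComboFix (R/S service) format, modelled on the thread's entries.
SAMPLE_LOG = r"""
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CSIRQTQL - Unknown owner - C:\DOCUME~1\Niesuch\USTAWI~1\Temp\CSIRQTQL.exe (file missing)
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-09-17 111184]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
"""

TEMP_DIRS = {"temp", "tmp"}  # path components that mark a temp location
CF_SERVICE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")  # "S3 name;display;path [info]"

def parse_entry(line):
    """(name, owner, path, unverified) for one O23 or ComboFix service line, else None."""
    line = line.strip()
    if line.startswith("O23 - Service: "):
        body = line[len("O23 - Service: "):]
        missing = body.endswith(" (file missing)")
        if missing:
            body = body[:-len(" (file missing)")]
        parts = body.rsplit(" - ", 2)  # rsplit: a service name may itself contain " - "
        return (*parts, missing) if len(parts) == 3 else None
    m = CF_SERVICE.match(line)
    if not m:
        return None
    name, _display, rest = m.groups()
    unverified = rest.endswith("[?]")  # "[?]" means ComboFix could not stat the file
    path = re.sub(r"\s*\[[^\]]*\]$", "", rest).split(" --> ")[0]
    return name, "", path.removeprefix("\\??\\"), unverified  # drop NT object-manager prefix

def reasons_for(name, owner, path, unverified):
    """Heuristic indicators for one entry; an empty list means nothing stood out."""
    p = PureWindowsPath(path)
    reasons = []
    if TEMP_DIRS & {part.lower() for part in p.parts}:
        reasons.append("runs from a temp directory")
    if p.suffix.lower() == ".tmp":
        reasons.append("binary has a .tmp extension")
    if unverified:
        reasons.append("file missing or not verifiable on disk")
    if owner.lower() == "unknown owner":
        reasons.append("no vendor information")  # weak alone: many legitimate services lack it
    return reasons

def triage(log_text):
    """Map service name -> reasons for every parsed entry with at least one reason."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and (reasons := reasons_for(*entry)):
            findings[entry[0]] = reasons
    return findings
```

Run `triage(SAMPLE_LOG)` on the constructed sample and only CSIRQTQL, MEMSWEEP2 and ATI Smart come back, with CSIRQTQL carrying the most reasons; the output is a prioritised list for a human to check, not a verdict.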