Hey.
The computer hangs completely, yet the antivirus programs detect nothing...
Btw - I don't have any firewall, and when I disconnect the Internet everything goes back to normal.
Will a firewall help? Which one do you recommend?
Please check the logs. Thanks!
Logfile of HijackThis v1.99.1
Scan saved at 02:15:08, on 2007-05-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Programy\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\taskmgr.exe
E:\Programy\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\CScript.exe
C:\Documents and Settings\Octahedron\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programy\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Programy\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programy\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "E:\Programy\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"AWMON" = ""E:\Programy\Lavasoft\AD-AWA~1\Ad-Watch.exe"" ["Lavasoft Sweden"]
"Gadu-Gadu" = ""E:\Programy\Gadu-Gadu\gg.exe" /tray" ["sms-express.com "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"D-Link AirPlus XtremeG" = "C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" ["D-Link"]
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent" [MS]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
  \StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
     \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "Skladnik rozszerzenia powloki CorelDRAW"
  -> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"
     \InProcServer32\(Default) = "E:\Programy\Corel\DRAW\CDRVIEWER\CrlShell110.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "E:\Programy\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
     \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
     \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
ProtectorPlus2000\(Default) = "{e33318a0-7321-11d6-9c95-0040056df1d1}"
  -> {HKLM...CLSID} = "ProtectorPlus2000"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\_PPCXM_.DLL" ["Proland Software"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
ProtectorPlus2000\(Default) = "{e33318a0-7321-11d6-9c95-0040056df1d1}"
  -> {HKLM...CLSID} = "ProtectorPlus2000"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\_PPCXM_.DLL" ["Proland Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
Disable customizing browser toolbar buttons}
"NoBandCustomize" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
Disable customizing browser toolbars}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Desktop\desktopik.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Octahedron\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Octahedron" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"NaturalColorLoad" -> shortcut to: "C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe" [empty string]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 24
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
  -> {HKLM...CLSID} = "Adobe PDF"
     \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
     \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
     \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\Programy\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
TuneUp Theme Extension, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
GCC USB Port\Driver = "gccumnt.dll" ["PandP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 536 seconds)
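As an added illustration of how a reviewer reads a HijackThis log like the one above (this is example code written for this edit, not part of the thread and not HijackThis code), the script below parses the one-entry-per-line format and attaches the review flags a defender checks first: launch points whose target is missing, commands given without an absolute path (resolved through the search order), targets under user-writable directories, copies of core Windows binary names outside the Windows directories, and ActiveX packages (O16/DPF) fetched from a remote URL. The sample lines are copied from the log above except the last `updater` entry, which is constructed to show what a flagged entry looks like; the rule names, the `SYSTEM_DIRS` and `USER_WRITABLE` lists and the `Entry` structure are assumptions of this example.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Assumptions: input is the plain-text HijackThis v1.99 format shown above, one entry per
line ("O4 - HKLM\..\Run: [name] command"); the rule lists below are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: first eight lines copied from the log above, the last one made up
# for this illustration to show the kind of entry the rules are meant to surface.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
"""


@dataclass
class Entry:
    kind: str                 # HijackThis section code, e.g. "O4", "O23"
    name: str                 # Run value name, BHO/service description, or CLSID
    path: Optional[str]       # file the entry loads or runs, when recognisable
    flags: List[str] = field(default_factory=list)


LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Core Windows binary names (assumed list); copies elsewhere deserve a look.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\application data\\")


def command_path(cmd: str) -> Optional[str]:
    """Executable part of a Run command: a quoted path, or text up to the first switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    return cmd.split(" /", 1)[0] or None


def parse_entry(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":
        m4 = O4_RE.match(body)
        if not m4:                       # e.g. "Global Startup: foo.lnk = ?"
            return Entry(kind, body, None)
        return Entry(kind, m4.group("name"), command_path(m4.group("cmd")))
    # O2/O3/O9/O16/O18/O23: " - "-separated fields, the file or URL comes last
    parts = [p.strip() for p in body.split(" - ")]
    return Entry(kind, parts[0], parts[-1] if len(parts) > 1 else None)


def triage(entry: Entry) -> Entry:
    """Attach review flags to one entry; returns it for chaining."""
    path = entry.path
    if path is None:
        return entry
    if "(file missing)" in path:
        entry.flags.append("target missing: dangling launch point")
        path = entry.path = path.replace("(file missing)", "").strip()
    low = path.lower()
    if entry.kind == "O16" and low.startswith(("http://", "https://")):
        entry.flags.append("ActiveX package (DPF) fetched from a remote URL")
        return entry
    if not re.match(r"^[a-z]:\\", low) and not low.startswith("%"):
        entry.flags.append("relative path: resolved via the search order")
    if any(marker in low for marker in USER_WRITABLE):
        entry.flags.append("runs from a user-writable location")
    directory, _, base = low.rpartition("\\")
    if base.split(" ", 1)[0] in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        entry.flags.append("system binary name outside the Windows directories")
    return entry


def triage_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            entries.append(triage(entry))
    return entries


def report(entries: List[Entry]) -> List[str]:
    """One line per flagged entry, in log order."""
    return [f"{e.kind} [{e.name}] {e.path}: {'; '.join(e.flags)}"
            for e in entries if e.flags]


if __name__ == "__main__":
    for line in report(triage_log(SAMPLE_LOG)):
        print(line)
```

On the sample, only four entries get flags: the bare `CTHELPER.EXE` (no directory, so whatever `CTHELPER.EXE` is found first on the search path runs), the dangling `xpnetdiag.exe` button, the remote `.cab` download, and the constructed `updater` entry. Vendor-signed entries with absolute paths pass without comment, which matches the "both logs clean" verdict given in the reply below; the point of the script is to make that judgement repeatable rather than to replace it.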
adam9870
(adam9870)
14 May 2007 05:24
#2
Both logs are clean.
To rule out any junk, also show a log from ComboFix. To produce its log, run it => press the Y key => wait patiently, and the log should appear as a .txt file named combofix on the C partition.
eeeh... CPU usage is still a constant 100% with the net connected
ComboFix log:
"Octahedron" - 2007-05-14 11:02:46   Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Program Files\Mozilla Firefox"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\vbzip11.dll


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-14 ))))))))))))))))))))))))))))))))))

2007-05-14 10:37
2007-05-14 10:37
2007-05-14 10:29
2007-05-12 13:28     309,616  --a------  C:\WINDOWS\system32\wmv8dmod.dll
2007-05-12 13:28   1,415,680  --a------  C:\WINDOWS\system32\wmv9vcm.dll
2007-05-12 13:15     765,952  --a------  C:\WINDOWS\system32\xvidcore.dll
2007-05-12 13:15     180,224  --a------  C:\WINDOWS\system32\xvidvfw.dll
2007-05-12 13:15
2007-05-12 10:24     208,896  --a------  C:\WINDOWS\system32\NVUNINST.EXE
2007-05-12 10:24     208,896  --a------  C:\WINDOWS\system32\nvudisp.exe
2007-05-12 10:24
2007-05-12 10:10
2007-05-12 00:55
2007-05-11 23:17      40,960  --a------  C:\WINDOWS\system32\SSUBTMR6.DLL
2007-05-11 23:17      10,752  --a------  C:\WINDOWS\system32\aamd532.dll
2007-05-09 22:21
2007-05-09 19:24         194  --a------  C:\WINDOWS\system32\RBDELDRV.BAT
2007-05-07 15:16      29,704  --a------  C:\WINDOWS\system32\uxtuneup.dll
2007-05-07 15:12
2007-05-07 15:12
2007-05-07 15:11
2007-05-07 15:11
2007-05-06 14:31     512,096  --a------  C:\WINDOWS\system32\drivers\amon.sys
2007-05-06 14:31     298,104  --a------  C:\WINDOWS\system32\imon.dll
2007-05-06 14:31      15,424  --a------  C:\WINDOWS\system32\drivers\nod32drv.sys
2007-05-04 09:56      14,848  --a------  C:\WINDOWS\system32\drivers\kbdhid.sys
2007-05-04 09:55      38,016  --a------  C:\WINDOWS\system32\drivers\bthmodem.sys
2007-04-20 21:07
2007-04-20 20:26
2007-04-18 19:59      98,304  --a------  C:\WINDOWS\system32\qttask.exe
2007-04-18 19:22
2007-04-18 19:22
2007-04-18 19:22
2007-04-18 19:21
2007-04-18 19:20
2007-04-18 19:08     221,184  --a------  C:\WINDOWS\system32\wmpns.dll
2007-04-18 18:19
2007-04-18 18:11
2007-04-16 21:36         512  --a------  C:\ScanSectorLog.dat
2007-04-16 20:31       4,212  ---h-----  C:\WINDOWS\system32\zllictbl.dat
2007-04-16 20:31      11,264  --a------  C:\WINDOWS\system32\SpOrder.dll
2007-04-16 20:23
2007-04-16 18:52
2007-04-15 01:11


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-14 09:36:48         24  ----a-w  C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat
2007-05-14 09:36:48         24  ----a-w  C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat
2007-05-13 14:22:53   --------  d--h--w  C:\Program Files\InstallShield Installation Information
2007-05-13 11:51:35   --------  d-----w  C:\DOCUME~1\OCTAHE~1\APPLIC~1\Azureus
2007-05-11 16:10:33   --------  d-----w  C:\Program Files\Common Files\scansoft shared
2007-05-07 14:23:37   --------  d-----w  C:\DOCUME~1\OCTAHE~1\APPLIC~1\Skype
2007-04-14 21:09:27          8  ----a-w  C:\WINDOWS\system32\nvModes.dat
2007-04-11 17:57:33   --------  d-----w  C:\Program Files\Common Files\PC Tools
2007-04-10 11:41:25          2  ----a-w  C:\autoexec.bat
2007-04-10 11:26:17   --------  d-----w  C:\Program Files\SkanerOnline
2007-04-10 02:22:05   --------  d-----w  C:\DOCUME~1\OCTAHE~1\APPLIC~1\iolo
2007-04-10 02:01:25     45,056  ----a-w  C:\WINDOWS\system32\_PPCXM_.DLL
2007-04-10 02:01:14     29,608  ----a-w  C:\WINDOWS\_SETUPD_.EXE
2007-04-09 14:09:52   --------  d-----w  C:\Program Files\Microsoft Works
2007-04-09 13:52:22   --------  d-----w  C:\Program Files\iolo
2007-04-05 08:40:52   --------  d-----w  C:\DOCUME~1\OCTAHE~1\APPLIC~1\ABBYY
2007-03-27 11:32:40   --------  d-----w  C:\Program Files\Xerox One Touch
2007-03-27 11:14:36   --------  d-----w  C:\Program Files\Apple Software Update
2007-03-27 11:06:13    270,336  ----a-w  C:\WINDOWS\IHelper.exe
2007-03-26 21:34:40      1,338  ----a-w  C:\WINDOWS\mozver.dat
2007-03-26 21:34:23   --------  d-----w  C:\DOCUME~1\OCTAHE~1\APPLIC~1\Real
2007-03-26 21:22:01   --------  d-----w  C:\Program Files\Common Files\xing shared
2007-03-26 21:21:38   --------  d-----w  C:\Program Files\Common Files\Real
2007-03-26 21:19:52   --------  d-----w  C:\Program Files\Real
2007-03-22 13:21:12   --------  d-----w  C:\Program Files\SEC
2007-03-20 22:16:44   --------  d-----w  C:\DOCUME~1\OCTAHE~1\APPLIC~1\Babylon
2007-03-16 22:01:59   --------  d-----w  C:\Program Files\Trust
2007-03-15 21:37:21        247  ----a-w  C:\file.bat
2007-03-14 08:40:24        664  ----a-w  C:\WINDOWS\system32\d3d9caps.dat
2007-02-12 02:34:26     43,520  ----a-w  C:\WINDOWS\system32\CmdLineExt03.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=E:\Programy\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 01:47]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{AE7CD045-E861-484f-8273-0445EE161910}=E:\Programy\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 02:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe"
"WINDVDPatch"="CTHELPER.EXE"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent"
"nod32kui"=""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit"
"COMODO Firewall Pro"=""C:\Program Files\Comodo\Firewall\CPF.exe" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 15:25]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 18:56 C:\WINDOWS\system32\CTHELPER.EXE])
"Cmaudio"="cmicnfg.cpl" [])
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl])
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-05-06 14:29]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe])
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 21:43]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-05-14 10:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"AWMON"="E:\Programy\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 13:12]
"Gadu-Gadu"="E:\Programy\Gadu-Gadu\gg.exe" [2007-01-27 15:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"AWMON"=""E:\Programy\Lavasoft\AD-AWA~1\Ad-Watch.exe""
"Gadu-Gadu"=""E:\Programy\Gadu-Gadu\gg.exe" /tray"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=dword:00000000
"NoBandCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages  msv1_0\0\0
Security Packages  kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages  scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe"
"QuickTime Task"=""C:\WINDOWS\system32\qttask.exe" -atboottime"
"RegisterDropHandler"="e:\programy\TEXTBR~1.0\Bin\REGIST~1.EXE"
"OneTouch Monitor"=""C:\Program Files\Xerox One Touch\OneTouchMon.exe""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"RegisterDropHandler"="e:\programy\TEXTBR~1.0\Bin\REGIST~1.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter  HTTPFilter\0\0
LocalService  Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService  DnsCache\0\0
DcomLaunch  DcomLaunch\0TermService\0\0
rpcss  RpcSs\0\0
imgsvc  StiSvc\0\0
termsvcs  TermService\0\0
bthsvcs  BthServ\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
UxTuneUp

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_CMDAGENT
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_CMDMON
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_INSPECT

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-14 11:05:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 2007-05-14 11:05:36
C:\ComboFix-quarantined-files.txt ... 2007-05-14 11:05
Gutek
(Gutek)
14 May 2007 13:37
#4
Use Pocket Killbox. Tick the Delete on Reboot and All Files options and paste these paths into the Full Path of File to Delete field
C:\WINDOWS\system32\RBDELDRV.BAT
C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat
C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80651102}.dat
C:\WINDOWS\tasks\1-Click Maintenance.job and press the red X. The program will ask to restart the computer... so you restart.
I deleted everything you suggested with Pocket Killbox; unfortunately the result is NO CHANGE.
The computer still crawls and the CPU is being used at 100 percent
I now have a firewall too - Comodo, but the problem hasn't gone away...
When I unplug the Internet, CPU load drops to about 18% and everything runs lightning fast. I'm connected to the network wirelessly. Could that matter?
Please help and give further advice! Thanks!
Gutek
(Gutek)
14 May 2007 17:31
#6
Start >>> Run >>> msconfig >>> in the Startup tab disable those entries.
Control Panel >>> Regional Settings >>> Languages >>> Details >>> Advanced >>> untick text services; do this if you don't use other languages when typing.
XP optimisation: http://forum.dobreprogramy.pl/viewtopic.php?t=76580
I regret to say that even after the last operations recommended by Gutek2222 it is still bad, not to say worse...
This is some kind of paranoia, my dears...
Is there really nothing else to do but reinstall the system, which I would so much like to avoid?
Besides, since I don't know the cause of the problem, I don't know how to protect myself against it happening again!
So what now? Is there still any hope? After all, when I'm not connected to the net, the condition is more than satisfactory...
Please help!
Gutek
(Gutek)
14 May 2007 22:34
#8
I understand there's no other way, right?? :-o Damn, are you sure?
Can you nonetheless determine what is causing this behaviour of the computer and HOW to guard against this kind of trouble again??
And will I keep ALL the settings and properly working programs after this kind of reinstall?
What steps should I take to secure the computer right after installing the system?
M_i_r
(Mirfi2)
15 May 2007 12:23
#10
thanks M_i_r!
I fixed it, but it's still the same
the thing is that no particular process is loading my CPU; the usage is spread across whichever processes are active at the moment. if I kill one process, another jumps in and in total I again have 100% CPU load...
I use the network card
D-Link AirPlus DWL-G520 Wireless PCI Adapter (rev. B)
could the strength of the signal that reaches the computer from my Livebox have anything to do with the problem?
I don't understand anything anymore... is there still a chance of an accurate diagnosis?
I'm still counting on you!
M_i_r
(Mirfi2)
18 May 2007 09:03
#12
Check that the file ANIWZCSdS.exe is correct here - it should be 49152 bytes
http://www.liutilities.com/products/win … aniwzcsds/
I suggest replacing Acrobat 6.0 - it has bugs in its code that were removed in version 8.0 - with
http://dobreprogramy.com/index.php?dz=2&id=1332&t=33