Komp się tnie POMOCY!


(Tomek 19 91) #1

Komputer się zacina, necik wolno chodzi :? i co jakiś czas wyskakuje dziwne okienko :cry: Proszę, sprawdźcie mój log :oops:

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]

"WMI Standard Event Consumer - Scripting" = "C:\WINDOWS\System32\wbem\scrcons32.exe" [null data]

"MyWebSearch Email Plugin" = "C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" [file not found]

"Sdur" = ""C:\DOCUME~1\Leszczyk\DANEAP~1\RACLE~1\arpa.exe" -vt yazb" [null data]

"Lnbq" = ""C:\Documents and Settings\Leszczyk\Moje dokumenty\W*nSxS\r*ndll.exe"" (unwritable string) [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTHelper" = "CTHELPER.EXE" [file not found]

"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]

"Jet Detection" = ""C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"" [empty string]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Nero AG"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]

"AdslTaskBar" = "rundll32.exe stmctrl.dll,TaskBar" [MS]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe" ["France Télécom R&D"]

"WMI Standard Event Consumer - Scripting" = "C:\WINDOWS\System32\wbem\scrcons32.exe" [null data]

"TkBellExe" = ""realsched.exe" -osboot" [file not found]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"My Web Search Bar" = "rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S" [MS]

"Windows Config System" = "config.exe" [file not found]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]


HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)

                                       \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{00A6FAF1-072E-44cf-8957-5838F569A31D}\(Default) = "MyWebSearch Search Assistant BHO"

  -> {HKLM...CLSID} = "MyWebSearch Search Assistant BHO"

                   \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL" ["MyWebSearch.com"]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

{07B18EA1-A523-4961-B6BB-170DE4475CCA}\(Default) = "mwsBar BHO"

  -> {HKLM...CLSID} = "mwsBar BHO"

                   \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" ["MyWebSearch.com"]

{9A27766E-B5DD-B356-89AD-E7ABAE7750EE}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\kwu.dll" [file not found]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"

                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]

{C66AF7F0-2CF6-48cb-9F94-04EC2504B4FC}\(Default) = "XBTP01621"

  -> {HKLM...CLSID} = "XBTP01621 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll" ["IE Toolbar"]

{F6104497-54FD-4688-9162-5115CC8AB0FB}\(Default) = "XBTP01621"

  -> {HKLM...CLSID} = "XBTP01621 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll" ["IE Toolbar"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\NVCPL.DLL" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> wintvf32\DLLName = "wintvf32.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\Leszczyk\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Leszczyk\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\f3PSSavr.scr" ["FunWebProducts.com"]



Startup items in "Leszczyk" & "All Users" startup folders:

----------------------------------------------------------


C:\Documents and Settings\Leszczyk\Menu Start\Programy\Autostart

"neostrada tp" -> shortcut to: "C:\Program Files\neostrada tp\GestMAJ.exe neostradatp.exe" ["France Télécom R&D"]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"BlueSoleil" -> shortcut to: "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" ["IVT Corporation"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 25

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 24

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{B7D3E479-CC68-42B5-A338-938ECE35F419}"

  -> {HKLM...CLSID} = "iMesh MediaBar"

                   \InProcServer32\(Default) = "C:\Program Files\iMesh applications\iMesh MediaBar\MediaBar.dll" ["IE Toolbar"]

"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}"

  -> {HKLM...CLSID} = "BearShare MediaBar"

                   \InProcServer32\(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" ["IE Toolbar"]

"{07B18EA9-A523-4961-B6BB-170DE4475CCA}"

  -> {HKLM...CLSID} = "My Web Search"

                   \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" ["MyWebSearch.com"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{B7D3E479-CC68-42B5-A338-938ECE35F419}" = (no title provided)

  -> {HKLM...CLSID} = "iMesh MediaBar"

                   \InProcServer32\(Default) = "C:\Program Files\iMesh applications\iMesh MediaBar\MediaBar.dll" ["IE Toolbar"]

"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}" = (no title provided)

  -> {HKLM...CLSID} = "BearShare MediaBar"

                   \InProcServer32\(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" ["IE Toolbar"]

"{07B18EA9-A523-4961-B6BB-170DE4475CCA}" = (no title provided)

  -> {HKLM...CLSID} = "My Web Search"

                   \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" ["MyWebSearch.com"]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\(Default) = "My Web Search Quick View"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

  -> {HKLM...CLSID} = "Search Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]

<> "{00A6FAF6-072E-44cf-8957-5838F569A31D}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL" ["MyWebSearch.com"]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]

LightScribeService Direct Disc Labeling Service, LightScribeService, "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" ["Hewlett-Packard Company"]

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



---------- (launch time: 2007-08-21 19:15:29)

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 102 seconds, including 18 seconds for message boxes)

(jessica) #2

Czegoś tu nie rozumiem - dziś założyłeś dwa tematy:

1) http://forum.dobreprogramy.pl/viewtopic.php?p=1214799

2) http://forum.dobreprogramy.pl/viewtopic.php?t=180270

Czy to chodzi o dwa różne komputery?

jessi


(Tomek 19 91) #3

Wiem, ale teraz chodzi o komputer mojej dziewczyny. Bardzo proszę o pomoc – to są 2 różne komputery. Liczę na POMOC, bo to cięcie się kompa jest już bardzo uciążliwe.


(jessica) #4

Aha, o to mi właśnie chodziło, bo widzę różnice w logach. :slight_smile: W tym logu podejrzane są przede wszystkim wpisy bez danych wydawcy lub z ukrytą ścieżką: scrcons32.exe w kluczach Run (podszywa się pod systemowy składnik WMI), arpa.exe i r*ndll.exe w profilu użytkownika oraz wintvf32.dll w Winlogon\Notify (oznaczony przez Silent Runners jako <>) – to one trafiają do skryptu poniżej. Widać też adware MyWebSearch/FunWebProducts (BHO, pasek MWSBAR.DLL, wygaszacz f3PSSavr.scr), które najlepiej odinstalować przez Dodaj/Usuń programy.

Ściągnij ComboFix (na dole tej strony z linku).

Wklej do Notatnika:

File::

C:\WINDOWS\System32\wbem\scrcons32.exe

C:\DOCUME~1\Leszczyk\DANEAP~1\RACLE~1\arpa.exe

C:\Documents and Settings\Leszczyk\Moje dokumenty\W*nSxS\r*ndll.exe

C:\WINDOWS\System32\wintvf32.dll


Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMI Standard Event Consumer - Scripting"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sdur"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Lnbq"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMI Standard Event Consumer - Scripting"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Config System"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices] 

"WMI Standard Event Consumer - Scripting"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices] 

"WMI Standard Event Consumer - Scripting"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run] 

"WMI Standard Event Consumer - Scripting"=-

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\WMI Standard Event Consumer - Scripting]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wintvf32]

>>Plik>>Zapisz jako... >>> CFScript (najwygodniej będzie,

jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

(czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku -->

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie.

Po restarcie usuń ręcznie folder C:\Qoobox.

Potem daj log z ComboFixa.

Log wklej na http://wklej.org/, a w poście daj tylko link.

jessi


(Monczkin) #5

http://forum.dobreprogramy.pl/viewtopic.php?p=980957

Nazwij temat konkretnie.