Komputer zamulony i częste zrzuty pamięci

ynca · 30 Maj 2007 09:10

Witam serdecznie,

oto objawy:

komputer może pracować tylko w trybie awaryjnym; w trybie normalnym – jest baaaardzo wolny i często zdarzają się zrzuty pamięci;
w trybie normalnym Internet Explorer wariuje – wpisuję adres jakiejś strony, a wyskakuje inna;
przy podłączeniu do sieci w ciągu kilku minut otrzymuję komunikat o zapełnieniu dysku systemowego – sprawdziłam: w Windows\Temp pojawia się 70 tys. plików .tmp, które zajmują ok. 1GB;
skanowałam komputer różnymi programami i i każdy z nich coś znajdował – nie uzdrawiało to jednak „masziny”;
no i ten paskudny f-secure, który, pomimo odinstalowania i usunięciu z rejestru RegCleanerem, w trybie normalnym ładuje swoje komponenty przez parę minut, uniemożliwiając wykonanie jakiejkolwiek operacji.

To chyba tyle. Z góry dziękuję za pomoc

Logfile of HijackThis v1.99.1 Scan saved at 10:54:29, on 2007-05-30 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE D:\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {1E09FC1E-5AA1-4D91-A6F5-6469DA3D0091} - C:\WINDOWS\system32\pjaj.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM…\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM…\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” O4 - HKLM…\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe O4 - HKLM…\Run: [COMODO Firewall Pro] “E:\Comodo\Firewall\CPF.exe” /background O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [AVKTray] “C:\Program Files\G DATA\AntiVirus 2007\AVKTray\AVKTray.exe” O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKCU…\Run: [service Pack 1] C:\WINDOWS\system32\vexg6ame4.exe O4 - Startup: PowerReg Scheduler.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Download with Rapget - E:\rapget132\rapget.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Pobierz za pomocą Mega Manager… - C:\Program Files\Megaupload\Mega Manager\mm_file.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://arcaonline.arcabit.com O15 - Trusted Zone: http://mks.com.pl O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.113.236.251/activex/AxisCamControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697517} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_aac.cab O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Spik\url_wpmsg.dll O18 - Filter: text/html - {8C553B18-4B14-44C8-858F-6B039FA0D409} - C:\WINDOWS\system32\pjaj.dll O18 - Filter: text/plain - {8C553B18-4B14-44C8-858F-6B039FA0D409} - C:\WINDOWS\system32\pjaj.dll O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: AVKProxy - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe O23 - Service: AVK Service (AVKService) - G DATA Software AG - C:\Program Files\G DATA\AntiVirus 2007\AVK\AVKService.exe O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\G DATA\AntiVirus 2007\AVK\AVKWCtl.exe O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - E:\fsecure\backweb\4476822\Program\SERVIC~1.EXE O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - E:\Comodo\Firewall\cmdagent.exe O23 - Service: fsbwsys - F-Secure Corp. - E:\fsecure\backweb\4476822\program\fsbwsys.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Gutek · 30 Maj 2007 18:13

Użyj VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

Daj log z Combofix

OT-y KOSZ

ynca · 1 Czerwiec 2007 04:31

Witam ponownie,

po wielu problemach z Combofixem wreszcie się udało.

Wskazane przez Ciebie programy znalazły miłego Vundo. Dysk systemowy już się nie zapycha, nadal jednak wariuje IE.

Za dotychczasową pomoc wdzięcznam jest niesłychanie.

A oto i log:

“ynca” - 2007-06-01 6:12:36 Dodatek Service Pack 2 ComboFix 07-05.27.BV - Running from: “C:\Documents and Settings\ynca\Pulpit” (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) “C:\DOCUME~1\ynca\DANEAP~1\Install.dat” “C:\DOCUME~1\ynca\Pulpit\internet.lnk” ((((((((((((((((((((((((((((((( Files Created from 2007-05-01 to 2007-06-01 )))))))))))))))))))))))))))))))))) 2007-05-30 20:29 2007-05-30 15:19 552 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-05-21 11:06 2007-05-18 11:46 2007-05-18 11:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll 2007-05-18 11:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll 2007-05-16 18:51 34,143 --a------ C:\WINDOWS\system32\drivers\MiniIcpt.sys 2007-05-16 18:51 29,730 --a------ C:\WINDOWS\system32\drivers\HookCentre.sys 2007-05-16 18:51 28,307 --a------ C:\WINDOWS\system32\drivers\GDTdiIcpt.sys 2007-05-16 18:51 2007-05-16 18:49 2007-05-16 18:48 2007-05-16 18:48 2007-05-16 11:09 2007-05-16 11:09 2007-05-15 00:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys 2007-05-14 22:37 2007-05-14 22:37 2007-05-14 16:12 2007-05-13 17:07 2007-05-13 15:42 2007-05-13 11:52 2007-05-13 00:34 2007-05-12 02:06 2007-05-09 20:01 2007-05-09 02:50 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-18 10:00:22 382,894 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-05-18 10:00:21 64,638 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-05-18 09:38:32 23,072 -c–a-w C:\WINDOWS\system32\emptyregdb.dat 2007-05-16 18:07:34 -------- d-sh–r C:\Program Files\PSCS 2007-05-16 16:50:03 -------- d-----w C:\Program Files\Common Files\InstallShield 2007-05-16 16:48:10 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-05-14 14:24:26 -------- d-----w C:\Program Files\Gadu-Gadu 2007-05-13 13:42:59 -------- d-----w C:\Program Files\Usługi online 2007-05-12 22:48:14 -------- d-----w C:\Program Files\Flower Shop Big City Break 2007-05-12 22:46:59 -------- d-----w C:\Program Files\MarBit 2007-05-07 18:17:30 -------- d-----w C:\Program Files\Spik 2007-05-07 00:50:24 -------- d-----w C:\Program Files\Spyware Doctor 2007-04-30 01:22:41 -------- d-----w C:\Program Files\FlashGet 2007-04-29 23:26:49 -------- d-----w C:\DOCUME~1\ynca\DANEAP~1\Megaupload 2007-04-29 22:43:30 -------- d-----w C:\DOCUME~1\ynca\DANEAP~1\FlashGet 2007-04-14 19:23:47 -------- d-----w C:\Program Files\MediaInfo 2007-04-14 19:20:43 -------- d-----w C:\Program Files\CyberLink DVD Solution 2007-04-02 22:52:24 -------- d-----w C:\Program Files\Fairy Godmother Tycoon 2007-04-01 15:36:54 -------- d-----w C:\DOCUME~1\ynca\DANEAP~1\Chicken Chase 2007-04-01 15:35:50 -------- d-----w C:\Program Files\Chicken Chase 2007-04-01 15:35:18 -------- d-----w C:\Program Files\BFG 2007-03-05 16:13:45 21,112 ----a-w C:\DOCUME~1\ynca\DANEAP~1\GDIPFONTCACHEV1.DAT (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 12:02] {1E09FC1E-5AA1-4D91-A6F5-6469DA3D0091}=C:\WINDOWS\system32\pjaj.dll [] {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 13:22] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “HPHUPD05”=“C:\Program Files\Hewlett-Packard{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe” [2003-05-23 05:03] “HP Component Manager”=“C:\Program Files\HP\hpcoretech\hpcmpmgr.exe” [2003-04-08 12:45] “HP Software Update”=“C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe” [2005-02-16 23:11] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [2005-11-10 13:03] “YeppStudioAgent”=“C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe” [2005-09-12 14:21] “COMODO Firewall Pro”=“E:\Comodo\Firewall\CPF.exe” [2007-05-16 10:59] “AVKTray”=“C:\Program Files\G DATA\AntiVirus 2007\AVKTray\AVKTray.exe” [2006-11-02 14:59] “SoundMan”=“SOUNDMAN.EXE” [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Service Pack 1”=“C:\WINDOWS\system32\vexg6ame4.exe” [] [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “Spyware Doctor”= [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run] “Drivers_XP”=C:\Program Files\Gadu-Gadu\ll.exe [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MkS_Scan] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MkS_Scan\Service] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* Contents of the ‘Scheduled Tasks’ folder 2007-04-23 22:30:00 C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7600#MY37G212S2D4.job 2007-06-01 02:30:00 C:\WINDOWS\tasks\HP Usg Daily.job 2007-05-31 22:12:53 C:\WINDOWS\tasks\Scheduled scanning task.job ******************************************************************** catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-01 06:15:51 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2007-06-01 6:17:48 C:\ComboFix-quarantined-files.txt … 2007-06-01 06:17

Gutek · 1 Czerwiec 2007 04:58

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

możesz rejestr przelecieć albo

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509