Komputer zamulony


(Banan663) #1

Bardzo wolno się ładuje system w ogóle nie można korzystać z internetu

Logfile of HijackThis v1.99.1

Scan saved at 11:25:28, on 2007-02-09

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\TEMP\svchost.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\nvraidservice.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\system32\kernels88.exe

C:\WINDOWS\system32\lnwin.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\taskdir.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Documents and Settings\Michał\Pulpit\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe

O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe

O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe

O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe

O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\DOCUME~1\MICHA~1\USTAWI~1\Temp\52.tmp

O4 - HKLM\..\Run: [upp] c:\windows\system32\upnp.exe

O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe

O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm102YYPL

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{AF33E9C1-4C4C-4CBB-9277-15BC70373B24}: NameServer = 62.148.87.180,213.17.145.2

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: ksapgh - C:\WINDOWS\SYSTEM32\ksapgh.dll

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O21 - SSODL: CDRecorder030 - {A3BC5E20-0235-1ABF-9CE1-00AA00512030} - C:\WINDOWS\system32\xngl32.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

(adam9870) #2

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINDOWS\TEMP\svchost.exe

C:\WINDOWS\system32\kernels88.exe

C:\WINDOWS\system32\lnwin.exe

C:\WINDOWS\system32\taskdir.exe

C:\WINDOWS\system32\spoolsvv.exe

C:\DOCUME~1\MICHA~1\USTAWI~1\Temp\52.tmp

c:\windows\system32\upnp.exe

C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll

C:\WINDOWS\system32\xngl32.dll

po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.

Przeskanuj plik:

Na stronie http://www.virustotal.com/ lub http://virusscan.jotti.org/, a jeśli okaże się szkodliwy - ścieżkę do niego również wklej do killboxa.

Będąc w trybie awaryjnym usuń z dysku ręcznie folder C:\Program Files**** MyWebSearch

Użyj narzędzia WinsockFix + SmitFraudFix z opcji numer 2 w trybie awaryjnym.

Usuń wpisy HJT.

Użyj progrmu ATF Cleaner i przeczyść Current User Temp oraz All Users Temp.

Po wykonaniu pokaż nowy log z HijackThis, SilentRunners oraz zawartość pliku c:\rapport.txt


(Banan663) #3

dienki :lol: :slight_smile: :smiley: :mrgreen:


(adam9870) #4

Ponawiam prośbę.