Hello, I have a problem with my Windows XP Professional computer running slowly. I have tried many methods and programs, and they are not particularly effective. I want to avoid reinstalling the system, and I have had it for over 5 years now :-D. I have avast antivirus and Spybot. Please analyse my HijackThis and ComboFix logs.
Thanks in advance for the reply.
ComboFix 09-10-30.01 - Administrator 2009-10-31 8:50.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.767.504 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Administrator\Moje dokumenty\Pobieranie\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 091030-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *disabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Moje dokumenty\cc_20080224_2027.reg
c:\program files\Need2Find
c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR
c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR
c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
c:\recycler\NPROTECT
c:\recycler\NPROTECT\00460804.
c:\recycler\NPROTECT\00575199.
c:\recycler\S-1-5-21-484763869-746137067-1343024091-1003
c:\windows\Fonts\acrsec.fon
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\smdat32m.sys
c:\windows\system32\open.ico
c:\windows\System32\SYSTem~1.dll
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Legacy_WKSPATCH
-------\Service_WksPatch
((((((((((((((((((((((((( Pliki utworzone od 2009-09-28 do 2009-10-31 )))))))))))))))))))))))))))))))
.
2009-10-27 21:16 . 2009-10-27 21:16 -------- d-----w- c:\windows\system32\wbem\Repository
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 20:23 . 2007-12-15 15:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-30 19:58 . 2007-12-15 15:38 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2009-10-30 16:13 . 2004-08-08 14:24 -------- d-----w- c:\program files\NiemPol
2009-10-30 04:50 . 2006-04-13 20:50 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Tlen.pl
2009-10-25 06:33 . 2003-04-16 12:00 68554 ----a-w- c:\windows\system32\perfc015.dat
2009-10-25 06:33 . 2003-04-16 12:00 439538 ----a-w- c:\windows\system32\perfh015.dat
2009-10-21 16:58 . 2004-04-24 12:06 -------- d-----w- c:\program files\Gadu-Gadu
2009-10-15 21:11 . 2004-05-28 18:25 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Skype
2009-09-14 22:32 . 2004-07-27 20:49 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Kamerzysta
2009-08-09 00:00 . 2003-04-16 12:00 24064 ----a-w- c:\windows\system32\ctfmon.exe
2009-08-02 21:49 . 2009-08-02 21:49 0 ----a-w- c:\program files\Faktura VAT II AW.xls
2009-05-21 17:14 . 2009-05-21 17:14 6255736 ----a-w- c:\program files\tleninst60377.exe
2009-05-15 09:26 . 2009-05-15 09:26 34238 ----a-w- c:\program files\mapi32.zip
2008-11-28 15:45 . 2008-11-28 15:45 6308752 ----a-w- c:\program files\tleninst60372.exe
2008-11-13 16:16 . 2008-11-13 16:16 209537 ----a-w- c:\program files\00007.doc
2008-11-13 16:14 . 2008-11-13 16:14 642 ----a-w- c:\program files\Be00006.doc
2008-11-13 16:11 . 2008-11-13 16:11 533696 ----a-w- c:\program files\k4.rtf
2008-11-13 16:11 . 2008-11-13 16:11 248794 ----a-w- c:\program files\BearPa00005.doc
2008-11-13 16:09 . 2008-11-13 16:09 8164 ----a-w- c:\program files\BearPaw 00004.doc
2008-11-13 16:08 . 2008-11-13 16:08 9589 ----a-w- c:\program files\BearPaw 1200003.doc
2008-11-13 16:05 . 2008-11-13 16:05 736368 ----a-w- c:\program files\BearPaw 1200CU00002.doc
2008-11-13 16:03 . 2008-11-13 16:03 48592 ----a-w- c:\program files\BearPaw 1200CU P00001.doc
2007-12-25 01:08 . 2004-09-03 17:50 133 ----a-w- c:\program files\bk.rar
2007-11-17 18:27 . 2007-11-17 18:27 162 ---ha-w- c:\program files\~$X PC Read Me.doc
2006-12-25 14:36 . 2006-12-25 14:35 36808256 ----a-w- c:\program files\iTunesSetup.exe
2006-04-12 16:19 . 2006-04-12 16:19 960 ----a-w- c:\program files\energysmoothjazz128k.asx
2006-03-17 20:54 . 2006-03-17 20:53 12619653 ----a-w- c:\program files\faktura_s.exe
2006-02-05 11:05 . 2006-02-05 11:05 389 -c--a-w- c:\program files\program3.asx
2005-12-12 12:16 . 2005-12-12 12:10 12754672 ----a-w- c:\program files\MP10Setup.exe
2005-08-13 11:04 . 2005-08-13 11:04 968521 ----a-w- c:\program files\CRW_PS.rar
2004-12-04 11:05 . 2004-12-04 11:04 314 -c--a-w- c:\program files\Data.ini
2004-12-04 11:04 . 2004-12-04 11:04 18 -c--a-w- c:\program files\App.ini
2004-11-26 20:08 . 2004-11-26 20:07 1548182 ----a-w- c:\program files\tleninst52321.exe
2004-08-18 09:52 . 2004-08-18 09:52 1145270 ----a-w- c:\program files\ngwp70.zip
2004-08-09 08:56 . 2004-08-09 08:56 1082701 ----a-w- c:\program files\mtranse.exe
2004-08-08 14:23 . 2004-08-08 14:23 923117 ----a-w- c:\program files\slownik.zip
2004-08-07 08:03 . 2004-08-07 07:58 4562528 ----a-w- c:\program files\winamp504_full.exe
2004-08-02 21:42 . 2004-08-02 21:24 9172856 ----a-w- c:\program files\SkypeSetup.exe
2004-06-21 06:56 . 2004-06-21 06:56 1535488 ----a-w- c:\program files\eskimosr2.exe
2004-06-19 06:42 . 2004-06-19 06:37 4806997 ----a-w- c:\program files\Shockwave_Installer_Full.exe
2004-05-28 18:20 . 2004-05-28 18:20 8005960 ----a-w- c:\program files\SkypeSetup-Beta.exe
2004-05-22 20:21 . 2004-05-22 20:21 11978792 ----a-w- c:\program files\AdbeRdr60_pol.exe
2004-05-09 14:52 . 2004-05-09 14:52 14247 ----a-w- c:\program files\snestool.zip
2004-05-02 12:43 . 2004-05-02 12:43 1135664 ----a-w- c:\program files\EMusicDownloadManager.exe
2004-04-20 18:27 . 2004-04-20 18:26 267472 ----a-w- c:\program files\NSSetup.exe
2004-04-15 14:18 . 2004-04-15 14:18 10196336 ----a-w- c:\program files\RealPlayer10GOLD.exe
2004-04-15 12:49 . 2004-04-15 12:49 1058466 ----a-w- c:\program files\gg60.exe
2004-03-16 22:56 . 2004-03-16 22:56 17840376 ----a-w- c:\program files\sk32e47.exe
2004-01-25 19:39 . 2004-05-09 14:39 16777216 -c--a-w- c:\program files\SAPPHIRE.GBA
2000-11-28 08:15 . 2000-11-28 08:15 1572934 ----a-w- c:\program files\NgBMXDemo.exe
2000-10-10 07:14 . 2000-10-10 07:14 20031 -c--a-w- c:\program files\Scene.Txt
.
------- Sigcheck -------
[-] 2009-08-09 00:00 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2009-08-09 00:00 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe
[-] 2008-04-14 . 1BD41EDA5B869AFC99895C39A8DE36E1 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ctfmon.exe
[-] 2003-04-16 . 0C4C012B0A8960F48A666C240A7BAA3D . 13312 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe"=
"c:\WINDOWS\system32\sessmgr.exe"=
"c:\Program Files\Real\RealPlayer\realplay.exe"=
"c:\Program Files\Tlen.pl\tlen.exe"=
"c:\Program Files\Gadu-Gadu\gg.exe"=
"c:\Program Files\Gadu-Gadu\ggphone\ggphone.exe"=
"c:\WINDOWS\system32\mmc.exe"=
"c:\Program Files\eMule\emule.exe"=
"c:\Program Files\ICQ6\ICQ.exe"=
"c:\WINDOWS\Network Diagnostic\xpnetdiag.exe"=
"f:\utorrent.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2004-02-26 9344]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-09 114768]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-04-26 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-04-26 72624]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-09 20560]
S2 SPF4;Sunbelt Personal Firewall 4;"c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe" --> c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [?]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2004-02-26 434944]
--- Inne Usługi/Sterowniki w Pamięci ---
*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Zawartość folderu 'Zaplanowane zadania'
2009-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
2009-10-30 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-02-18 11:24]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://onet.pl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\tcbaiads.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: f:\picasa3\npPicasa3.dll
.
- - - - USUNIĘTO PUSTE WPISY - - - -
AddRemove-Convert Doc_is1 - c:\program files\Softinterface
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 09:11
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
atapi.sys @ 0xF7528000 0x17480 bytes
\Driver\atapi [IRP_MJ_INTERNAL_DEVICE_CONTROL] 0xF752E7B4 != 0xF76078B4 sfsync02.sys
\Driver\atapi IRP hooks detected !
**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_USERS\S-1-5-21-484763869-746137067-1343024091-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(896)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(440)
c:\program files\7-Zip\7-zip.dll
c:\windows\system32\browselc.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.POL
c:\windows\system32\shdoclc.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\NOTEPAD.EXE
.
**************************************************************************
.
Czas ukończenia: 2009-10-31 9:25 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-10-31 08:25
Przed: 3 166 810 112 bajtów wolnych
Po: 3 150 884 864 bajtów wolnych
WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 1F47E60D9BADBAA20BBD082CCAFEE076
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:35:20, on 2009-11-01
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [OutlookFixMAPI] C:\WINDOWS\system32\fixmapi.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Unknown owner - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC (UserAccess) - Unknown owner - C:\PROGRAM FILES\COMMON FILES\YDP\USERACCESSMANAGER\useraccess.exe (file missing)
--
End of file - 3648 bytes