Powolne działanie komputera

Dla specjalistów Bezpieczeństwo
#1

Witam, mam problem z wolnym działaniem komputera Windows XP profesional, próbowałem wiele sposobów i programów a nie są szczególnie efektywne. Chcę uniknąć przeinstalowywania systemu, a mam go już ponad 5 lat :-D. Mam antywirusa avasta i spybota. Proszę o przeanalizowanie moich logów z Hijackthis i Combofix.

Z góry dzięki za odpowiedź.

ComboFix 09-10-30.01 - Administrator 2009-10-31 8:50.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.767.504 [GMT 1:00]

Uruchomiony z: c:\documents and settings\Administrator\Moje dokumenty\Pobieranie\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 091030-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Sunbelt Personal Firewall *disabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}

.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Moje dokumenty\cc_20080224_2027.reg

c:\program files\Need2Find

c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR

c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR

c:\program files\Need2Find\bar\1.bin\PARTNER.DAT

c:\recycler\NPROTECT

c:\recycler\NPROTECT\00460804.

c:\recycler\NPROTECT\00575199.

c:\recycler\S-1-5-21-484763869-746137067-1343024091-1003

c:\windows\Fonts\acrsec.fon

c:\windows\Fonts\acrsecB.fon

c:\windows\Fonts\acrsecI.fon

c:\windows\smdat32m.sys

c:\windows\system32\open.ico

c:\windows\System32\SYSTem~1.dll

.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Legacy_WKSPATCH

-------\Service_WksPatch

((((((((((((((((((((((((( Pliki utworzone od 2009-09-28 do 2009-10-31 )))))))))))))))))))))))))))))))

.

2009-10-27 21:16 . 2009-10-27 21:16 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-30 20:23 . 2007-12-15 15:38 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-30 19:58 . 2007-12-15 15:38 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy

2009-10-30 16:13 . 2004-08-08 14:24 -------- d-----w- c:\program files\NiemPol

2009-10-30 04:50 . 2006-04-13 20:50 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Tlen.pl

2009-10-25 06:33 . 2003-04-16 12:00 68554 ----a-w- c:\windows\system32\perfc015.dat

2009-10-25 06:33 . 2003-04-16 12:00 439538 ----a-w- c:\windows\system32\perfh015.dat

2009-10-21 16:58 . 2004-04-24 12:06 -------- d-----w- c:\program files\Gadu-Gadu

2009-10-15 21:11 . 2004-05-28 18:25 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Skype

2009-09-14 22:32 . 2004-07-27 20:49 -------- d-----w- c:\documents and settings\Administrator\Dane aplikacji\Kamerzysta

2009-08-09 00:00 . 2003-04-16 12:00 24064 ----a-w- c:\windows\system32\ctfmon.exe

2009-08-02 21:49 . 2009-08-02 21:49 0 ----a-w- c:\program files\Faktura VAT II AW.xls

2009-05-21 17:14 . 2009-05-21 17:14 6255736 ----a-w- c:\program files\tleninst60377.exe

2009-05-15 09:26 . 2009-05-15 09:26 34238 ----a-w- c:\program files\mapi32.zip

2008-11-28 15:45 . 2008-11-28 15:45 6308752 ----a-w- c:\program files\tleninst60372.exe

2008-11-13 16:16 . 2008-11-13 16:16 209537 ----a-w- c:\program files\00007.doc

2008-11-13 16:14 . 2008-11-13 16:14 642 ----a-w- c:\program files\Be00006.doc

2008-11-13 16:11 . 2008-11-13 16:11 533696 ----a-w- c:\program files\k4.rtf

2008-11-13 16:11 . 2008-11-13 16:11 248794 ----a-w- c:\program files\BearPa00005.doc

2008-11-13 16:09 . 2008-11-13 16:09 8164 ----a-w- c:\program files\BearPaw 00004.doc

2008-11-13 16:08 . 2008-11-13 16:08 9589 ----a-w- c:\program files\BearPaw 1200003.doc

2008-11-13 16:05 . 2008-11-13 16:05 736368 ----a-w- c:\program files\BearPaw 1200CU00002.doc

2008-11-13 16:03 . 2008-11-13 16:03 48592 ----a-w- c:\program files\BearPaw 1200CU P00001.doc

2007-12-25 01:08 . 2004-09-03 17:50 133 ----a-w- c:\program files\bk.rar

2007-11-17 18:27 . 2007-11-17 18:27 162 —ha-w- c:\program files~$X PC Read Me.doc

2006-12-25 14:36 . 2006-12-25 14:35 36808256 ----a-w- c:\program files\iTunesSetup.exe

2006-04-12 16:19 . 2006-04-12 16:19 960 ----a-w- c:\program files\energysmoothjazz128k.asx

2006-03-17 20:54 . 2006-03-17 20:53 12619653 ----a-w- c:\program files\faktura_s.exe

2006-02-05 11:05 . 2006-02-05 11:05 389 -c–a-w- c:\program files\program3.asx

2005-12-12 12:16 . 2005-12-12 12:10 12754672 ----a-w- c:\program files\MP10Setup.exe

2005-08-13 11:04 . 2005-08-13 11:04 968521 ----a-w- c:\program files\CRW_PS.rar

2004-12-04 11:05 . 2004-12-04 11:04 314 -c–a-w- c:\program files\Data.ini

2004-12-04 11:04 . 2004-12-04 11:04 18 -c–a-w- c:\program files\App.ini

2004-11-26 20:08 . 2004-11-26 20:07 1548182 ----a-w- c:\program files\tleninst52321.exe

2004-08-18 09:52 . 2004-08-18 09:52 1145270 ----a-w- c:\program files\ngwp70.zip

2004-08-09 08:56 . 2004-08-09 08:56 1082701 ----a-w- c:\program files\mtranse.exe

2004-08-08 14:23 . 2004-08-08 14:23 923117 ----a-w- c:\program files\slownik.zip

2004-08-07 08:03 . 2004-08-07 07:58 4562528 ----a-w- c:\program files\winamp504_full.exe

2004-08-02 21:42 . 2004-08-02 21:24 9172856 ----a-w- c:\program files\SkypeSetup.exe

2004-06-21 06:56 . 2004-06-21 06:56 1535488 ----a-w- c:\program files\eskimosr2.exe

2004-06-19 06:42 . 2004-06-19 06:37 4806997 ----a-w- c:\program files\Shockwave_Installer_Full.exe

2004-05-28 18:20 . 2004-05-28 18:20 8005960 ----a-w- c:\program files\SkypeSetup-Beta.exe

2004-05-22 20:21 . 2004-05-22 20:21 11978792 ----a-w- c:\program files\AdbeRdr60_pol.exe

2004-05-09 14:52 . 2004-05-09 14:52 14247 ----a-w- c:\program files\snestool.zip

2004-05-02 12:43 . 2004-05-02 12:43 1135664 ----a-w- c:\program files\EMusicDownloadManager.exe

2004-04-20 18:27 . 2004-04-20 18:26 267472 ----a-w- c:\program files\NSSetup.exe

2004-04-15 14:18 . 2004-04-15 14:18 10196336 ----a-w- c:\program files\RealPlayer10GOLD.exe

2004-04-15 12:49 . 2004-04-15 12:49 1058466 ----a-w- c:\program files\gg60.exe

2004-03-16 22:56 . 2004-03-16 22:56 17840376 ----a-w- c:\program files\sk32e47.exe

2004-01-25 19:39 . 2004-05-09 14:39 16777216 -c–a-w- c:\program files\SAPPHIRE.GBA

2000-11-28 08:15 . 2000-11-28 08:15 1572934 ----a-w- c:\program files\NgBMXDemo.exe

2000-10-10 07:14 . 2000-10-10 07:14 20031 -c–a-w- c:\program files\Scene.Txt

.

------- Sigcheck -------

[-] 2009-08-09 00:00 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe

[-] 2009-08-09 00:00 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe

[-] 2008-04-14 . 1BD41EDA5B869AFC99895C39A8DE36E1 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd64aa87403cfac627c6c8f37d245aa4\ctfmon.exe

[-] 2003-04-16 . 0C4C012B0A8960F48A666C240A7BAA3D . 13312 . . [5.1.2600.1106] . . c:\windows$NtServicePackUninstall$\ctfmon.exe

.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“SpybotSD TeaTimer”=“c:\program files\Spybot - Search & Destroy\TeaTimer.exe” [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2009-02-05 81000]

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

“c:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe”=

“c:\WINDOWS\system32\sessmgr.exe”=

“c:\Program Files\Real\RealPlayer\realplay.exe”=

“c:\Program Files\Tlen.pl\tlen.exe”=

“c:\Program Files\Gadu-Gadu\gg.exe”=

“c:\Program Files\Gadu-Gadu\ggphone\ggphone.exe”=

“c:\WINDOWS\system32\mmc.exe”=

“c:\Program Files\eMule\emule.exe”=

“c:\Program Files\ICQ6\ICQ.exe”=

“c:\WINDOWS\Network Diagnostic\xpnetdiag.exe”=

“f:\utorrent.exe”=

“c:\Program Files\iTunes\iTunes.exe”=

“c:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe”=

“c:\Program Files\Skype\Phone\Skype.exe”=

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2004-02-26 9344]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-09 114768]

R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-04-26 302000]

R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-04-26 72624]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-09 20560]

S2 SPF4;Sunbelt Personal Firewall 4;“c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe” --> c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [?]

S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2004-02-26 434944]

— Inne Usługi/Sterowniki w Pamięci —

*NewlyCreated* - CLASSPNP_2

*NewlyCreated* - MBR

*Deregistered* - CLASSPNP_2

*Deregistered* - mbr

.

Zawartość folderu ‘Zaplanowane zadania’

2009-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job

  • c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]

2009-10-30 c:\windows\Tasks\Symantec NetDetect.job

  • c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-02-18 11:24]

.

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://onet.pl/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

FF - ProfilePath - c:\documents and settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\tcbaiads.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.onet.pl/

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - plugin: f:\picasa3\npPicasa3.dll

.

        • USUNIĘTO PUSTE WPISY - - - -

AddRemove-Convert Doc_is1 - c:\program files\Softinterface

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-31 09:11

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

skanowanie ukrytych procesów …

skanowanie ukrytych wpisów autostartu …

skanowanie ukrytych plików …

skanowanie pomyślnie ukończone

ukryte pliki: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys pciide.sys

kernel: MBR read successfully

user & kernel MBR OK

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0xF7528000 0x17480 bytes

\Driver\atapi [IRP_MJ_INTERNAL_DEVICE_CONTROL] 0xF752E7B4 != 0xF76078B4 sfsync02.sys

\Driver\atapi IRP hooks detected !

**************************************************************************

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-484763869-746137067-1343024091-500\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

              • > ‘winlogon.exe’(840)

c:\windows\system32\Ati2evxx.dll

              • > ‘lsass.exe’(896)

c:\windows\system32\relog_ap.dll

              • > ‘explorer.exe’(440)

c:\program files\7-Zip\7-zip.dll

c:\windows\system32\browselc.dll

c:\progra~1\SPYBOT~1\SDHelper.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\program files\Microsoft Office\OFFICE11\msohev.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.POL

c:\windows\system32\shdoclc.dll

.

------------------------ Pozostałe uruchomione procesy ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Seagate\Schedule2\schedul2.exe

c:\windows\system32\drivers\KodakCCS.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\NOTEPAD.EXE

.

**************************************************************************

.

Czas ukończenia: 2009-10-31 9:25 - komputer został uruchomiony ponownie

ComboFix-quarantined-files.txt 2009-10-31 08:25

Przed: 3 166 810 112 bajtów wolnych

Po: 3 150 884 864 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Professional” /fastdetect /NoExecute=OptIn

    • End Of File - - 1F47E60D9BADBAA20BBD082CCAFEE076

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:35:20, on 2009-11-01

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\TUProgSt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM…\RunOnce: [OutlookFixMAPI] C:\WINDOWS\system32\fixmapi.exe

O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Unknown owner - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe (file missing)

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe

O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

O23 - Service: Securom User Access for Windows 2000 and Windows XP a technology by Sony DADC (UserAccess) - Unknown owner - C:\PROGRAM FILES\COMMON FILES\YDP\USERACCESSMANAGER\useraccess.exe (file missing)

End of file - 3648 bytes

#2

Nie widać tu żadnej infekcji.

jessi