majkel919
(Majkel 80)
11 August 2007 22:23
#1
Hi! I have a problem similar to the one JARCKO described: http://forum.dobreprogramy.pl/viewtopic.php?t=176203
At first Avast told me I had a virus located on the C: partition, C:\x3a3x4q7p6.exe. The virus activated right after starting the web browser (I use FF on Win 2K).
I installed various scanners and other antivirus programs, and F-Secure Anti-Virus 2007 "helped" in the sense that I no longer get any notification about this virus.
Since then the computer has been very sluggish. Opening any program takes almost a minute, even plain GG. When I work on the computer for a while and want to shut it down, it won't shut down at all. I wait even 10 minutes and nothing, the disk keeps grinding the whole time, so I power it off with the button. I think I may still have some junk on it. The scanners don't detect anything.
Here are my logs; if anyone can help, please do. Thanks in advance.
```
Logfile of HijackThis v1.99.1
Scan saved at 00:03:21, on 2007-08-12
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\program files\internet explorer\IEXPLORE.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINNT\RTHDCPL.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\update.tmp
E:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll ,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM…\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM…\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM…\Run: [SkyTel] SkyTel.EXE
O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM…\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM…\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM…\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM…\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM…\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM…\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM…\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU…\Run: [internat.exe] internat.exe
O4 - HKCU…\RunOnce: [FFTI] C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\1hy0s8j9.default\extensions{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles/1hy0s8j9.default\extensions{B13721C7-F507-4982-B2E5-502A71474FED}"
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 6343300328
O17 - HKLM\System\CCS\Services\Tcpip…{1EABD805-C4B6-4522-99DE-96E4A13C6673}: NameServer = 213.241.79.37 83.238.255.76
O17 - HKLM\System\CS1\Services\Tcpip…{1EABD805-C4B6-4522-99DE-96E4A13C6673}: NameServer = 213.241.79.37 83.238.255.76
O17 - HKLM\System\CS2\Services\Tcpip…{1EABD805-C4B6-4522-99DE-96E4A13C6673}: NameServer = 213.241.79.37 83.238.255.76
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Stack COM Server - Unknown owner - C:\WINNT\BTStack.exe (file missing)
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft Hardware Detections - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Dosm.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
```
```
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"FFTI" = "C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\1hy0s8j9.default\extensions{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles/1hy0s8j9.default\extensions{B13721C7-F507-4982-B2E5-502A71474FED}"" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"NetLimiter" = "C:\Program Files\NetLimiter\NetLimiter.exe /s" ["LockTime"]
"Resume copy" = "copyfstq.exe /startup" [null data]
"SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg" ["Symantec Corporation"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"SDTray" = ""C:\Program Files\Spyware Doctor\SDTrayApp.exe"" ["PC Tools"]
"F-Secure Manager" = ""C:\Program Files\F-Secure\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"F-Secure TNB" = ""C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
  -> {HKLM…CLSID} = "AcroIEHlprObj Class"
     \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
  -> {HKLM…CLSID} = "SSVHelper Class"
     \InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM…CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM…CLSID} = "Desktop Explorer"
     \InProcServer32(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM…CLSID} = "nView Desktop Context Menu"
     \InProcServer32(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM…CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{A4D78B20-6E05-1069-8758-4E73FD83DEAD}" = "QCopy"
  -> {HKLM…CLSID} = "QCopy"
     \InProcServer32(Default) = "dropcpyr.dll" [null data]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
  -> {HKLM…CLSID} = "Sony Ericsson File Manager"
     \InProcServer32(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM…CLSID} = "AlcoholShellEx"
     \InProcServer32(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM…CLSID} = "avast"
     \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
  -> {HKLM…CLSID} = "PDF Shell Extension"
     \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM…CLSID} = "avast"
     \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM…CLSID} = "avast"
     \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoFolderOptions" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\ACD Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINNT\ACD Wallpaper.bmp"


Enabled Scheduled Tasks:
------------------------

"Funkcja One Button Checkup pakietu Norton SystemWorks" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL ["F-Secure Corporation"], 01 - 17, 41
C:\Program Files\NetLimiter\nl_lsp.dll [null data], 18 - 22, 28
%SystemRoot%\system32\msafd.dll [MS], 23 - 25, 29 - 40
%SystemRoot%\system32\rsvpsp.dll [MS], 26 - 27


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"]
F-Secure Automatic Update Agent, FSAUA, ""C:\Program Files\F-Secure\FSAUA\program\fsaua.exe"" ["F-Secure Corporation"]
F-Secure Management Agent, FSMA, ""C:\Program Files\F-Secure\Common\FSMA32.EXE"" ["F-Secure Corporation"]
FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"]
Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Spyware Doctor Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\svcntaux.exe" ["PC Tools"]
Spyware Doctor Service, sdCoreService, "C:\Program Files\Spyware Doctor\swdsvc.exe" ["PC Tools"]
System zdarzeń COM+, EventSystem, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\es.dll" [null data]}


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
PrintPort\Driver = "emfxp.dll" [null data]


----------
(launch time: 2007-08-12 00:05:43)
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 43 seconds.
---------- (total run time: 82 seconds)
```
jessica
(jessica)
12 August 2007 07:58
#2
Fix the entries mentioned above in HijackThis:
>>HijackThis>>Scan (Do a system scan only)>>check them>>Fix checked.
see: the post below
You can also post a ComboFix log:
http://forum.dobreprogramy.pl/viewtopic.php?t=36654 (at the bottom of the linked page) -
Paste the log at http://wklej.org/ and put only the link in your post.
.
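As an added example for this thread (not code from HijackThis, Silent Runners or any of the posters), the script below applies the reading the helpers do by eye to the O4, O17 and O23 entries of a HijackThis 1.99.x log: services with no identifiable vendor, Microsoft-sounding service names running outside %SystemRoot%, autoruns started from a temp or profile directory, and the resolvers in the O17 lines. The sample lines are constructed from the log posted above; the severity ranking, the list of user-writable path markers and the helper names are my own assumptions, not anything the tool defines.

```python
"""Triage helpers for HijackThis 1.99.x logs (added example, not the tool's code).

Reads the one-entry-per-line text HijackThis prints and applies the checks a
malware-removal helper makes by eye: services with no identifiable vendor,
Microsoft-branded service names outside %SystemRoot%, autoruns launched from
temp or profile directories, and which DNS servers the machine resolves through.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the log posted in this thread (the
# Dosm.exe service, the avast entries, the O17 NameServer lines, the FFTI
# RunOnce) plus the benign NvCplDaemon autorun from the same log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\1hy0s8j9.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EABD805-C4B6-4522-99DE-96E4A13C6673}: NameServer = 213.241.79.37 83.238.255.76
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EABD805-C4B6-4522-99DE-96E4A13C6673}: NameServer = 213.241.79.37 83.238.255.76
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Microsoft Hardware Detections - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Dosm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# Entry layouts as HijackThis prints them. The lazy ".*?" before "\Run" also
# accepts the "HKLM…\Run" form that forum software makes of "HKLM\..\Run".
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+).*?\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*?: NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

SYSTEM_DIRS = ("\\winnt\\", "\\windows\\")  # %SystemRoot% on Windows 2000 and XP+
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\dane aplikacji\\",
                 "\\application data\\", "\\local settings\\")  # assumed markers
RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Finding:
    severity: str   # "low" | "medium" | "high"
    entry: str      # the log line that triggered the finding
    reason: str

def _check_service(line: str, display: str, owner: str, path: str) -> List[Finding]:
    out: List[Finding] = []
    low_path, unknown = path.lower(), owner.strip().lower() == "unknown owner"
    if unknown and low_path.endswith("(file missing)"):
        # HijackThis 1.99.x reports this for quoted service paths it cannot resolve
        # (the avast entries in the thread): confirm on disk, but low priority.
        out.append(Finding("low", line, "unknown owner and binary reported missing"))
    elif unknown:
        out.append(Finding("high", line, "no identifiable vendor and the binary exists"))
    if ("microsoft" in display.lower() and "microsoft" not in owner.lower()
            and not any(d in low_path for d in SYSTEM_DIRS)):
        # A Microsoft-sounding name running from outside %SystemRoot% is a classic
        # disguise; "Microsoft Shared" under Program Files is a real folder, which
        # is exactly why droppers pick it.
        out.append(Finding("medium", line, "Microsoft-branded name, non-Microsoft owner, outside %SystemRoot%"))
    return out

def _check_autorun(line: str, hive: str, key: str, cmd: str) -> List[Finding]:
    if any(marker in cmd.lower() for marker in USER_WRITABLE):
        return [Finding("medium", line, f"{hive}\\{key} launches from a user-writable temp/profile path")]
    return []

def triage(log: str) -> List[Finding]:
    """Run the checks over every O4 and O23 entry; one Finding per reason."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            findings.extend(_check_service(line, m["display"], m["owner"], m["path"]))
            continue
        m = O4_RE.match(line)
        if m:
            findings.extend(_check_autorun(line, m["hive"], m["key"], m["cmd"]))
    return findings

def worst_severity(findings: List[Finding], needle: str) -> Optional[str]:
    """Highest severity among findings whose entry mentions `needle`, else None."""
    hits = [f.severity for f in findings if needle.lower() in f.entry.lower()]
    return max(hits, key=RANK.__getitem__) if hits else None

def dns_servers(log: str) -> List[str]:
    """NameServer addresses from the O17 lines, in order, de-duplicated (HijackThis
    prints one O17 line per control set, so the same resolvers repeat)."""
    seen: List[str] = []
    for raw in log.splitlines():
        m = O17_RE.match(raw.strip())
        for ip in (m["servers"].split() if m else []):
            if ip not in seen:
                seen.append(ip)
    return seen

def unexpected_dns(log: str, expected: List[str]) -> List[str]:
    """Resolvers in the log that are not in the caller's known-good list (e.g. the
    ISP's published ones); a resolver nobody configured is how DNS changers work."""
    return [ip for ip in dns_servers(log) if ip not in expected]

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: -RANK[f.severity]):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.entry}")
    print("DNS servers:", dns_servers(SAMPLE_LOG))
```

Run as-is it ranks the Dosm.exe service first (unknown owner, binary present, Microsoft-branded name outside %SystemRoot%), the FFTI RunOnce second (launched from the user's profile), and the avast "(file missing)" entries last; HijackThis 1.99.1 is known to print "(file missing)" for service paths that contain quotes, and the Silent Runners output above lists those same avast services with their full path. The output is a reading order, not a verdict: the Dosm.exe hit still has to be confirmed the way the thread goes on to do it, by submitting the file to a multi-engine scanner. The O17 resolvers are only reported; the script cannot know offline which ones the ISP actually hands out, so pass that list to unexpected_dns yourself.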
Kuba11
(Kuba1)
12 August 2007 09:29
#3
That's the GG autoupdater; there have been various problems with it, high CPU usage and so on.
Block that file in the firewall; deleting it won't help, because GG creates it again on every start.
jessica
(jessica)
12 August 2007 20:13
#5
I can see from the ComboFix log that you did not fix in HijackThis the entries you were supposed to fix.
Check it at http://virusscan.jotti.org/
Instructions for using JOTTI --> http://otfans.pl/forums/showthread.php?tid=552
or at http://www.virustotal.com/en/indexf.html
(it is used much like JOTTI).
I don't see anything else suspicious here.
.
majkel919
(Majkel 80)
12 August 2007 21:23
#6
Hey, I made the ComboFix log before I removed those entries in HijackThis.
They're gone now because I've already thrown them out.
And do you know at all what this file is: Dosm.exe? Because to check it at http://virusscan.jotti.org/ I have to give it the path to the file, and when I browse the partition it isn't there.
qrczak13
(qrczak13)
12 August 2007 21:33
#7
Tools > Folder Options > View > check "Show hidden files and folders" and uncheck "Hide protected operating system files".
Then it will show up.
jessica
(jessica)
12 August 2007 21:37
#8
You don't see it in that path because the ComboFix log shows it has protective attributes: **hidden** (hidden) and **sys** (system, hidden).
So first get rid of those attributes:
>>Start>>Control Panel>>Folder Options>>View>>uncheck "Hide protected operating system files">>check "Show hidden files">>Apply>>OK.
majkel919
(Majkel 80)
12 August 2007 21:55
#9
Right, I did that, I just forgot about "Hide protected operating system files".
It's there, and I scanned it; the result is as follows:
AntiVir: Found TR/Crypt.CFI.Gen
AVG Antivirus: Found SHeur.BTO
majkel919
(Majkel 80)
20 August 2007 22:02
#11
Hello, well, I still have the following problem (maybe I'm repeating myself, but the problem was never fully removed, so I'm presenting it again with new logs).
When I turn the computer on and don't connect to the Netia internet, everything is fine; the computer isn't sluggish and everything works as it should. After connecting to the network through the standard Netia ADSL modem, everything starts to crawl: I wait about 1 minute for any program to open, and after a longer time online I can't open anything at all. When I want to shut the computer down it takes a good 30 minutes, and that's with my help, because I have to close various strange applications with "End Now".
Here are my logs:
```
Logfile of HijackThis v1.99.1
Scan saved at 23:48:51, on 2007-08-20
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\program files\internet explorer\IEXPLORE.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINNT\RTHDCPL.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\update.tmp
E:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll ,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM…\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM…\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM…\Run: [SkyTel] SkyTel.EXE
O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM…\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM…\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM…\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM…\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM…\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM…\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU…\Run: [internat.exe] internat.exe
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 6343300328
O17 - HKLM\System\CCS\Services\Tcpip…{1EABD805-C4B6-4522-99DE-96E4A13C6673}: NameServer = 213.241.79.37 83.238.255.76
O17 - HKLM\System\CS1\Services\Tcpip…{1EABD805-C4B6-4522-99DE-96E4A13C6673}: NameServer = 213.241.79.37 83.238.255.76
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Stack COM Server - Unknown owner - C:\WINNT\BTStack.exe (file missing)
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft Hardware Detections - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Dosm.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
```
and here is one more:
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"NetLimiter" = "C:\Program Files\NetLimiter\NetLimiter.exe /s" ["LockTime"]
"Resume copy" = "copyfstq.exe /startup" [null data]
"SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg" ["Symantec Corporation"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"F-Secure Manager" = ""C:\Program Files\F-Secure\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"F-Secure TNB" = ""C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{A4D78B20-6E05-1069-8758-4E73FD83DEAD}" = "QCopy"
  -> {HKLM...CLSID} = "QCopy"
     \InProcServer32\(Default) = "dropcpyr.dll" [null data]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
  -> {HKLM...CLSID} = "Sony Ericsson File Manager"
     \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
     \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\ACD Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINNT\ACD Wallpaper.bmp"

Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDriveAutoRun" = ** WARNING -- corrupt BINARY value! **

Enabled Scheduled Tasks:
------------------------
"Funkcja One Button Checkup pakietu Norton SystemWorks" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL ["F-Secure Corporation"], 01 - 17, 41
C:\Program Files\NetLimiter\nl_lsp.dll [null data], 18 - 22, 28
%SystemRoot%\system32\msafd.dll [MS], 23 - 25, 29 - 40
%SystemRoot%\system32\rsvpsp.dll [MS], 26 - 27

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"]
F-Secure Automatic Update Agent, FSAUA, ""C:\Program Files\F-Secure\FSAUA\program\fsaua.exe"" ["F-Secure Corporation"]
F-Secure Management Agent, FSMA, ""C:\Program Files\F-Secure\Common\FSMA32.EXE"" ["F-Secure Corporation"]
FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"]
Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
System zdarzeń COM+, EventSystem, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\es.dll" [null data]}

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
PrintPort\Driver = "emfxp.dll" [null data]

----------
(launch time: 2007-08-20 23:50:12)
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 40 seconds.
---------- (total run time: 82 seconds)
and the ComboFix log:
ComboFix 07-08-09.3 - "Administrator" 2007-08-20 23:54:07.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1250.1.1045.18.451 [GMT 2:00]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\system32\f.txt

((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))

2007-08-20 23:50 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_47c.dat
2007-08-19 22:43 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_248.dat
2007-08-15 21:21 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_484.dat
2007-08-15 21:13 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_250.dat
2007-08-15 20:48 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_490.dat
2007-08-13 22:03 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_57c.dat
2007-08-13 18:10 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_580.dat
2007-08-13 00:06 649,728 ---hs---- C:\WINNT\system32\_Dosm.exe
2007-08-12 21:50 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_584.dat
2007-08-12 21:12 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-07 18:29
2007-08-07 18:22 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_24c.dat
2007-08-07 18:19 50,080 --a------ C:\WINNT\system32\drivers\fsdfw.sys
2007-08-07 18:19 29,472 --a------ C:\WINNT\system32\drivers\fsndis5.sys
2007-08-07 18:19
2007-08-07 18:18
2007-08-07 18:18
2007-08-07 17:55
2007-08-03 21:55 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-08-03 21:55 462,848 --a------ C:\WINNT\system32\msaatext.dll
2007-08-03 21:55 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2007-07-28 15:38
2007-07-28 15:38
2007-07-28 15:37
2007-07-28 15:37
2007-07-28 15:37
2007-07-28 15:37
2007-07-27 20:39 327,168 --a------ C:\WINNT\IsUn0415.exe
2007-07-23 22:41

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

07-08-15 21:40 --------- d-------- C:\DOCUME~1\ADMINI~1\DANEAP~1\Skype
07-08-15 14:48 --------- d-------- C:\Program Files\English Translator 3
07-08-07 18:22 41232 --a--c--- C:\WINNT\system32\dllcache\ftp.exe
07-08-07 18:22 41232 --a------ C:\WINNT\system32\ftp.exe
07-08-07 18:22 17680 --a--c--- C:\WINNT\system32\dllcache\tftp.exe
07-08-07 18:22 17680 --a------ C:\WINNT\system32\tftp.exe
07-08-07 18:19 65544 --a------ C:\WINNT\system32\perfc015.dat
07-08-07 18:19 427502 --a------ C:\WINNT\system32\perfh015.dat
07-08-02 21:05 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-07-30 17:25 96048 --a------ C:\WINNT\system32\sfc.dll
07-07-28 00:07 783224 --a------ C:\WINNT\system32\aswBoot.exe
07-07-28 00:02 94416 --a------ C:\WINNT\system32\drivers\aswmon2.sys
07-07-28 00:02 92848 --a------ C:\WINNT\system32\drivers\aswmon.sys
07-07-28 00:00 23152 --a------ C:\WINNT\system32\drivers\aswRdr.sys
07-07-27 23:59 42912 --a------ C:\WINNT\system32\drivers\aswTdi.sys
07-07-27 23:58 26624 --a------ C:\WINNT\system32\drivers\aavmker4.sys
07-07-27 23:57 95608 --a------ C:\WINNT\system32\AvastSS.scr
07-07-23 22:42 --------- d-------- C:\Program Files\Skype
07-07-13 17:30 --------- d-------- C:\Program Files\Norton SystemWorks
07-04-10 16:34 271 ---h----- C:\Program Files\desktop.ini
07-04-10 16:34 22039 ---h----- C:\Program Files\folder.htt
03-07-08 14:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-08 14:00 C:\WINNT\system32\mobsync.exe]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [06-06-01 11:22]
"nwiz"="nwiz.exe" [06-06-01 11:22 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [06-06-01 11:22]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [03-10-02 02:20]
"Tweak UI"="TWEAKUI.CPL" [00-06-18 14:03 C:\WINNT\system32\tweakui.cpl]
"SkyTel"="SkyTel.EXE" [06-05-16 12:04 C:\WINNT\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [06-05-27 04:47 C:\WINNT\RTHDCPL.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [04-03-23 12:06]
"NetLimiter"="C:\Program Files\NetLimiter\NetLimiter.exe" [03-10-24 02:56]
"Resume copy"="copyfstq.exe" [07-04-11 19:27 C:\WINNT\copyfstq.exe]
"SymTray - Norton SystemWorks"="C:\Program Files\Common Files\Symantec Shared\Symtray.exe" [03-10-23 13:13]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-07-28 00:03]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [07-08-07 18:18]
"F-Secure TNB"="C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" [07-08-07 18:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-07-08 14:00 C:\WINNT\system32\internat.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SymTray - Norton SystemWorks"=C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)

R0 a347bus;a347bus;C:\WINNT\system32\DRIVERS\a347bus.sys
R0 a347scsi;a347scsi;C:\WINNT\system32\Drivers\a347scsi.sys
R0 FSFW;F-Secure Firewall Driver;C:\WINNT\system32\drivers\fsdfw.sys
R0 pnpshark;pnpshark;C:\WINNT\system32\DRIVERS\pnpshark.sys
R0 st3shark;st3shark;C:\WINNT\system32\DRIVERS\st3shark.sys
R1 F-Secure HIPS;F-Secure HIPS;\??\C:\Program Files\F-Secure\HIPS\fshs.sys
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys
R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN);C:\WINNT\system32\DRIVERS\alcan5wn.sys
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINNT\system32\Drivers\NPDRIVER.SYS
R3 openhci;Sterownik otwartego kontrolera hosta USB Microsoft;C:\WINNT\system32\DRIVERS\openhci.sys
R3 usbhub20;Obsługa głównego koncentratora USB 2.0;C:\WINNT\system32\DRIVERS\usbhub20.sys
S2 Bluetooth Stack COM Server;Bluetooth Stack COM Server;"C:\WINNT\BTStack.exe"
S2 Microsoft Hardware Detections;Microsoft Hardware Detections;C:\Program Files\Common Files\Microsoft Shared\MSINFO\Dosm.exe
S3 gdrv;gdrv;\??\C:\WINNT\gdrv.sys
S3 GVCplDrv;GVCplDrv;C:\WINNT\system32\drivers\GVCplDrv.sys
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINNT\system32\DRIVERS\k510bus.sys
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINNT\system32\DRIVERS\k510mdfl.sys
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINNT\system32\DRIVERS\k510mdm.sys
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINNT\system32\DRIVERS\k510mgmt.sys
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINNT\system32\DRIVERS\k510obex.sys
S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys
S3 SDdriver;SDdriver;\??\C:\WINNT\system32\Drivers\sddriver.sys
S3 SNPSTD3;USB PC Camera (SNPSTD3);C:\WINNT\system32\DRIVERS\snpstd3.sys
S4 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys

Contents of the 'Scheduled Tasks' folder
2007-08-10 15:30:34 C:\WINNT\Tasks\Funkcja One Button Checkup pakietu Norton SystemWorks.job
2007-08-19 22:00:27 C:\WINNT\Tasks\Symantec Drmc.job
2007-08-20 20:50:14 C:\WINNT\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 23:55:19
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

\Program Files\Alwil Software\Avast4\ashServ.exe [584] 0x85281940

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120(Trial Version)"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,38,01,00,00,01,00,00,00,04,00,00,00,76,...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 23:56:15
C:\ComboFix-quarantined-files.txt ... 07-08-20 23:55
C:\ComboFix2.txt ... 07-08-12 21:29

--- E O F ---
ComboFix-quarantined-files