xerion7
(Miki Ziomek)
7 April 2007 18:01
#1
For a week now I've had the following problem...
When I play e.g. Call of Duty 2 on max details, after about 3 minutes the computer simply starts beeping...? Same thing with Silkroad and Prince of Persia WW. When I lowered the details, the computer stopped beeping... I have a GeForce 6600 and I've already played these games at those settings...?? What's the problem?? Oh, and one more thing: the computer sometimes freezes... Maybe you'll find something:
In case they help, here are the HJT and SR logs:
Logfile of HijackThis v1.99.1
Scan saved at 19:59:37, on 2007-04-07
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Win_amp\winamp.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Opera\Opera.exe
C:\DOCUME~1\Xerion\USTAWI~1\Temp\Rar$EX00.406\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{87409510-0045-4D3A-8DBE-99DFB2F0CDCB}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Silent Runners:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" ["France Télécom R&D"]
"COMODO Firewall Pro" = ""C:\Program Files\Comodo\Firewall\CPF.exe" /background" ["COMODO"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{182B90A3-F372-438A-800C-6814B4DE417B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\System32\fccawuu.dll" [null data]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Flashget Catch Url Class"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
{47FC8E2C-4B9E-47B8-AF07-D7CC002CBB9F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\System32\sstts.dll" [null data]
{E03C740E-BB24-4d3c-B92A-6F84DE1DD99C}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\System32\qxebvtbb.dll" [file not found]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "gFlash Class"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{182B90A3-F372-438A-800C-6814B4DE417B}" = "*U" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\System32\fccawuu.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> fccawuu\DLLName = "fccawuu.dll" [null data]
<> sstts\DLLName = "C:\WINDOWS\System32\sstts.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"


Startup items in "Xerion" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet"
  -> {HKLM...CLSID} = "FlashGet"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet\fgiebar.dll" ["Amaze Soft"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Comodo Application Agent, CmdAgent, "C:\Program Files\Comodo\Firewall\cmdagent.exe" ["COMODO"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]


----------
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
----------
(total run time: 33 seconds, including 2 seconds for message boxes)
Thanks in advance :mrgreen:
hajduk123
(hajduk123)
7 April 2007 18:09
#2
xerion7, what are your temperatures?? I also have a GF6600 and I know it likes to run hot. On mine, when the card temperature goes above 70 degrees the fan goes to higher RPM, same with the CPU.
xerion7
(Miki Ziomek)
7 April 2007 18:13
#3
Honestly, I don't even remember how to check the temperature... if you can, write me how...
And secondly, I don't know whether the computer would beep from something like that... on top of that, I've had it for a year and only now has something like this shown up??
adam9870
(adam9870)
7 April 2007 19:15
#4
Download Gmer.
You'll now be working in Gmer, so run it, wait a moment, and click the >>> tab to open the remaining ones.
Use VundoFix + FixVundo + VirtumundoBeGone. All of these tools must be run in Safe Mode.
When you're done, paste a new log from HJT and Silent Runners, plus one from ComboFix. To produce its log, run it => press the Y key => wait patiently, and the log should appear as a .txt file named combofix on the C: partition.
xerion7
(Miki Ziomek)
8 April 2007 14:56
#5
I did it in Gmer... but I don't really know what to do in those three programs you listed at the bottom...
Am I supposed to run all three at once, or what?? Is there some instruction for this?? :PP I don't want to mess something up... :mrgreen:
adam9870
(adam9870)
8 April 2007 15:28
#6
Here you go, the instructions for the programs I listed:
http://unicorn.ksiezyc.pl/WWW/instrukcje/vundo.html
xerion7
(Miki Ziomek)
8 April 2007 15:48
#7
OK, done...
Logs:
HJT
Logfile of HijackThis v1.99.1
Scan saved at 17:42:54, on 2007-04-08
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Opera\Opera.exe
C:\DOCUME~1\Xerion\USTAWI~1\Temp\Rar$EX00.953\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {4F35213E-6896-45F8-9A18-49A3A9382842} - C:\WINDOWS\System32\sstts.dll (file missing)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{87409510-0045-4D3A-8DBE-99DFB2F0CDCB}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Silent Runners:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" ["France Télécom R&D"]
"COMODO Firewall Pro" = ""C:\Program Files\Comodo\Firewall\CPF.exe" /background" ["COMODO"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Flashget Catch Url Class"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
{4F35213E-6896-45F8-9A18-49A3A9382842}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\System32\sstts.dll" [file not found]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "gFlash Class"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"


Startup items in "Xerion" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet"
  -> {HKLM...CLSID} = "FlashGet"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet\fgiebar.dll" ["Amaze Soft"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Comodo Application Agent, CmdAgent, "C:\Program Files\Comodo\Firewall\cmdagent.exe" ["COMODO"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
----------
(total run time: 31 seconds, including 3 seconds for message boxes)
and ComboFix:
ComboFix 07-04-05 - Running from: "E:\ComboFix"


((((((((((((((((((((((((((((((( Files Created from 2007-03-08 to 2007-04-08 ))))))))))))))))))))))))))))))))))

2007-04-08 17:22    524,288  --ah-----  C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-08 17:22
2007-04-08 17:22
2007-04-08 17:22
2007-04-08 17:22
2007-04-08 17:22
2007-04-08 17:22
2007-04-08 17:22
2007-04-07 21:08      2,944  --a------  C:\WINDOWS\system32\mbmiodrvr.sys
2007-04-07 21:08
2007-04-07 20:32
2007-04-07 19:25
2007-04-07 19:23
2007-04-02 20:07
2007-04-01 21:18
2007-03-29 15:45     41,344  ---------  C:\WINDOWS\system32\drivers\ser2pl.sys
2007-03-27 18:34
2007-03-25 23:14
2007-03-25 23:14
2007-03-25 22:46
2007-03-25 22:35
2007-03-25 22:30  2,781,184  --a------  C:\DOCUME~1\Xerion\ntuser.dat
2007-03-23 20:49
2007-03-23 20:49
2007-03-21 20:31    327,168  --a------  C:\WINDOWS\IsUn0415.exe
2007-03-15 17:36
2007-03-13 15:16


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-08 17:44 -------- d-------- C:\Program Files\flashget
2007-04-08 17:41 -------- d-------- C:\Program Files\wanadoo
2007-04-07 20:23 -------- d-------- C:\Program Files\ultimate systems
2007-04-07 19:30 -------- d--h----- C:\Program Files\installshield installation information
2007-04-02 22:47 -------- d-------- C:\DOCUME~1\Xerion\DANEAP~1\skype
2007-04-01 18:02 -------- d-------- C:\DOCUME~1\Xerion\DANEAP~1\openoffice.ux.pl2
2007-03-25 23:13 1743 --a------ C:\WINDOWS\unins000.dat
2007-03-25 22:45 -------- d-------- C:\Program Files\Common Files\installshield
2007-03-25 14:44 49712 --a------ C:\WINDOWS\system32\perfc015.dat
2007-03-25 14:44 355830 --a------ C:\WINDOWS\system32\perfh015.dat
2007-03-09 20:06 -------- d-------- C:\Program Files\gadu-gadu
2007-03-04 14:26 -------- d-------- C:\Program Files\openoffice.ux.pl 2.0.4
2007-03-01 00:26 2938 --a------ C:\WINDOWS\mozver.dat
2007-03-01 00:25 107132 --a------ C:\WINDOWS\uninstallfirefox.exe
2007-03-01 00:08 -------- d-------- C:\Program Files\win_amp
2007-02-28 23:20 -------- d-------- C:\Program Files\winamp
2007-02-27 23:50 76412 --a------ C:\WINDOWS\system32\pykwokdc.dll
2007-02-27 21:45 51328 --a------ C:\WINDOWS\system32\drivers\inspect.sys
2007-02-27 21:45 -------- d-------- C:\Program Files\comodo
2007-02-27 21:42 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-27 21:21 -------- d-------- C:\DOCUME~1\Xerion\DANEAP~1\tlen.pl
2007-02-27 21:20 -------- d-------- C:\Program Files\tlen.pl
2007-02-27 18:35 5956 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-02-27 14:06 -------- d-------- C:\Program Files\lavasoft
2007-02-27 14:06 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-02-27 14:06 -------- d-------- C:\DOCUME~1\Xerion\DANEAP~1\lavasoft
2007-02-27 13:00 -------- d-------- C:\DOCUME~1\Xerion\DANEAP~1\symantec
2007-02-27 12:30 26637 ---hs---- C:\WINDOWS\system32\khffgdc.dll
2007-02-26 22:45 26637 ---hs---- C:\WINDOWS\system32\khfgefe.dll
2007-02-26 19:29 26637 ---hs---- C:\WINDOWS\system32\vtuvutt.dll
2007-02-26 18:38 26637 ---hs---- C:\WINDOWS\system32\pmnomnl.dll
2007-02-26 08:24 76412 --a------ C:\WINDOWS\system32\lcfgywsn.dll
2007-02-26 08:18 26637 ---hs---- C:\WINDOWS\system32\fccyabx.dll
2007-02-25 17:53 26637 ---hs---- C:\WINDOWS\system32\nnnnnll.dll
2007-02-25 11:34 -------- d-------- C:\DOCUME~1\Xerion\DANEAP~1\jetico personal firewall
2007-02-24 21:38 57856 --ahs---- C:\WINDOWS\system32\urdvxc.exe
2007-02-24 19:19 -------- d-------- C:\Program Files\regcleaner
2007-02-24 17:06 57344 --ahs---- C:\WINDOWS\system32\irdvxc.exe
2007-02-23 20:01 -------- d-------- C:\Program Files\ashampoo
2007-02-23 16:39 -------- d-------- C:\DOCUME~1\Xerion\DANEAP~1\help
2007-02-23 15:14 -------- d-------- C:\Program Files\Common Files\nero
2007-02-22 19:30 -------- d-------- C:\Program Files\opera
2007-02-22 19:30 -------- d-------- C:\DOCUME~1\Xerion\DANEAP~1\opera
2007-02-22 19:29 -------- d-------- C:\Program Files\skype
2007-02-22 19:14 -------- d-------- C:\Program Files\teamspeak2_rc2
2007-02-22 19:14 -------- d-------- C:\DOCUME~1\Xerion\DANEAP~1\teamspeak2
2007-02-22 19:11 -------- d-------- C:\Program Files\sunbelt software
2007-02-22 19:06 -------- d-------- C:\Program Files\sagem
2007-02-22 19:05 -------- d-------- C:\Program Files\javasoft
2007-02-22 19:03 -------- d-------- C:\Program Files\alwil software
2007-02-22 19:01 -------- d-------- C:\Program Files\realtek sound manager
2007-02-22 19:01 -------- d-------- C:\Program Files\avrack
2007-02-22 19:00 -------- d-------- C:\Program Files\amd
2007-02-22 18:53 -------- d-------- C:\Program Files\messenger
2007-02-22 18:52 -------- d--h----- C:\Program Files\windowsupdate
2007-02-22 18:50 -------- d-------- C:\Program Files\microsoft frontpage
2007-02-22 18:49 0 -rahs---- C:\MSDOS.SYS
2007-02-22 18:49 0 -rahs---- C:\IO.SYS
2007-02-22 18:49 0 --a------ C:\CONFIG.SYS
2007-02-22 18:49 0 --a------ C:\AUTOEXEC.BAT
2007-02-22 18:48 -------- d-------- C:\Program Files\movie maker
2007-02-22 18:47 21856 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-02-22 18:47 -------- d-------- C:\Program Files\usugi online
2007-02-22 18:47 -------- d-------- C:\Program Files\Common Files\mssoap
2007-02-22 18:46 -------- d-------- C:\Program Files\windows nt
2007-02-22 18:46 -------- d-------- C:\Program Files\msn gaming zone
2007-02-22 18:40 -------- d-------- C:\Program Files\Common Files\odbc
2007-02-22 18:39 62 --ahs---- C:\DOCUME~1\Xerion\DANEAP~1\desktop.ini
2007-02-22 18:39 -------- d-------- C:\Program Files\Common Files\speechengines
2007-02-15 10:24 7188 --a------ C:\WINDOWS\system32\drivers\Hmonitor.sys
2007-01-15 19:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe
2007-01-15 19:23 90112 --a------ C:\WINDOWS\system32\avastss.scr


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe"
"Gadu-Gadu"=""C:\Program Files\Gadu-Gadu\gg.exe" /tray"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
"WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe"
"WOOTASKBARICON"="C:\PROGRA~1\Wanadoo\TaskbarIcon.exe"
"COMODO Firewall Pro"=""C:\Program Files\Comodo\Firewall\CPF.exe" /background"
"NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages    REG_MULTI_SZ    msv1_0\0\0
Security Packages          REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages      REG_MULTI_SZ    scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService      REG_MULTI_SZ    Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService    REG_MULTI_SZ    DnsCache\0\0
rpcss             REG_MULTI_SZ    RpcSs\0\0
imgsvc            REG_MULTI_SZ    StiSvc\0\0
termsvcs          REG_MULTI_SZ    TermService\0\0

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-08 17:46:07
C:\ComboFix-quarantined-files.txt ... 07-04-08 17:46
C:\ComboFix2.txt ... 07-04-08 17:01
Ehh, something seems to have worked, the Avast error no longer shows up… but Neo takes quite a while to start… I think I'll convert Neo to a standalone connection (you once gave me a link to a post about that). Thx for everything, and just check whether everything is really fine :mrgreen:
adam9870
(adam9870)
8 April 2007 16:00
#8
Now you'll be doing the steps in Gmer, so run it, wait a moment, and click the >>> tab to open the remaining ones.
Delete the HJT entry if it's there.
When done, paste new logs.
xerion7
(Miki Ziomek)
8 April 2007 16:23
#9
Task done :)
Logs:
HJT:
SilentRunner:
ComboFix:
It works, but Neostrada somehow won't start; I only managed to launch it through “Connection options” in the Control Panel, otherwise it says system components are missing? What do you suggest, master? :mrgreen:
adam9870
(adam9870)
8 April 2007 18:35
#10
Download KillBox, tick Delete on reboot, and in the full path of file field paste the path:
C:\WINDOWS\system32\pykwokdc.dll
Click the red X and restart the computer.
When done, you can post a new ComboFix log.
I suggest removing the Neostrada access application and configuring the connection manually:
http://forum.dobreprogramy.pl/viewtopic.php?t=91864
xerion7
(Miki Ziomek)
8 April 2007 19:23
#11
Done, master…
COMBOFIX LOGS:
I hope that's the end of it :)) :mrgreen:
adam9870
(adam9870)
9 April 2007 09:07
#12
It's OK now.
Minor cosmetics:
If you don't use advanced text services, turn them off: Control Panel => Regional Options => Languages => Details => Advanced => tick turn off advanced text services.
In the messenger's options you can disable launching at system startup if you don't need it.
I suggest removing the Neostrada access application and configuring the connection manually:
http://forum.dobreprogramy.pl/viewtopic.php?t=91864
xerion7
(Miki Ziomek)
9 April 2007 09:15
#13
OK, thanks master, I'll take care of those small things in a moment…
And one more question, in:
My Computer >>> C
I have 2 new folders (they appeared on their own)
KillBox (I know where that one's from)
QooBox (but where's this one from?)
In “QooBox” I have two such files:
A folder inside Quarantine, and in it
Registry Backup
Windows >>> System32 >>> “.exe.vir” and “81.exe.vir”
What is this??? Is it from some program I've used??
adam9870
(adam9870)
9 April 2007 09:34
#14
KillBox - the folder where copies of files deleted by KillBox are kept, in case a legitimate file gets deleted.
QooBox - ComboFix's quarantine folder.
You can safely delete both folders.