Problemy z pamiecią RAM

cudaczek61 · 29 Styczeń 2009 17:18

witam,dzisiaj przy próbie uruchomienia photoszopa wyskoczyło mi ze mało pamięci ram,wolno komp startuje i wogóle zamula coś dysk dodam ze jest to laptop.dodaje logi z hijactkhis:

Logfile of HijackThis v1.99.1 Scan saved at 18:07:10, on 2009-01-29 Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Acer\Empowering Technology\ePerformance\MemCheck.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\atwtusb.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\AhnRpta.exe C:\WINDOWS\system32\atwtusb.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\RTHDCPL.EXE C:\Acer\Empowering Technology\ePresentation\ePresentation.exe C:\Acer\Empowering Technology\ePower\ePower_DMC.exe C:\Acer\Empowering Technology\eRecovery\eRAgent.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\WTMKM.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\Program Files\Mozilla Firefox\firefox.exe d:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Maciek\USTAWI~1\Temp\Rar$EX00.281\HijackThis.exe ?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Program Files\AOL Security Toolbar\tbuC\AOL_security_toolbar.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Program Files\AOL Security Toolbar\tbuC\AOL_security_toolbar.dll O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL O4 - HKLM…\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM…\Run: [iMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32 O4 - HKLM…\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM…\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM…\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM…\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe O4 - HKLM…\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe O4 - HKLM…\Run: [boot] C:\Acer\Empowering Technology\ePower\Boot.exe O4 - HKLM…\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe O4 - HKLM…\Run: [imageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [MacrokeyManager] WTMKM.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKCU…\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden O4 - HKCU…\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Wpis w blogu - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra ‘Tools’ menuitem: &Wpis w blogu w Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_29.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: WTService - Unknown owner - C:\WINDOWS\system32\atwtusb.exe

oraz z silent runners

“Silent Runners.vbs”, revision 59, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “AdobeUpdater” = “C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe” [“Adobe Systems Incorporated”] “LightScribe Control Panel” = “C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden” [“Hewlett-Packard Company”] “cdoosoft” = “C:\WINDOWS\system32\olhrwef.exe” [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “AGRSMMSG” = “AGRSMMSG.exe” [“Agere Systems”] “RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”] “AzMixerSel” = “C:\Program Files\Realtek\InstallShield\AzMixerSel.exe” [“Realtek Semiconductor Corp.”] “IMJPMIG8.1” = ““C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32” [MS] “MSPY2002” = “C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC” [null data] “PHIME2002ASync” = “C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC” [MS] “PHIME2002A” = “C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName” [MS] “Acer ePresentation HPD” = “C:\Acer\Empowering Technology\ePresentation\ePresentation.exe” [null data] “ePower_DMC” = “C:\Acer\Empowering Technology\ePower\ePower_DMC.exe” [null data] “Boot” = “C:\Acer\Empowering Technology\ePower\Boot.exe” [null data] “eRecoveryService” = “C:\Acer\Empowering Technology\eRecovery\eRAgent.exe” [“Acer Inc.”] “ImageItEncrypt” = “C:\WINDOWS\system32\ImageItEncrypt.exe” [null data] “TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”] “MacrokeyManager” = “WTMKM.exe” [null data] “NeroFilterCheck” = “C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [“Nero AG”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”” [“Sun Microsystems, Inc.”] HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}(Default) = “IE7 Uninstall Stub” \StubPath = “C:\WINDOWS\system32\ieudinit.exe” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6}(Default) = “XBTP06568” -> {HKLM…CLSID} = “XBTP06568 Class” \InProcServer32(Default) = “C:\Program Files\AOL Security Toolbar\tbuC\AOL_security_toolbar.dll” [null data] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll” [“Sun Microsystems, Inc.”] {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}(Default) = “Ask Toolbar BHO” -> {HKLM…CLSID} = “Ask Toolbar BHO” \InProcServer32(Default) = “C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL” [“Ask.com”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler” -> {HKLM…CLSID} = “NeroDigitalIconHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] “{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler” -> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] “{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}” = “Skladnik rozszerzenia powloki CorelDRAW” -> {HKLM…CLSID} = “CorelDRAW Shell Extension Component” \InProcServer32(Default) = “d:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll” [null data] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “d:\Program Files\WinRAR\rarext.dll” [null data] “{00F33137-EE26-412F-8D71-F84E4C2C6625}” = (no title provided) -> {HKLM…CLSID} = “Windows Live Photo Gallery Import Autoplay Shim” \InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS] “{00F346CB-35A4-465B-8B8F-65A29DBAB1F6}” = “Windows Live Photo Gallery Viewer Drop Target Shim” -> {HKLM…CLSID} = “Windows Live Photo Gallery Viewer Shim” \InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS] “{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D}” = “Windows Live Photo Gallery Editor Drop Target Shim” -> {HKLM…CLSID} = “Windows Live Photo Gallery Editor Shim” \InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS] “{00F30F90-3E96-453B-AFCD-D71989ECC2C7}” = “Windows Live Photo Gallery Autoplay Drop Target Shim” -> {HKLM…CLSID} = “Windows Live Photo Gallery Viewer Autoplay Shim” \InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS] “{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}” = “NeroCoverEd Live Icons” -> {HKLM…CLSID} = “NeroCoverEdLiveIcons Class” \InProcServer32(Default) = “C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll” [“Nero AG”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{BB4C402F-882A-4526-8C08-51278EA437C1}” = “hook dll rising” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\afmain0.dll” [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler” -> {HKLM…CLSID} = “NeroDigitalColumnHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] HKLM\SOFTWARE\Classes*\shellex\ContextMenuHandlers\ Cover Designer(Default) = “{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}” -> {HKLM…CLSID} = “NeroCoverEdContextMenu Class” \InProcServer32(Default) = “C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll” [“Nero AG”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “d:\Program Files\WinRAR\rarext.dll” [null data] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “d:\Program Files\WinRAR\rarext.dll” [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “d:\Program Files\WinRAR\rarext.dll” [null data] Default executables: -------------------- <> HKLM\SOFTWARE\Classes.com(Default) = “ComFile” Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoDrives” = (REG_DWORD) dword:0x00000000 {unrecognized setting} “NoControlPanel” = (REG_DWORD) dword:0x00000000 {unrecognized setting} “NoSetTaskbar” = (REG_DWORD) dword:0x00000000 {Prevent changes to Taskbar and Start Menu Settings} “NoRun” = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoDrives” = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “NoDispCPL” = (REG_DWORD) dword:0x00000000 {Remove Display in Control Panel} “DisableTaskMgr” = (REG_DWORD) dword:0x00000000 {Remove Task Manager} “DisableRegistryTools” = (REG_DWORD) dword:0x00000000 {Prevent access to registry editing tools} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on} “DisableRegistryTools” = (REG_DWORD) dword:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Maciek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ LightScribeOnArrivalAP\ “Provider” = “LightScribe Direct Disc Labeling” “InvokeProgID” = “LightScribe.AutoPlayHandler” “InvokeVerb” = “LabelLightScribeDisc” HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command(Default) = “C:\Program Files\Common Files\LightScribe\LsLauncher.exe” [“Hewlett-Packard Company”] MSLivePhotoAcqHWEventHandler\ “Provider” = “@C:\Program Files\Windows Live\Photo Gallery\regres.dll,-10” “ProgID” = “Microsoft.LivePhotoAcqHWEventHandler” HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqHWEventHandler\CLSID(Default) = “{3BD0ACD1-71CA-4475-92CC-E0AA0AAF843F}” -> {HKLM…CLSID} = (no title provided) \LocalServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe” [MS] MSLivePhotoAcquireDropHandler\ “Provider” = “@C:\Program Files\Windows Live\Photo Gallery\regres.dll,-10” “InvokeProgID” = “Microsoft.LivePhotoAcqDTShim.1” “InvokeVerb” = “open” HKLM\SOFTWARE\Classes\Microsoft.LivePhotoAcqDTShim.1\shell\open\DropTarget\CLSID = “{00F33137-EE26-412F-8D71-F84E4C2C6625}” -> {HKLM…CLSID} = “Windows Live Photo Gallery Import Autoplay Shim” \InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS] MSLiveShowPicturesOnArrival\ “Provider” = “@C:\Program Files\Windows Live\Photo Gallery\regres.dll,-10” “InvokeProgID” = “Microsoft.Photos.LiveAutoplayShim.1” “InvokeVerb” = “open” HKLM\SOFTWARE\Classes\Microsoft.Photos.LiveAutoplayShim.1\shell\open\DropTarget\CLSID = “{00F30F90-3E96-453B-AFCD-D71989ECC2C7}” -> {HKLM…CLSID} = “Windows Live Photo Gallery Viewer Autoplay Shim” \InProcServer32(Default) = “C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll” [MS] MSLiveVideoCameraArrivalCaptureWizard\ “Provider” = “@C:\Program Files\Windows Live\Photo Gallery\regres.dll,-10” “ProgID” = “WLXAutoPlayMgr.WLXHWEventHandler” “InitCmdLine” = “WLXVideoAcquireWizard” HKLM\SOFTWARE\Classes\WLXAutoPlayMgr.WLXHWEventHandler\CLSID(Default) = “{9B5C97F6-B3A5-4A6D-8B03-993EC7291A22}” -> {HKLM…CLSID} = “WLXWEventHandler Class” \LocalServer32(Default) = ““C:\Program Files\Windows Live\Photo Gallery\WLXVideoCameraAutoPlayManager.exe”” [MS] NeroAutoPlay7AudioToNeroDigital\ “Provider” = “Nero Burning ROM” “InvokeProgID” = “Nero.AutoPlay7” “InvokeVerb” = “AudioToNeroDigital_PlayCDAudioOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command(Default) = “C:\Program Files\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks %L” [“Nero AG”] NeroAutoPlay7CDAudio\ “Provider” = “Nero Express” “InvokeProgID” = “Nero.AutoPlay7” “InvokeVerb” = “CDAudio_HandleCDBurningOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CDAudio_HandleCDBurningOnArrival\command(Default) = “C:\Program Files\Nero\Nero 7\Core\nero.exe -w /New:AudioCD” [“Nero AG”] NeroAutoPlay7CopyCD\ “Provider” = “Nero Burning ROM” “InvokeProgID” = “Nero.AutoPlay7” “InvokeVerb” = “CopyCD_PlayMusicFilesOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CopyCD_PlayMusicFilesOnArrival\command(Default) = “C:\Program Files\Nero\Nero 7\Core\nero.exe /Dialog:DiscCopy %L” [“Nero AG”] NeroAutoPlay7DataDisc\ “Provider” = “Nero Express” “InvokeProgID” = “Nero.AutoPlay7” “InvokeVerb” = “DataDisc_HandleCDBurningOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\DataDisc_HandleCDBurningOnArrival\command(Default) = “C:\Program Files\Nero\Nero 7\Core\nero.exe -w /New:ISODisc” [“Nero AG”] NeroAutoPlay7LaunchNeroStartSmart\ “Provider” = “Nero StartSmart” “InvokeProgID” = “Nero.AutoPlay7” “InvokeVerb” = “LaunchNeroStartSmart_HandleCDBurningOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival\command(Default) = “C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe /AutoPlay” [“Nero AG”] NeroAutoPlay7PlayAudioCD\ “Provider” = “Nero ShowTime” “InvokeProgID” = “Nero.AutoPlay7” “InvokeVerb” = “PlayAudioCD_PlayMusicFilesOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayAudioCD_PlayMusicFilesOnArrival\command(Default) = “C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L” [“Nero AG”] NeroAutoPlay7PlayDVD\ “Provider” = “Nero ShowTime” “InvokeProgID” = “Nero.AutoPlay7” “InvokeVerb” = “PlayDVD_PlayVideoFilesOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayDVD_PlayVideoFilesOnArrival\command(Default) = “C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L” [“Nero AG”] NeroAutoPlay7RipCD\ “Provider” = “Nero Burning ROM” “InvokeProgID” = “Nero.AutoPlay7” “InvokeVerb” = “RipCD_PlayCDAudioOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\RipCD_PlayCDAudioOnArrival\command(Default) = “C:\Program Files\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks %L” [“Nero AG”] NeroAutoPlay7TranscodeVideo\ “Provider” = “Nero Recode” “InvokeProgID” = “Nero.AutoPlay7” “InvokeVerb” = “TranscodeVideo_PlayDVDMovieOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\TranscodeVideo_PlayDVDMovieOnArrival\command(Default) = “C:\Program Files\Nero\Nero 7\Nero Recode\Recode.exe /New:CopyDVDVideo” [“Nero AG”] NeroAutoPlay7VideoCapture\ “Provider” = “Nero Vision” “ProgID” = “Shell.HWEventHandlerShellExecute” “InitCmdLine” = ““C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe” /New:VideoCapture” HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID(Default) = “{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” -> {HKLM…CLSID} = “ShellExecute HW Event Handler” \LocalServer32(Default) = “rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” [MS] NeroAutoPlay7ViewPhotos\ “Provider” = “Nero PhotoSnap Viewer” “InvokeProgID” = “Nero.AutoPlay7” “InvokeVerb” = “ViewPhotos_ShowPicturesOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\ViewPhotos_ShowPicturesOnArrival\command(Default) = “C:\Program Files\Nero\Nero 7\Nero PhotoSnap\PhotoSnapViewer.exe /” [“Nero AG”] RPCDBurningOnArrival\ “Provider” = “RealPlayer” “InvokeProgID” = “RealPlayer.CDBurn.6” “InvokeVerb” = “open” HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command(Default) = "“d:\Program Files\Real\RealPlayer\RealPlay.exe” /burn “%1"” [“RealNetworks, Inc.”] RPDeviceOnArrival\ “Provider” = “RealPlayer” “ProgID” = “RealPlayer.HWEventHandler” HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID(Default) = “{67E76F1D-BDE2-4052-913C-2752366192D2}” -> {HKLM…CLSID} = “RealNetworks Scheduler” \LocalServer32(Default) = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -autoplay” [“RealNetworks, Inc.”] RPPlayCDAudioOnArrival\ “Provider” = “RealPlayer” “InvokeProgID” = “RealPlayer.AudioCD.6” “InvokeVerb” = “play” HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command(Default) = "“d:\Program Files\Real\RealPlayer\RealPlay.exe” /play %1 " [“RealNetworks, Inc.”] RPPlayDVDMovieOnArrival\ “Provider” = “RealPlayer” “InvokeProgID” = “RealPlayer.DVD.6” “InvokeVerb” = “play” HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command(Default) = "“d:\Program Files\Real\RealPlayer\RealPlay.exe” /dvd %1 " [“RealNetworks, Inc.”] RPPlayMediaOnArrival\ “Provider” = “RealPlayer” “InvokeProgID” = “RealPlayer.AutoPlay.6” “InvokeVerb” = “open” HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command(Default) = "“d:\Program Files\Real\RealPlayer\RealPlay.exe” /autoplay “%1"” [“RealNetworks, Inc.”] Startup items in “Maciek” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Gamma Loader” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] Enabled Scheduled Tasks: ------------------------ “AppleSoftwareUpdate” -> launches: “C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task” [“Apple Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{3BB63FD4-3C00-44D7-94A9-5DE211900DEF}” -> {HKLM…CLSID} = “AOL Security Toolbar” \InProcServer32(Default) = “C:\Program Files\AOL Security Toolbar\tbuC\AOL_security_toolbar.dll” [null data] “{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}” -> {HKLM…CLSID} = “Ask Toolbar” \InProcServer32(Default) = “C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL” [“Ask.com”] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ “{3BB63FD4-3C00-44D7-94A9-5DE211900DEF}” = (no title provided) -> {HKLM…CLSID} = “AOL Security Toolbar” \InProcServer32(Default) = “C:\Program Files\AOL Security Toolbar\tbuC\AOL_security_toolbar.dll” [null data] “{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}” = (no title provided) -> {HKLM…CLSID} = “Ask Toolbar” \InProcServer32(Default) = “C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL” [“Ask.com”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_02” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_02” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll” [“Sun Microsystems, Inc.”] {219C3416-8CB2-491A-A3C7-D9FCDDC9D600}\ “ButtonText” = “Wpis w blogu” “MenuText” = “&Wpis w blogu w Windows Live Writer” “CLSIDExtension” = “{5F7B1267-94A9-47F5-98DB-E99415F33AEC}” -> {HKLM…CLSID} = “BlogThisToolbarButton Class” \InProcServer32(Default) = “C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll” [MS] {77BF5300-1474-4EC7-9980-D32B190E9B07}\ “ButtonText” = “Skype” “CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}” -> {HKLM…CLSID} = “Skype add-on (button)” \InProcServer32(Default) = “C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”] {E2E2DD38-D088-4134-82B7-F2BA38496583}\ “MenuText” = “@xpsp3res.dll,-20001” “Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [“Hewlett-Packard Company”] Memory Check Service, AcerMemUsageCheckService, “C:\Acer\Empowering Technology\ePerformance\MemCheck.exe” [null data] Symantec Core LC, Symantec Core LC, ““C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe”” [“Symantec Corporation”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] WTService, WTService, “C:\WINDOWS\system32\atwtusb.exe -s” [null data] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Microsoft Shared Fax Monitor\Driver = “FXSMON.DLL” [MS] ---------- (launch time: 2009-01-29 18:11:13) <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 47 seconds. ---------- (total run time: 116 seconds)

prosze o pomoc i dziekuje

A_ExtereY · 29 Styczeń 2009 17:22

W HijackThis poniższe wpisy zaznaczasz fajką i klikasz na “Fix checked”:

Daj log z ComboFix -> viewtopic.php?f=16&t=36654 (log wrzucasz na wklejto.pl a w poście dajesz tylko link).

cudaczek61 · 29 Styczeń 2009 17:44

oto link kombofixa http://www.wklejto.pl/24389

huber2t · 29 Styczeń 2009 18:53

Do wyleczenia pendrive z wirusów użyj tych programów

Wklej do notatnika:

File::

C:\gy.exe

C:\w98.com

c:\windows\system32\nmdfgds1.dll

c:\windows\system32\olhrwef.exe

c:\windows\system32\nmdfgds0.dll

c:\windows\AhnRpta.exe


Driver::

Dailrvcrpns


Folder::

C:\FOUND.019

C:\FOUND.021

C:\FOUND.020


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

Plik -> zapisz jako -> CFScript.txt.

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu->

Rozpocznie się usuwanie i powstanie log, który dasz na forum.

Logi dajesz na http://wklej.eu lub na http://wklej.org a w poście dajesz tylko link

cudaczek61 · 29 Styczeń 2009 19:45

zrobilem jak pisales oto log:

http://www.wklejto.pl/24416

miedzy czasie zainstalowalem antywirusa bo to nie moj kom jak tak mozna funkcjonowac :o

huber2t · 29 Styczeń 2009 19:50

Wykonaj ponownie to co napisałem

cudaczek61 · 30 Styczeń 2009 06:38

ponowny log

http://www.wklejto.pl/24449

niestety dzisiaj rano wstawiam bo przez noc skanowalo i od groma wywalil robakow

huber2t · 30 Styczeń 2009 06:58

Wklej do notatnika:

File::

c:\windows\system32\SET12E7.tmp

c:\windows\system32\SET12DF.tmp

c:\windows\system32\SET12DE.tmp

c:\windows\system32\SET12DC.tmp

c:\windows\system32\SET12DD.tmp


Folder::

C:\FOUND.017

C:\FOUND.018

Plik -> zapisz jako -> CFScript.txt.

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu->

Rozpocznie się usuwanie i powstanie log, który dasz na forum.

Logi dajesz na http://wklej.eu lub na http://wklej.org a w poście dajesz tylko link

cudaczek61 · 12 Luty 2009 22:41

ComboFix 09-02-12.03 - Maciek 2009-02-12 23:30:09.6 - FAT32x86 Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.446.104 [GMT 1:00] Uruchomiony z: c:\documents and settings\Maciek\Pulpit\ComboFix.exe Użyto następujących komend :: c:\documents and settings\Maciek\Pulpit\CFScript.txt…txt AV: avast! antivirus 4.8.1201 [VPS 090129-0] *On-access scanning disabled* (Outdated) * Utworzono nowy punkt przywracania FILE :: c:\windows\system32\SET12DC.tmp c:\windows\system32\SET12DD.tmp c:\windows\system32\SET12DE.tmp c:\windows\system32\SET12DF.tmp c:\windows\system32\SET12E7.tmp . ((((((((((((((((((((((((((((((((((((((( Usunięto ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\1utbfd.bat C:\2aaxaiy.exe C:\autorun.inf C:\FOUND.017 c:\found.017\FILE0000.CHK C:\FOUND.018 c:\found.018\FILE0000.CHK c:\found.018\FILE0002.CHK c:\found.018\FILE0003.CHK C:\m0vnonh.bat C:\pook.com c:\windows\system32\nmdfgds0.dll c:\windows\system32\nmdfgds1.dll c:\windows\system32\olhrwef.exe c:\windows\system32\SET12DC.tmp c:\windows\system32\SET12DD.tmp c:\windows\system32\SET12DE.tmp c:\windows\system32\SET12DF.tmp c:\windows\system32\SET12E7.tmp D:\1utbfd.bat D:\2aaxaiy.exe D:\Autorun.inf D:\m0vnonh.bat D:\pook.com J:\8.bat J:\autorun.inf J:\uvsqfgwd.cmd . ((((((((((((((((((((((((( Pliki utworzone od 2009-01-12 do 2009-02-12 ))))))))))))))))))))))))))))))) . 2009-02-12 21:50 . 2009-02-12 21:49 108,565 -r-hs---- C:\ur0.com 2009-02-11 17:30 . 1998-09-02 09:02 194,320 --a------ c:\windows\system32\qcut.dll 2009-02-11 17:30 . 1998-08-27 05:51 182,032 --a------ c:\windows\system32\dxtmsft3.dll 2009-02-11 17:30 . 1998-08-20 12:02 140,800 --a------ c:\windows\system32\tm20dec.ax 2009-02-11 17:30 . 1998-09-02 09:28 63,488 --a------ c:\windows\system32\unam4ie.exe 2009-02-11 17:30 . 1998-09-02 09:28 38,160 --a------ c:\windows\system32\LMRTREND.dll 2009-02-11 17:30 . 1998-08-17 10:21 11,776 --a------ c:\windows\system32\mciqtz.drv 2009-02-11 17:30 . 1998-08-17 10:21 10,240 --a------ c:\windows\system32\vidx16.dll 2009-02-11 17:30 . 1998-08-17 10:21 5,672 --a------ c:\windows\system32\quartz.vxd 2009-02-11 17:30 . 2009-02-11 17:30 4,608 --a------ c:\windows\system32\w95inf32.dll 2009-02-11 17:30 . 2009-02-11 17:30 2,272 --a------ c:\windows\system32\w95inf16.dll 2009-02-11 17:23 . 2009-02-11 17:43 9 --a------ c:\windows\Sierra.ini 2009-02-11 17:16 . 2009-02-11 17:16 2009-02-10 20:51 . 2009-02-11 17:13 108,067 -r-hs---- C:\opgde.exe 2009-02-03 10:28 . 2009-02-03 10:28 109,930 -r-hs---- C:\a2h2.com 2009-02-03 09:20 . 2006-06-20 09:56 225,280 --a------ c:\windows\system32\rewire.dll 2009-02-03 09:19 . 2009-02-03 09:19 2009-02-03 09:19 . 2009-02-03 09:19 2009-02-03 09:19 . 2002-07-07 23:14 1,294,336 --a------ c:\windows\system32\vorbis.acm 2009-01-30 15:04 . 2009-01-30 15:04 2009-01-29 19:12 . 2009-01-29 19:12 2009-01-29 17:48 . 2009-01-29 17:48 2009-01-29 17:48 . 2009-01-29 17:48 2009-01-29 17:48 . 2009-01-29 17:48 2009-01-29 17:43 . 2009-01-29 17:43 2009-01-29 17:34 . 2009-01-29 17:34 2009-01-29 17:32 . 2009-01-29 17:32 2009-01-29 17:32 . 2009-01-29 17:32 2009-01-21 14:46 . 2009-01-26 10:14 151 --a------ c:\windows\PhotoSnapViewer.INI 2009-01-17 22:25 . 2009-01-17 22:25 2009-01-17 22:21 . 2009-01-17 22:21 . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-02 10:48 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Nero 2008-12-12 17:03 3,088,896 ------w c:\windows\system32\dllcache\mshtml.dll 2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys 2008-12-22 07:24 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll 2008-12-22 07:24 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll 2008-12-22 07:24 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll 2008-12-22 07:24 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll 2008-12-22 07:24 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll 2007-10-23 19:54 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys 2007-10-23 19:54 88 --sh–r c:\windows\system32\BB780C9D54.sys . ------- Sigcheck ------- 2007-03-08 17:38 579072 a37a4637f84f8dd771274eaf8d17fa65 c:\windows\system32\user32.dll 2005-03-02 19:21 578560 6a93565be9b8422eb7538c66ac732d76 c:\windows$hf_mig$\KB890859\SP2QFE\user32.dll 2007-03-08 17:51 579584 11abdecc02efc1d2b6a6a0fa46c26594 c:\windows$hf_mig$\KB925902\SP2QFE\user32.dll 2004-08-04 20:00 578560 0c81764f50f32d376e6e4b9e9f4b01a0 c:\windows$NtUninstallKB890859$\user32.dll 2005-03-02 19:18 578560 b7eeb1a1af740306049241ddf61f21ff c:\windows$NtUninstallKB925902$\user32.dll 2007-03-08 17:38 579072 a37a4637f84f8dd771274eaf8d17fa65 c:\windows$NtServicePackUninstall$\user32.dll 2008-04-14 19:20 580096 a435c5c069afd901751ac323ad238793 c:\windows\ServicePackFiles\i386\user32.dll 2007-06-13 15:23 1034752 029a562e81bbee088c61d418bf408f44 c:\windows\explorer.exe 2007-06-13 15:12 1034752 8db0650b211425b9cdb7d1c4a8f6b482 c:\windows$hf_mig$\KB938828\SP2QFE\explorer.exe 2004-08-04 20:00 1033728 379098a96e6c165b659de7e4328010ea c:\windows$NtUninstallKB938828$\explorer.exe 2007-06-13 15:23 1034752 029a562e81bbee088c61d418bf408f44 c:\windows$NtServicePackUninstall$\explorer.exe 2008-04-14 19:21 1035264 c791ed9eac5e76d9525e157b1d7a599a c:\windows\ServicePackFiles\i386\explorer.exe 2005-06-11 00:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\system32\spoolsv.exe 2005-06-11 01:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows$hf_mig$\KB896423\SP2QFE\spoolsv.exe 2004-08-04 20:00 57856 bebe8a85954ff460374fd5a0cd21e19b c:\windows$NtUninstallKB896423$\spoolsv.exe 2005-06-11 00:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows$NtServicePackUninstall$\spoolsv.exe 2008-04-14 19:21 57856 dd69ec597ab942c39b950d9c3ce1375d c:\windows\ServicePackFiles\i386\spoolsv.exe . ((((((((((((((((((((((((((((( snapshot@2009-01-29_18.24.07,64 ))))))))))))))))))))))))))))))))))))))))) . + 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE + 2008-05-16 00:24:44 1,152,888 ----a-w c:\windows\system32\aswBoot.exe + 2008-05-16 00:12:36 95,608 ----a-w c:\windows\system32\AvastSS.scr + 2008-04-14 18:20:34 33,792 ----a-w c:\windows\system32\dllcache\lmmib2.dll + 2008-04-14 18:20:44 84,992 ----a-w c:\windows\system32\dllcache\olepro32.dll + 2008-05-16 00:13:26 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys + 2008-05-16 00:16:06 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys + 2008-01-17 17:34:02 93,264 ----a-w c:\windows\system32\drivers\aswmon.sys + 2008-05-16 00:18:34 94,416 ----a-w c:\windows\system32\drivers\aswmon2.sys + 2008-05-16 00:15:30 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys + 2008-05-16 00:20:32 78,416 ----a-w c:\windows\system32\drivers\aswSP.sys + 2008-05-16 00:14:12 42,912 ----a-w c:\windows\system32\drivers\aswTdi.sys + 2008-04-14 18:20:34 33,792 ----a-w c:\windows\system32\lmmib2.dll - 2009-01-29 17:07:22 59,602 ----a-w c:\windows\system32\perfc009.dat + 2009-02-12 21:22:56 59,602 ----a-w c:\windows\system32\perfc009.dat - 2009-01-29 17:07:22 75,394 ----a-w c:\windows\system32\perfc015.dat + 2009-02-12 21:22:56 75,394 ----a-w c:\windows\system32\perfc015.dat - 2009-01-29 17:07:22 393,972 ----a-w c:\windows\system32\perfh009.dat + 2009-02-12 21:22:56 393,972 ----a-w c:\windows\system32\perfh009.dat - 2009-01-29 17:07:22 450,082 ----a-w c:\windows\system32\perfh015.dat + 2009-02-12 21:22:56 450,082 ----a-w c:\windows\system32\perfh015.dat + 2009-02-12 22:33:50 16,384 ----a-w c:\windows\TEMP\Perflib_Perfdata_658.dat + 2009-02-12 22:35:00 16,384 ----a-w c:\windows\TEMP\Perflib_Perfdata_8e0.dat . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“c:\windows\system32\ctfmon.exe” [2004-08-04 15360] “AdobeUpdater”=“c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe” [2007-10-26 2321600] “LightScribe Control Panel”=“c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe” [2007-08-23 455968] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “AzMixerSel”=“c:\program files\Realtek\InstallShield\AzMixerSel.exe” [2005-08-24 53248] “IMJPMIG8.1”=“c:\windows\IME\imjp8_1\IMJPMIG.EXE” [2004-08-04 208952] “MSPY2002”=“c:\windows\system32\IME\PINTLGNT\ImScInst.exe” [2004-08-04 59392] “PHIME2002ASync”=“c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE” [2004-08-04 455168] “PHIME2002A”=“c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE” [2004-08-04 455168] “Acer ePresentation HPD”=“c:\acer\Empowering Technology\ePresentation\ePresentation.exe” [2006-03-31 204800] “ePower_DMC”=“c:\acer\Empowering Technology\ePower\ePower_DMC.exe” [2006-04-04 421888] “Boot”=“c:\acer\Empowering Technology\ePower\Boot.exe” [2006-03-15 579584] “eRecoveryService”=“c:\acer\Empowering Technology\eRecovery\eRAgent.exe” [2006-04-28 401408] “ImageItEncrypt”=“c:\windows\system32\ImageItEncrypt.exe” [2005-12-30 40960] “TkBellExe”=“c:\program files\Common Files\Real\Update_OB\realsched.exe” [2007-01-04 185896] “NeroFilterCheck”=“c:\program files\Common Files\Ahead\Lib\NeroCheck.exe” [2007-03-01 153136] “SunJavaUpdateSched”=“c:\program files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 132496] “avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2008-05-16 79224] “AGRSMMSG”=“AGRSMMSG.exe” [2005-12-12 c:\windows\AGRSMMSG.exe] “RTHDCPL”=“RTHDCPL.EXE” [2006-02-10 c:\windows\RTHDCPL.exe] “MacrokeyManager”=“WTMKM.exe” [2007-09-03 c:\windows\system32\WTMKM.exe] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“c:\windows\system32\CTFMON.EXE” [2004-08-04 15360] c:\documents and settings\All Users\Menu Start\Programy\Autostart\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-13 113664] c:\documents and settings\All Users\Menu Start\Programy\Autostart\AutorunsDisabled Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048] Adobe Reader Synchronizer.lnk - d:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872] Last.fm Helper.lnk - d:\program files\Last.fm\LastFMHelper.exe [2007-07-29 106496] [HKEY_LOCAL_MACHINE\software\microsoft\security center] “AntiVirusDisableNotify”=dword:00000001 [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] “%windir%\system32\sessmgr.exe”= “%windir%\Network Diagnostic\xpnetdiag.exe”= “d:\Program Files\Gadu-Gadu\gg.exe”= “d:\Program Files\Real\RealPlayer\RealPlay.exe”= “d:\Program Files\Last.fm\LastFM.exe”= “d:\Program Files\Vuze\Azureus.exe”= “c:\Program Files\Skype\Phone\Skype.exe”= [HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] “8461:TCP”= 8461:TCP:GoD High Port “8462:TCP”= 8462:TCP:GoD Low Port R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-29 78416] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-29 20560] R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?] S1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-03-12 23168] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2006-12-16 102712] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] \Shell\AutoRun\command - F:\xyw9tmdj.com \Shell\explore\Command - F:\xyw9tmdj.com \Shell\open\Command - F:\xyw9tmdj.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{4fedb59e-f44a-11dd-8d4e-00163662fc43}] \Shell\AutoRun\command - F:\pook.com \Shell\open\Command - F:\pook.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{e14f2d6a-f1d4-11dd-8d47-00163662fc43}] \Shell\AutoRun\command - F:\pook.com \Shell\open\Command - F:\pook.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{ec18a1e8-c111-11dd-8ccc-00163662fc43}] \Shell\AutoRun\command - F:\a2h2.com \Shell\open\Command - F:\a2h2.com [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components{10880D85-AAD9-4558-ABDC-2AB1552D831F}] “c:\program files\Common Files\LightScribe\LSRunOnce.exe” . Zawartość folderu ‘Zaplanowane zadania’ 2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42] . - - - - USUNIĘTO PUSTE WPISY - - - - HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe . ------- Skan uzupełniający ------- . uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = hxxp://www.aceradvantage.com/stdreg FF - ProfilePath - c:\documents and settings\Maciek\Dane aplikacji\Mozilla\Firefox\Profiles\x3o6cc9j.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-12 23:34:48 Windows 5.1.2600 Dodatek Service Pack 3 FAT NTAPI skanowanie ukrytych procesów … skanowanie ukrytych wpisów autostartu … skanowanie ukrytych plików … skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . --------------------- ZABLOKOWANE KLUCZE REJESTRU --------------------- [HKEY_USERS\S-1-5-21-3332477278-378396504-1455552419-1006\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) [HKEY_LOCAL_MACHINE\software\Classes\CLSID{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “cd042efbbd7f7af1647644e76e06692b”=hex:c8,28,51,af,b0,29,a3,98,1e,6b,c1,02,44, 0a,e8,28,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “bca643cdc5c2726b20d2ecedcc62c59b”=hex:71,3b,04,66,8b,46,0d,96,e0,4e,97,ee,1d, 8f,0e,1d,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “2c81e34222e8052573023a60d06dd016”=hex:ff,7c,85,e0,43,d4,0e,fe,d4,e9,cc,ce,25, 8c,b5,c4,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “2582ae41fb52324423be06337561aa48”=hex:6b,65,49,6a,7e,99,74,f7,e5,61,c1,8d,21, e8,7c,c5,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “caaeda5fd7a9ed7697d9686d4b818472”=hex:f5,1d,4d,73,a8,13,5c,05,e5,f5,33,d5,17, 3f,c9,cf,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “a4a1bcf2cc2b8bc3716b74b2b4522f5d”=hex:b0,18,ed,a7,3f,8d,37,a4,ff,ad,31,6f,e7, d6,cf,6d,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “4d370831d2c43cd13623e232fed27b7b”=hex:97,20,4e,9a,c7,f1,35,ee,18,c4,f5,15,87, e7,7e,b4,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “1d68fe701cdea33e477eb204b76f993d”=hex:01,3a,48,fc,e8,04,4a,f1,1b,23,1c,4d,33, a3,31,8d,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “1fac81b91d8e3c5aa4b0a51804d844a3”=hex:51,fa,6e,91,28,9e,14,cc,d5,f8,46,b2,dc, b4,66,e8,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “f5f62a6129303efb32fbe080bb27835b”=hex:37,a4,aa,c3,a6,15,56,0a,dc,2b,37,ea,af, 32,77,41,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “fd4e2e1a3940b94dceb5a6a021f2e3c6”=hex:2a,b7,cc,b5,b9,7f,41,e7,04,dd,ea,9a,19, 9e,81,a0,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*] “ThreadingModel”=“Apartment” @=“c:\WINDOWS\system32\OLE32.DLL” “8a8aec57dd6508a385616fbc86791ec2”=hex:6c,43,2d,1e,aa,22,2f,9c,e2,62,8a,20,98, 08,87,9e,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\ . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- - - - - - - - > ‘winlogon.exe’(676) c:\windows\system32\Ati2evxx.dll . ------------------------ Pozostałe uruchomione procesy ------------------------ . c:\windows\SYSTEM32\ATI2EVXX.EXE c:\windows\SYSTEM32\ATI2EVXX.EXE c:\program files\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE c:\program files\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe c:\windows\system32\wdfmgr.exe c:\windows\system32\atwtusb.exe c:\program files\Alwil Software\Avast4\ashMaiSv.exe c:\program files\Alwil Software\Avast4\ashWebSv.exe c:\windows\system32\wbem\unsecapp.exe c:\documents and settings\Maciek\Pulpit\AntiPica-en.exe . ************************************************************************** . Czas ukończenia: 2009-02-12 23:37:21 - komputer został uruchomiony ponownie ComboFix-quarantined-files.txt 2009-02-12 22:37:16 ComboFix4.txt 2009-01-29 17:40:32 ComboFix5.txt 2009-02-12 22:29:18 ComboFix3.txt 2009-01-29 19:40:32 ComboFix2.txt 2009-01-30 06:32:46 Przed: 22 062 202 880 bajtów wolnych Po: 22,226,796,544 bajtów wolnych 325 — E O F — 2009-01-29 16:54:52

przepraszam ze sie tak dlugo nie odzywalemem ale to nie moj komp.Dalejej mam 77% wykozystanej pamieci ram i co jakis czas znajduje mi rotkita

huber2t · 13 Luty 2009 05:14

Do wyleczenia pendrive z wirusów użyj tych programów

Wklej do notatnika:

File::

C:\ur0.com

D:\ur0.com

J:\ur0.com

C:\opgde.exe

D:\opgde.exe

J:\opgde.exe

C:\a2h2.com

D:\a2h2.com

J:\a2h2.com


Folder::

C:\FOUND.019


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

Plik -> zapisz jako -> CFScript.txt.

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu->

Rozpocznie się usuwanie i powstanie log, który dasz na forum.

Logi dajesz na http://wklej.eu lub na http://wklej.org a w poście dajesz tylko link

Agaton · 13 Luty 2009 12:32

cudaczek61 ,

Proszę poprawić pisownię w tytule tematu i w opisie problemu. W celu edycji swojego posta proszę skorzystać z przycisku Edytuj przy poście otwierającym temat.

Zignorowanie zalecenia będzie skutkowało usunięciem tematu do Kosza.

W związku ze zmianą, jaka obowiązuje przy wklejaniu logów w tym dziale, przeczytaj i zastosuj się do Tematu

cudaczek61 · 13 Luty 2009 19:58

http://www.wklej.eu/index.php?id=1ba9110559

Postaram się nie popełniać błędów.

huber2t · 13 Luty 2009 20:05

Do wyleczenia pendrive z wirusów użyj tych programów

otwórz notatnik i wklej

Z menu Notatnika -> Plik -> Zapisz jako -> Zmień rozszerzenie z .txt na wszystkie pliki -> zapisz pod nazwą Fix.reg

Uruchom ten plik, uruchom ponownie komputer

usuń ręcznie folder C:\Qoobox oraz Combofix , usuń instalkę Combofix z dysku.

Przeczyść system Ccleanerem

Wykonaj optymalizację autostartu

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar całego komputera http://www.kaspersky.pl/virusscanner.html Daj raport z niego na forum

cudaczek61 · 14 Luty 2009 14:06

Zrobiłem jak pisałeś ale kaspreski nic nie znalazł wiec nie mam co wklejać raportu.Zainstalowałem programik do czyszczenia pamieci ram i z 512 mb zostaje tylko wolnego jakieś 120mb czyli coś pożera dość dużo,dodam że nadal nie moge uruchomic photo shopa nawet po reinstalacji jest ten sam komunikat że malo pamieci a chodził normalnie