Proszę o sprawdzenie loga, komputer wolno chodzi ;/

Lyha89 · 30 Lipiec 2007 13:24

Witam !

Prosiłbym o sprawdzenie logu Hijackthis

Komputer po włączeniu bardzo wolno chodzi dopiero po jednym dwóch restartach normalnie pracuje.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:21:56, on 2007-07-30 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\RunDll32.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\PLANET\Common\RaUI.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\OneStepSearch\onestep.exe C:\WINDOWS\System32\wdfmgr.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Program Files\OneStepSearch\onestep.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\System32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: PLANET WL-8315 Utility.lnk = C:\Program Files\PLANET\Common\RaUI.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_27.cab O16 - DPF: {2A781DED-C22D-4153-9812-CEA98A32981C} (GameDesire Makao) - http://67.15.101.3/g_bin/pl/cardsmakao_2_0_0_28.cab O16 - DPF: {4539348E-01D7-11D5-9A39-0080C8D85044} (GameDesire Slots 90th) - http://67.15.101.3/g_bin/pl/slots90_2_0_0_35.cab O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_47.cab O16 - DPF: {A6212120-01D4-11D5-9A39-0080C8D85044} (GameDesire Slots 70th) - http://67.15.101.3/g_bin/pl/slots70_2_0_0_35.cab O16 - DPF: {ECEAD8AE-01D6-11D5-9A39-0080C8D85044} (GameDesire Slots 80th) - http://67.15.101.3/g_bin/pl/slots80_2_0_0_35.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_35.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C2} (GameDesire Pool 9) - http://67.15.101.3/g_bin/pl/billard9_2_0_0_35.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_35.cab O17 - HKLM\System\CCS\Services\Tcpip…{1576C1FC-6E53-43DF-A34D-A86AC104644D}: NameServer = 85.255.115.45,85.255.112.144 O17 - HKLM\System\CCS\Services\Tcpip…{81BF95A7-3D09-4156-85B6-7398644A8871}: NameServer = 85.255.115.45,85.255.112.144 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.45 85.255.112.144 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.45 85.255.112.144 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.45 85.255.112.144 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\System32.exe (file missing) – End of file - 6186 bytes

jessica · 30 Lipiec 2007 13:49

Te dwa procesy świadczą o tym, że była automatyczna aktualizacja systemu. Aktualizacje te zaczynały się bezpośrednio po starcie systemu, więc miały wpływ na “mulenie”. Możesz sobie ustawić, by komputer sprawdzał, czy są nowe aktualizacje tylko raz w miesiącu, a nie codziennie. Wystarczy w Panelu Sterowania>>System>>zaznaczyć przy “Wyłącz aktualizacje”, a tylko raz w miesiącu usuwać to zaznaczenie, by system mógł się zaktualizować.

Masz też oczywiście infekcje.

Masz ukraińską infekcję czyli Rootkit “Windows Security Center”.

Użyj FixWareout (post nr 4).

Po jego użyciu może zajść potrzeba ustawiania od nowa DNS Twojego dostawcy internetowego.

Po użyciu Fixwareout: Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

>>Start >>> Uruchom >>> wybierz (lub wpisz) cmd >> zastosować te komendy (po każdej wciśnij “ENTER”):

Potem daj tu:

raport z C:\Fixwareout rReport.txt
log z Hijacka
log z ComboFixa -->http://forum.dobreprogramy.pl/viewtopic.php?t=36654 – na samym dole strony z linku.

.

Lyha89 · 30 Lipiec 2007 14:38

Chyba zrobiłem wszystko dobrze.

Log Fixwareout:

Username “Seba” - 2007-07-30 16:13:16 [Fixwareout edited 2007/07/05] »»»»»Prerun check HKLM\SOFTWARE~\Winlogon\ “System”=“cspgw.exe” Service: “Windows Management Service” = C:\WINDOWS\System32\dmlbn.exe HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters “nameserver”=“85.255.115.45 85.255.112.144” HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces{1576C1FC-6E53-43DF-A34D-A86AC104644D} “nameserver”=“85.255.115.45,85.255.112.144” HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces{81BF95A7-3D09-4156-85B6-7398644A8871} “nameserver”=“85.255.115.45,85.255.112.144” HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces{03AC2028-2529-4124-9C1D-E6CC1E4414B3} “DhcpNameServer”=“85.255.115.45,85.255.112.144” HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces{81BF95A7-3D09-4156-85B6-7398644A8871} “DhcpNameServer”=“85.255.115.45,85.255.112.144” Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS. System was rebooted successfully. »»»»» Postrun check HKLM\SOFTWARE~\Winlogon\ “system”="" … HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls “0mdm” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls “1mdm” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls “3mdm” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “}0E5D4AF340ED-256A-3944-04F6-65593CAC{” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “}7501B6C121CE-1558-B6E4-37E0-9FDDEE45{” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “ggemd” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “}A436C1170728-9878-A984-1823-84A55BB6{” Deleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion_r “nblmd” Deleted C:\WINDOWS\System32\ietsf.exe Deleted … »»»»» Misc files. C:\Program Files\SpyVampire Deleted C:\WINDOWS\system32{3C7709D2-9166-44F1-9A4E-E950DD897914}.exe Deleted C:\WINDOWS\System32\kernel32.exe Deleted … »»»»» Checking for older varients. … »»»»» Other C:\WINDOWS\TEMP\cspgw.ren 52780 2007-07-26 C:\WINDOWS\TEMP\dmlbn.ren 63030 2001-10-26 »»»»» Current runs (hklm hkcu “run” Keys Only) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” “Cmaudio”=“RunDll32 cmicnfg.cpl,CMICtrlWnd” “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” “SunJavaUpdateSched”="“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”" “startdrv”=“C:\WINDOWS\Temp\startdrv.exe” [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” “MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background" “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" “Skype”="“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized" … Hosts file was reset, If you use a custom hosts file please replace it »»»»» End report »»»»»

Log HijackThis:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:31:57, on 2007-07-30 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\RunDll32.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\PLANET\Common\RaUI.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\OneStepSearch\onestep.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Program Files\OneStepSearch\onestep.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: PLANET WL-8315 Utility.lnk = C:\Program Files\PLANET\Common\RaUI.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_27.cab O16 - DPF: {2A781DED-C22D-4153-9812-CEA98A32981C} (GameDesire Makao) - http://67.15.101.3/g_bin/pl/cardsmakao_2_0_0_28.cab O16 - DPF: {4539348E-01D7-11D5-9A39-0080C8D85044} (GameDesire Slots 90th) - http://67.15.101.3/g_bin/pl/slots90_2_0_0_35.cab O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_47.cab O16 - DPF: {A6212120-01D4-11D5-9A39-0080C8D85044} (GameDesire Slots 70th) - http://67.15.101.3/g_bin/pl/slots70_2_0_0_35.cab O16 - DPF: {ECEAD8AE-01D6-11D5-9A39-0080C8D85044} (GameDesire Slots 80th) - http://67.15.101.3/g_bin/pl/slots80_2_0_0_35.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_35.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C2} (GameDesire Pool 9) - http://67.15.101.3/g_bin/pl/billard9_2_0_0_35.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_35.cab O17 - HKLM\System\CCS\Services\Tcpip…{1576C1FC-6E53-43DF-A34D-A86AC104644D}: NameServer = 194.204.159.1,194.204.152.34 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe – End of file - 5395 bytes

Log ComboFix:

ComboFix 07-07-30.2 - “Seba” 2007-07-30 16:28:23.1 [GMT 2:00] - FAT32 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.Prawda * Created a new restore point ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\5_exception.nls C:\WINDOWS\system32\drivers\runtime2.sys C:\WINDOWS\system32\drivers\secdrv.sys C:\WINDOWS\system32\ksys.sys ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_NDNET1 -------\LEGACY_RUNTIME -------\LEGACY_RUNTIME2 -------\NDnet1 -------\runtime ((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 ))))))))))))))))))))))))))))))) 2007-07-30 16:27 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-30 16:13 5,897 --a------ C:\dnsbak.reg 2007-07-30 15:21 2007-07-30 15:19 2007-07-29 22:15 17,920 --a------ C:\WINDOWS\system32\mdimon.dll 2007-07-29 22:14 2007-07-29 20:21 2007-07-29 16:52 2007-07-29 16:01 2007-07-29 15:40 2007-07-29 14:20 2007-07-29 14:18 2,018 --a------ C:\WINDOWS\mozver.dat 2007-07-29 14:15 0 --a------ C:\WINDOWS\nsreg.dat 2007-07-29 10:08 2007-07-29 10:06 2007-07-29 10:06 2007-07-29 10:06 2007-07-29 10:06 2007-07-28 22:57 2007-07-28 13:54 2007-07-28 13:52 549,720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-28 13:52 33,624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-28 13:52 325,976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-28 13:52 203,096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-28 13:52 187,160 --a------ C:\WINDOWS\system32\wuaueng1.dll 2007-07-28 13:52 170,264 --a------ C:\WINDOWS\system32\wuauclt1.exe 2007-07-28 13:52 2007-07-28 13:45 310,272 --a------ C:\WINDOWS\system32\winhttp.dll 2007-07-28 12:39 2007-07-28 10:15 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll 2007-07-28 10:15 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll 2007-07-28 10:15 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-07-28 10:15 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-07-28 10:15 2007-07-27 00:39 2007-07-27 00:39 2007-07-25 12:27 2007-07-25 12:27 2007-07-24 11:33 2007-07-23 12:25 2007-07-23 09:27 2007-07-22 09:18 4,608 --a------ C:\WINDOWS\system32\W95Inf32.DLL 2007-07-22 09:18 2,272 --a------ C:\WINDOWS\system32\W95Inf16.DLL 2007-07-22 09:18 2007-07-21 20:01 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys 2007-07-21 20:01 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys 2007-07-21 20:01 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys 2007-07-21 20:01 129,784 --------- C:\WINDOWS\system32\pxafs.dll 2007-07-21 19:57 2007-07-20 20:46 2007-07-20 20:45 4 --a------ C:\WINDOWS\system32\proc-385240966.bin 2007-07-20 20:45 2007-07-20 17:58 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll 2007-07-20 17:12 2007-07-20 16:38 2007-07-20 16:35 2007-07-20 16:34 79,616 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys 2007-07-20 16:34 57,472 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys 2007-07-20 16:34 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys 2007-07-20 16:34 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys 2007-07-20 16:34 5,632 --a------ C:\WINDOWS\system32\drivers\splitter.sys 2007-07-20 16:34 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys 2007-07-20 16:34 159,232 --a------ C:\WINDOWS\system32\drivers\kmixer.sys 2007-07-20 16:34 122,472 --a------ C:\WINDOWS\system32\drivers\aec.sys 2007-07-20 16:33 917,504 -ra------ C:\WINDOWS\system\cmids3d.dll 2007-07-20 16:33 821,760 -ra------ C:\WINDOWS\system32\drivers\cmuda.sys 2007-07-20 16:33 712,704 -ra------ C:\WINDOWS\system32\Audio3D.dll 2007-07-20 16:33 712,704 -ra------ C:\WINDOWS\system32\a3d.dll 2007-07-20 16:33 57,344 --a------ C:\WINDOWS\system32\drivers\drmk.sys 2007-07-20 16:33 32,768 -ra------ C:\WINDOWS\system32\udaprop.dll 2007-07-20 16:33 28,672 -ra------ C:\WINDOWS\system32\cmirmdrv.dll 2007-07-20 16:33 28,672 --a------ C:\WINDOWS\CMIRmDriver.dll 2007-07-20 16:33 266,240 --a------ C:\WINDOWS\CMIUninstall.exe 2007-07-20 16:33 233,472 -ra------ C:\WINDOWS\system32\cmirmdrv.exe 2007-07-20 16:33 225,280 --a------ C:\WINDOWS\CmiRmRedundDir.exe 2007-07-20 16:33 163,840 -ra------ C:\WINDOWS\system32\cmuda.dll 2007-07-20 16:33 135,040 --a------ C:\WINDOWS\system32\drivers\portcls.sys 2007-07-20 16:33 1,458,176 -ra------ C:\WINDOWS\system\SmWizard.exe 2007-07-20 16:33 2007-07-20 16:32 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS 2007-07-20 16:29 2007-07-20 16:29 2007-07-20 16:25 98,816 --a------ C:\WINDOWS\system32\dmstyle.dll 2007-07-20 16:25 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe 2007-07-20 16:25 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys 2007-07-20 16:25 80,896 --a------ C:\WINDOWS\system32\dpvsetup.exe 2007-07-20 16:25 8,192 --a------ C:\WINDOWS\system32\d3d8thk.dll 2007-07-20 16:25 797,184 --a------ C:\WINDOWS\system32\d3dim700.dll 2007-07-20 16:25 79,360 --a------ C:\WINDOWS\system32\dpwsockx.dll 2007-07-20 16:25 77,824 --a------ C:\WINDOWS\system32\dpmodemx.dll 2007-07-20 16:25 76,800 --a------ C:\WINDOWS\system32\dmscript.dll 2007-07-20 16:25 733,184 --a------ C:\WINDOWS\system32\qedwipes.dll 2007-07-20 16:25 723,968 --a------ C:\WINDOWS\system32\dpnet.dll 2007-07-20 16:25 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys 2007-07-20 16:25 68,096 --a------ C:\WINDOWS\system32\dpnhupnp.dll 2007-07-20 16:25 667,648 --a------ C:\WINDOWS\system32\dinput8.dll 2007-07-20 16:25 648,704 --a------ C:\WINDOWS\system32\dinput.dll 2007-07-20 16:25 64,512 --a------ C:\WINDOWS\system32\amstream.dll 2007-07-20 16:25 602,624 --a------ C:\WINDOWS\system32\dx7vb.dll 2007-07-20 16:25 58,368 --a------ C:\WINDOWS\system32\dmcompos.dll (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-20 16:22 49492 --a------ C:\WINDOWS\system32\perfc015.dat 2007-07-20 16:22 355486 --a------ C:\WINDOWS\system32\perfh015.dat --------- C:\Program Files\Usługi online ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2004-08-25 12:52] “Cmaudio”=“cmicnfg.cpl” [] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2007-05-15 00:22] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” [2007-03-14 03:43] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” [2001-10-26 17:29] “MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2001-08-02 07:14] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-07-09 09:39] “Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-07-02 17:10] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ PLANET WL-8315 Utility.lnk - C:\Program Files\PLANET\Common\RaUI.exe [2007-07-20 16:19:07] Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26] R2 OneStep Search Service;OneStep Search Service;“C:\Program Files\OneStepSearch\onestep.exe” “C:\Program Files\OneStepSearch\onestep.dll” Service R3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\System32\drivers\cmuda.sys R3 sermouse;Sterownik myszy szeregowej;C:\WINDOWS\System32\DRIVERS\sermouse.sys S3 FETNDIS;Sterownik NT karty VIA PCI 10/100Mb Fast Ethernet;C:\WINDOWS\System32\DRIVERS\fetnd5.sys *Newly Created Service* - ALG *Newly Created Service* - IPNAT ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-30 16:30:11 Windows 5.1.2600 FAT NTAPI scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-30 16:30:40 - machine was rebooted C:\ComboFix-quarantined-files.txt … 2007-07-30 16:30 — E O F —

jessica · 30 Lipiec 2007 15:11

Te usuń ręcznie.

Jeśli nie będą widoczne, to najpierw usuń atrybuty ochronne:

>>Start>>Panel Sterowania>>Opcje Folderów>>Widok>>usuń zaznaczenie przy “Ukryj chronione pliki systemowe”>>zaznacz przy “Pokaż ukryte plik”>>Zastosuj>>OK

Czy to znasz?

Oprócz “ukraińskiego” miałeś jeszcze trzy inne Rootkity - ComboFix usunął.

Napisz, jak teraz sytuacja na kompie.

.

Lyha89 · 30 Lipiec 2007 16:53

Wieeelkie dzięki komputer chodzi już tak jak po formacie śmiga jak trzeba Tylko ta aplikacja: OneStepSearch nie wiem skąd się wzieła ale już ją usunołem jeszczeraz wielkie dzięki za pomoc

Pozdrawiam !