Computer running slowly


(michaś) #1

Recently I've had a problem with my computer: it starts up terribly slowly, and a few minutes after I boot it, strange windows pop up. The strangest of them is a message about a virus, ext.exe, a file which comes back every time I delete it; other strange things are messages about supposed viruses that are allegedly attacking my computer :) There are also a few other things popping up on my desktop that I've never seen before, so I'm pasting two logs, the first from HijackThis and the second from Silent Runners

Logfile of HijackThis v1.99.1

Scan saved at 20:41:59, on 2007-12-08

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\cFosSpeed\spd.exe

C:\WINDOWS\system32\spool\drivers\w32x86\hpzstatn.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\cFosSpeed\cFosSpeed.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Logitech\Video\LogiTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\VIA\RAID\raid_tool.exe

C:\WINDOWS\system32\LVComS.exe

C:\Program Files\Wanadoo\EspaceWanadoo.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Wanadoo\ComComp.exe

C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Gadu-Gadu\gg.exe

D:\Michał\programy\antywirusy\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe

O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Warez] "C:\Program Files\Warez\Warez.exe" /minimized

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [timeNoticeSL001] c:\systift.exe net

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O4 - Global Startup: Przyspieszenie uruchomienia programu AutoCAD.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{51FCE2C4-415A-49D9-9895-9D16E2071BBC}: NameServer = 194.204.159.1 217.98.63.164

O23 - Service: Urządzenie alarmowe (Alerter) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Zarządzanie aplikacjami (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Usługa inteligentnego transferu w tle (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Przeglądarka komputera (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)

O23 - Service: Usługi kryptograficzne (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Program uruchamiający proces serwera DCOM (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Klient DHCP (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Menedżer dysków logicznych (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Klient DNS (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: System zdarzeń COM+ (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Zgodność szybkiego przełączania użytkowników (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe

O23 - Service: Pomoc i obsługa techniczna (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Printer Status Server (hpzstatn) - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\hpzstatn.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Serwer (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Stacja robocza (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Pomoc TCP/IP NetBIOS (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Połączenia sieciowe (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Rozpoznawanie lokalizacji w sieci (NLA) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Magazyn wymienny (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Menedżer autopołączenia dostępu zdalnego (RasAuto) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Menedżer połączeń usługi Dostęp zdalny (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Rejestr zdalny (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Zdalne wywoływanie procedur (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Schedule - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Logowanie pomocnicze (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Zawiadomienie o zdarzeniu systemowym (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Wykrywanie sprzętu powłoki (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Usługa przywracania systemu (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Telefonia (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Usługi terminalowe (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Kompozycje (Themes) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Klient śledzenia łączy rozproszonych (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Usługa Czas systemu Windows (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Instrumentacja zarządzania Windows (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Usługa numeru seryjnego multimediów przenośnych (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Rozszerzenia sterownika Instrumentacji zarządzania Windows (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Centrum zabezpieczeń (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Aktualizacje automatyczne (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Konfiguracja zerowej sieci bezprzewodowej (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Usługa dostarczania sieci (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Warez" = ""C:\Program Files\Warez\Warez.exe" /minimized" [file not found]

"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

"timeNoticeSL001" = "c:\systift.exe net" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"Anti Trojan Elite" = "C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO" [file not found]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]

"cFosSpeed" = "C:\Program Files\cFosSpeed\cFosSpeed.exe" ["cFos Software GmbH"]

"(Default)" = "(empty string)" [file not found]

"Sony Ericsson PC Suite" = ""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions" ["Sony Ericsson Mobile Communications AB"]

"LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe" ["Labtec Inc."]

"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Labtec Inc."]

"hpfsched" = "C:\WINDOWS\hpfsched.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar.dll" ["Google Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{E7D3109B-3C05-4895-A556-3F4FACB1BC33}" = "AxCrypt Privacy Wrapper File"

  -> {HKLM...CLSID} = "axcrypt.File"

                   \InProcServer32\(Default) = "C:\Program Files\Axon Data\AxCrypt\1.6.2\AxCrypt.dll" ["Axantum Software AB"]

"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"

  -> {HKLM...CLSID} = "Sony Ericsson File Manager"

                   \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]

"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"

  -> {HKLM...CLSID} = "ACTHUMBNAIL"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Uchwyt nakładania ikony podpisu cyfrowego"

  -> {HKLM...CLSID} = "AcSignIcon"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]

"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"

  -> {HKLM...CLSID} = "ACDWFTHMBPRXY"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]

"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Labtec Pictures"

  -> {HKLM...CLSID} = "My Labtec Pictures"

                   \InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Labtec Inc."]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

axcrypt.File\(Default) = "{E7D3109B-3C05-4895-A556-3F4FACB1BC33}"

  -> {HKLM...CLSID} = "axcrypt.File"

                   \InProcServer32\(Default) = "C:\Program Files\Axon Data\AxCrypt\1.6.2\AxCrypt.dll" ["Axantum Software AB"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

axcrypt.File\(Default) = "{E7D3109B-3C05-4895-A556-3F4FACB1BC33}"

  -> {HKLM...CLSID} = "axcrypt.File"

                   \InProcServer32\(Default) = "C:\Program Files\Axon Data\AxCrypt\1.6.2\AxCrypt.dll" ["Axantum Software AB"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Default executables:

--------------------


HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"

<> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\DOM\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\FASCIN~1.SCR" (FascinatingSouthPacific.scr) ["Anders und Seim Neue Medien AG"]



Startup items in "DOM" & "All Users" startup folders:

-----------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]

"Przyspieszenie uruchomienia programu AutoCAD" -> shortcut to: "C:\Program Files\Common Files\Autodesk Shared\acstart16.exe" [null data]

"VIA RAID TOOL" -> shortcut to: "C:\Program Files\VIA\RAID\raid_tool.exe" ["VIA Technologies"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar.dll" ["Google Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar.dll" ["Google Inc."]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

cFosSpeed System Service, cFosSpeedS, ""C:\Program Files\cFosSpeed\spd.exe" -service" ["cFos Software GmbH"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

Printer Status Server, hpzstatn, "C:\WINDOWS\system32\spool\drivers\w32x86\hpzstatn.exe" ["Hewlett-Packard Company"]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 40 seconds, including 5 seconds for message boxes)

I'd be very grateful if you could check these logs


(Gutek) #2

Do you know this?

Post a log from ComboFix

Download SDFix



(michaś) #3

After running this program my computer freezes and nothing can be done except a reset :/


(Gutek) #4

Start >>> Run >>> services.msc >>> stop and disable FCI, and then delete the file I marked in red

after that, try running SDFix
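The FCI service in the first HijackThis log has the image path `C:\WINDOWS\system32\svchost.exe:ext.exe`. The colon after `.exe` is NTFS alternate-data-stream syntax: the service is not a separate file but a stream attached to the legitimate `svchost.exe`, which is why it does not show up as a normal file and why the service entry has to be removed before the "file" stays gone. The script below is an added example (not part of this thread, and not code from HijackThis or SDFix) that parses O23 service lines and flags the two things a helper looks for first: image paths that point into an alternate data stream, and entries HijackThis marks as `(file missing)`. The sample log lines are constructed, modelled on the log above; the regular expressions and the assessment rules are this example's own assumptions, not a HijackThis format specification.

```python
import re

# Constructed sample, modelled on O23 lines from the first log in this thread.
SAMPLE_LOG = r"""
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Klient DNS (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

# Assumed shape of an O23 line: "O23 - Service: <display name> - <owner> - <image path>".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# An NTFS alternate data stream is addressed as <file>:<stream>. The only legitimate
# colon in a Windows path is the drive-letter colon at index 1, so a colon directly
# after an executable extension means the image is a stream, not a file.
ADS_RE = re.compile(r'^[A-Za-z]:\\[^:"]*\.(exe|dll|sys):[^\\\s"]+', re.IGNORECASE)


def parse_o23(line):
    """Return the name/owner/path fields of an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def split_ads(path):
    """Split an ADS image path into (host file, stream name); None if no stream.

    The host file (here svchost.exe) is a legitimate system binary and must not be
    deleted; only the stream and the service pointing at it should be removed.
    """
    m = ADS_RE.match(path)
    if not m:
        return None
    host, _, stream = m.group(0).rpartition(":")
    return host, stream


def assess_service(entry):
    """Return a list of reasons this service entry deserves a closer look."""
    findings = []
    path = entry["path"]
    if split_ads(path) is not None:
        findings.append("image path is an NTFS alternate data stream")
    if "(file missing)" in path:
        # HijackThis reports this when it cannot resolve the path; it can be a
        # quoting artefact (as with the avast entries above), so verify by hand.
        findings.append("HijackThis could not find the image file")
    return findings


def triage_log(text):
    """Map each flagged service display name to its list of findings."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        findings = assess_service(entry)
        if findings:
            flagged[entry["name"]] = findings
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
    print(split_ads(r"C:\WINDOWS\system32\svchost.exe:ext.exe"))
```

Running it on the sample prints the FCI service as an alternate-data-stream launch point and the avast! Mail Scanner entry as "file missing", and shows the ADS split into the host `svchost.exe` and the stream `ext.exe`; the normal svchost-hosted Dnscache entry is not flagged.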


(michaś) #5

It couldn't be done the way you wrote, because there was no "delete" option there, only "start"; however, I deleted the file marked in red with HijackThis, then I managed to run SDFix and did as you wrote in the post above, so I'm pasting the log from that program

SDFix: Version 1.117


Run by DOM on 07-12-09 at 18:59


Microsoft Windows XP [Wersja 5.1.2600]


Running From: C:\SDFix


Safe Mode:

Checking Services: 


Name:

FCI

kprof

poof

protect


Path:

C:\WINDOWS\system32\svchost.exe:ext.exe 

\??\C:\WINDOWS\system32\kprof 

\??\C:\WINDOWS\system32\poof 

System32\drivers\protect.sys 


FCI - Deleted

kprof - Deleted

poof - Deleted

protect - Deleted




Restoring Windows Registry Values

Restoring Windows Default Hosts File


Rebooting...



Normal Mode:

Checking Files: 


Trojan Files Found:


C:\WINDOWS\SYSTEM32\UNDNAME.EXE - Deleted

C:\DOCUME~1\DOM\USTAWI~1\Temp\winlogon.exe - Deleted

C:\WINDOWS\system32\DefLib.sys - Deleted

C:\WINDOWS\system32\koos.exe - Deleted

C:\WINDOWS\system32\kprof - Deleted

C:\WINDOWS\system32\poof - Deleted

C:\WINDOWS\system32\windev-peers.ini - Deleted

C:\WINDOWS\system32\ntos.exe - Deleted

C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted

C:\WINDOWS\system32\wsnpoem\video.dll - Deleted




Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files...


ADS Check:


C:\WINDOWS

No streams found. 


C:\WINDOWS\system32

No streams found. 


C:\WINDOWS\system32\svchost.exe

No streams found.


C:\WINDOWS\system32\ntoskrnl.exe

No streams found.




                                 Final Check:


catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-09 19:04:44

Windows 5.1.2600 Dodatek Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden services & system hive ...


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:a2,56,d2,f7,c0,37,72,47,25,f8,49,19,32,d5,a6,c3,fc,1c,89,19,bf,..

"p0"="C:\Program Files\DAEMON Tools\"


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"khjeh"=hex:4d,8c,99,45,a2,34,27,90,46,f2,f4,3c,a3,f1,85,5b,47,f0,53,fa,44,..

"a0"=hex:20,01,00,00,28,07,e6,f1,49,b7,0d,51,a0,38,26,b0,cc,0e,7e,bf,2e,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:92,86,26,00,4e,5a,26,ce,e2,84,83,14,16,3c,48,57,ee,e5,e8,86,4e,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:02,02,86,88,c9,1e,9a,7f,3e,01,12,94,de,67,34,96,f9,51,07,cb,22,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:a2,56,d2,f7,c0,37,72,47,25,f8,49,19,32,d5,a6,c3,fc,1c,89,19,bf,..

"p0"="C:\Program Files\DAEMON Tools\"


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"khjeh"=hex:4d,8c,99,45,a2,34,27,90,46,f2,f4,3c,a3,f1,85,5b,47,f0,53,fa,44,..

"a0"=hex:20,01,00,00,28,07,e6,f1,49,b7,0d,51,a0,38,26,b0,cc,0e,7e,bf,2e,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:92,86,26,00,4e,5a,26,ce,e2,84,83,14,16,3c,48,57,ee,e5,e8,86,4e,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:02,02,86,88,c9,1e,9a,7f,3e,01,12,94,de,67,34,96,f9,51,07,cb,22,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tonn53]

"Type"=dword:00000001

"Tag"=dword:00000001

"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"

"ErrorControl"=dword:00000001

"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:d1bb7e86

"s2"=dword:09fc6887

"h0"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:a2,56,d2,f7,c0,37,72,47,25,f8,49,19,32,d5,a6,c3,fc,1c,89,19,bf,..

"p0"="C:\Program Files\DAEMON Tools\"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"khjeh"=hex:4d,8c,99,45,a2,34,27,90,46,f2,f4,3c,a3,f1,85,5b,47,f0,53,fa,44,..

"a0"=hex:20,01,00,00,28,07,e6,f1,49,b7,0d,51,a0,38,26,b0,cc,0e,7e,bf,2e,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:5b,4a,58,de,79,24,08,5c,87,4e,e7,59,bf,79,7f,0a,32,ab,02,d2,a2,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:02,02,86,88,c9,1e,9a,7f,3e,01,12,94,de,67,34,96,f9,51,07,cb,22,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tonn53]

"Type"=dword:00000001

"Tag"=dword:00000001

"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"

"ErrorControl"=dword:00000001

"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:a2,56,d2,f7,c0,37,72,47,25,f8,49,19,32,d5,a6,c3,fc,1c,89,19,bf,..

"p0"="C:\Program Files\DAEMON Tools\"


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"khjeh"=hex:4d,8c,99,45,a2,34,27,90,46,f2,f4,3c,a3,f1,85,5b,47,f0,53,fa,44,..

"a0"=hex:20,01,00,00,28,07,e6,f1,49,b7,0d,51,a0,38,26,b0,cc,0e,7e,bf,2e,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:5b,4a,58,de,79,24,08,5c,87,4e,e7,59,bf,79,7f,0a,32,ab,02,d2,a2,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:02,02,86,88,c9,1e,9a,7f,3e,01,12,94,de,67,34,96,f9,51,07,cb,22,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tonn53]

"Type"=dword:00000001

"Tag"=dword:00000001

"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"

"ErrorControl"=dword:00000001

"Start"=dword:00000000


scanning hidden registry entries ...


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]

"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Ksi\x105\x17cka telefoniczna tel\Z\1l]

"Order"=hex:08,00,00,00,02,00,00,00,40,01,00,00,01,00,00,00,02,00,00,00,b2,..


scanning hidden files ...


C:\WINDOWS\system32\drivers\Tonn53.sys 179200 bytes executable

C:\WINDOWS\system32\drivers\symavc32.sys 179200 bytes executable

C:\WINDOWS\system32\svchost.exe:ext.exe 24064 bytes executable hidden from API


scan completed successfully

hidden processes: 0

hidden services: 1

hidden files: 9



Remaining Services:

------------------




Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:

---------------


File Backups: - C:\SDFix\backups\backups.zip


Files with Hidden Attributes:


Fri 5 May 2006 56 ..SHR --- "C:\WINDOWS\system32\B8284344F8.sys"

Thu 15 Sep 2005 110,592 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\AtiCimUn.exe"

Thu 15 Sep 2005 73,728 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\CheckVer.exe"

Thu 15 Sep 2005 154,624 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\DrvUI64A.exe"

Thu 15 Sep 2005 127,488 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\issetup.exe"

Mon 26 Jan 2004 127,488 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\makensisw.exe"

Thu 15 Sep 2005 18,192 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\psapi.dll"

Thu 15 Sep 2005 65,536 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\Setup.exe"

Mon 20 Oct 2003 73,688 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"

Sat 24 Jan 2004 5,120 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"

Thu 15 Sep 2005 6,656 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\BIN\aticd64a.sys"

Thu 15 Sep 2005 368,640 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\BIN\aticds10.dll"

Thu 15 Sep 2005 49,152 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\BIN\AtiCIM.dll"

Thu 15 Sep 2005 380,928 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\BIN\atiicdxx.dll"

Thu 15 Sep 2005 279,040 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\BIN\atiicdxx.exe"

Thu 15 Sep 2005 6,144 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\BIN\atiicdxx.sys"

Thu 15 Sep 2005 121,344 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\BIN\EnumDev.exe"

Thu 15 Sep 2005 125,440 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\BIN\UpdatPnP.exe"

Wed 5 Oct 2005 3,229 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\CPanel\27256_XP.REG"

Thu 15 Sep 2005 94,208 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\CPanel\CPANEL.dll"

Wed 5 Oct 2005 3,229 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\CPanel\CP_XP.REG"

Thu 15 Sep 2005 7,239 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\CPanel\FGL_32.REG"

Thu 15 Sep 2005 46,080 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\CPanel\Setup.exe"

Thu 15 Sep 2005 94,208 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\Driver\Driver.DLL"

Thu 15 Sep 2005 46,080 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\Driver\Setup.exe"

Fri 18 Feb 2005 139,264 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\Setup.exe"

Thu 15 Sep 2005 94,208 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_ALL.dll"

Fri 19 Oct 2007 2,189 ...HR --- "C:\Documents and Settings\DOM\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"

Thu 15 Sep 2005 307,200 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\Driver\2KXP_INF\B_27132\atiiiexx.dll"

Thu 15 Sep 2005 57,856 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_NSP\XP\atinbtxx.SYS"

Thu 15 Sep 2005 75,776 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_NSP\XP\atinesxx.SYS"

Thu 15 Sep 2005 58,880 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_NSP\XP\atineuxx.SYS"

Thu 15 Sep 2005 166,400 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_NSP\XP\atinevxx.SYS"

Thu 15 Sep 2005 15,360 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_NSP\XP\atinmdxx.SYS"

Thu 15 Sep 2005 14,848 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_NSP\XP\atinpdxx.SYS"

Thu 15 Sep 2005 55,808 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_NSP\XP\atinraxx.SYS"

Thu 15 Sep 2005 28,672 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_NSP\XP\atinsnxx.SYS"

Thu 15 Sep 2005 13,824 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_NSP\XP\atinttxx.SYS"

Thu 15 Sep 2005 31,744 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_NSP\XP\atinxbxx.SYS"

Thu 15 Sep 2005 33,280 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_NSP\XP\ativtmxx.DLL"

Wed 4 Aug 2004 57,856 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_SP\XP\atinbtxx.SYS"

Wed 4 Aug 2004 13,824 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_SP\XP\atinmdxx.SYS"

Wed 4 Aug 2004 13,824 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_SP\XP\atinpdxx.SYS"

Wed 4 Aug 2004 53,760 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_SP\XP\atinraxx.SYS"

Wed 4 Aug 2004 105,984 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_SP\XP\atinrvxx.SYS"

Wed 4 Aug 2004 28,672 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_SP\XP\atinsnxx.SYS"

Wed 4 Aug 2004 13,824 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_SP\XP\atinttxx.SYS"

Wed 4 Aug 2004 78,336 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_SP\XP\atintuxx.SYS"

Wed 4 Aug 2004 31,744 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_SP\XP\atinxbxx.SYS"

Wed 4 Aug 2004 64,512 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_SP\XP\atinxsxx.SYS"

Wed 4 Aug 2004 32,768 A..H. --- "C:\ATI\SUPPORT\5-10_xp-2k_dd_cp_wdm_27256\WDM_ALL\WDM_SP\XP\ativtmxx.DLL"


Finished!

waiting for further instructions :)
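An added triage script for the kind of anti-rootkit log pasted above (it is not part of the original thread and not code from any of the scanner tools mentioned). It parses the `[...\Services\<name>]` registry blocks and the "scanning hidden files" section and flags the three findings the helpers act on later: a boot-start (Start=0) hidden service, an alternate data stream attached to a system binary, and a file reported as hidden from the API. The log excerpt inside it is constructed to mirror the thread's log, not a verbatim copy.

```python
import re

# Constructed excerpt modelled on the scan log in the thread (not a verbatim copy).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tonn53]
"Type"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
scanning hidden files ...
C:\WINDOWS\system32\drivers\Tonn53.sys 179200 bytes executable
C:\WINDOWS\system32\svchost.exe:ext.exe 24064 bytes executable hidden from API
scan completed successfully
hidden services: 1
hidden files: 9
"""

# Only direct children of ...\Services\ are service keys; Cfg sub-keys are skipped.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\\w+\\Services\\([^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(\w+)"=dword:([0-9a-f]{8})$', re.I)
FILE_RE = re.compile(r"^([A-Z]:\\\S+?) (\d+) bytes (.*)$")
# A drive path whose last component carries a ":stream" suffix (NTFS alternate data stream).
ADS_RE = re.compile(r"^[A-Z]:\\.*\\[^\\:]+:[^\\:]+$")


def triage(log):
    """Return (category, item) findings a responder should look at first."""
    findings, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None  # reset on non-service keys
            continue
        if m := VALUE_RE.match(line):
            # Start=0 means the driver is loaded at boot, before most defences.
            if current and m.group(1).lower() == "start" and int(m.group(2), 16) == 0:
                findings.append(("boot-start service", current))
            continue
        if m := FILE_RE.match(line):
            path, _size, flags = m.groups()
            if ADS_RE.match(path):
                findings.append(("alternate data stream", path))
            if "hidden from API" in flags:
                findings.append(("hidden from API", path))
    return findings


if __name__ == "__main__":
    for category, item in triage(SAMPLE_LOG):
        print(f"{category}: {item}")
```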


(system) #6

Make the following log:

HijackThis >>> Open the Misc Tools section >>> Open ADS Spy... >>> untick the Quick scan and Ignore safe system info streams checkboxes >>> click Scan, then Save log... and paste it on the forum


(michaś) #7

OK, I'm pasting it, although I don't know whether there is any helpful information here, because from what I can see it is a list of installed programs and other documents on my computer :)


(Gutek) #8

Post a ComboFix log


(michaś) #9

OK, I'm pasting the ComboFix log


(Gutek) #10

Paste into Notepad:

>> File >> Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)

– like in this picture --> 88953CFScript-createdbyMiekiemoes.gif

(if the question "1 or 2" appears, type 1 and press ENTER). The removal should start (and a log will be created).

After the restart, manually delete the C:\Qoobox folder.

Then post a new ComboFix log

scan the files at http://virusscan.jotti.org/


(michaś) #11

OK, I did as you wrote and I'm pasting the log

and those two files turned out to be infected; I think there are more files like that :)


(system) #12

Go to C:\WINDOWS\Prefetch and delete the entire contents of that folder.

Create a CFScript file and run it as before

Then post a new ComboFix log, because last time the symavc32.sys file was not removed.

Scan the file at http://www.virustotal.com/pl/


(michaś) #13

OK, I deleted the entire contents of the C:\WINDOWS\Prefetch directory

I deleted these files:

C:\WINDOWS\system32\drivers\Tonn53.sys

C:\WINDOWS\system32\cfosspee.dll

C:\WINDOWS\system32\drivers\symavc32.sys

I created a new ComboFix log

I scanned the svchost.exe file, but it says it is clean; however, whenever the window about the infected file pops up, it says the path is ....system32/svchost.exe/ext.exe

I wanted to delete that file, but it says it is in use by another process, so I pressed Ctrl+Alt+Del and there were 4 svchost.exe files in use: two by SYSTEM, one by LOCAL SERVICE and one by NETWORK SERVICE. When I click on one of them to end the process, a box pops up saying I have one minute until the computer shuts down.


(Gutek) #14

Download the SDFix program



(michaś) #15

OK, the SDFix report


(Gutek) #16

Should be OK


(michaś) #17

Seemingly no trace of the viruses, for which many thanks to you, but I have this problem: when I connect to the internet, after some time, e.g. after an hour, I get an error:

and the internet connection is dropped and the computer has to be restarted. What is this error and what causes it?


(Gutek) #18

See - http://www.searchengines.pl/index.php?s ... ;st=0&


(michaś) #19

OK, from that I learned that:

the svchost process with PID 1132 is used by the services: DcomLaunch, TermService

the svchost process with PID 1208 is used by the services: RpcSs

the svchost process with PID 1236 is used by the services: AudioSrv, Browser, CryptSvc, Dhpc, dmserver, Ersvc, EventSystem, FastUserSwitchingCompatibility, helpsvc, lanmanservicer, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS, SharedAccess, Shellhwdetection, srservice, TapiSrv, Themes, TrkWks, W32Time, Wingmt, wscsvc, wuauserv, WZCSVC

the svchost process with PID 1288 is used by the services: Dnscache

the svchost process with PID 1340 is used by the services: Alerter, LmHosts, RemoteRegistry, WebCLient

the svchost process with PID 2028 is used by the services: stisvc

From what is written in the link you gave, it follows that one of these processes needs to be disabled, but I can't quite work out which one?