Log check. Suspected virus


(Dj 007) #1

Please check the log, because I suspect there is a virus.


(Slake1) #2

Delete the file marked in red manually, in Safe Mode with System Restore turned off, and fix the entries.

Show a ComboFix log.


(Dj 007) #3

And where can I find this ComboFix program??


(adam9870) #4

ComboFix can be downloaded from http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe


(Dj 007) #5

[quote]

Here is the ComboFix log

2001-07-30 17:40 24576 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml3a.dll.vir

2007-05-05 12:35 767 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\RAFA~1\Pulpit\Internet Explorer.lnk.vir

2007-07-02 13:44 2702 --a------ C:\Qoobox\Quarantine\Registry_backups\services_gb.reg.cf

2007-07-02 13:44 966 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_GB.reg.cf



Zmienna PATH folderu

Numer seryjny woluminu: 71F5E346 E835:E27D

C:\QOOBOX

\---Quarantine

    +---C

    | +---DOCUME~1

    | | \---RAFA~1

    | | \---Pulpit

    | | Internet Explorer.lnk.vir

    | |               

    | \---WINDOWS

    | \---system32

    | msxml3a.dll.vir

    |               

    \---Registry_backups

            LEGACY_GB.reg.cf

            services_gb.reg.cf

[/quote]


(adam9870) #6

Please paste the contents of the file c:\combofix.txt. That is where the generated log I asked you to show is saved.


(Dj 007) #7

Here is the log:

[quote]

ComboFix 07-06-18.2 - C:\Documents and Settings\Rafa\Moje dokumenty\ComboFix.exe

"Administrator" - 2007-07-02 14:01:45 - Dodatek Service Pack. 1 NTFS [SAFE MODE]

((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))

2007-07-02 13:39 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-27 13:03

2007-06-24 19:46

2007-06-15 15:23

2007-06-15 15:22

2007-06-13 22:44 68,226 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys

2007-06-07 22:42 707 --a------ C:\WINDOWS\unins000.dat

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-02 11:55:51 50,748 ----a-w C:\WINDOWS\system32\perfc015.dat

2007-07-02 11:55:51 358,702 ----a-w C:\WINDOWS\system32\perfh015.dat

2007-07-02 10:15:12 -------- d-----w C:\Program Files\Vl

2007-06-27 13:22:14 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-27 13:20:58 -------- d-----w C:\Program Files\Common Files\InstallShield

2007-06-20 17:08:51 -------- d-----w C:\Program Files\Winamp

2007-05-29 13:08:42 -------- d-----w C:\Program Files\Ahead

2007-05-29 13:08:35 -------- d-----w C:\Program Files\Common Files\Ahead

2007-05-27 12:24:25 -------- d-----w C:\Program Files\Microsoft.NET

2007-05-27 09:15:10 -------- d-----w C:\Program Files\microsoft frontpage

2007-05-19 08:45:09 464 ----a-w C:\WINDOWS\system32\DivX.dll

2007-05-15 16:38:56 -------- d-----w C:\Program Files\Gadu-Gadu

2007-05-02 13:52:03 119,767 ----a-w C:\WINDOWS\hpoins11.dat

2007-05-02 13:50:59 -------- d-----w C:\Program Files\Common Files\HP

2007-05-02 13:50:57 -------- d-----w C:\Program Files\HP

2007-05-02 13:34:09 -------- d-----w C:\Program Files\Hewlett-Packard

2007-05-02 13:33:14 -------- d-----w C:\Program Files\Common Files\Hewlett-Packard

2007-04-25 11:23:55 245,760 ------w C:\WINDOWS\Setup1.exe

2007-04-25 11:23:54 73,216 ------w C:\WINDOWS\ST6UNST.EXE

2007-04-21 14:40:52 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll

2007-04-21 14:40:41 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll

2007-04-21 14:40:11 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll

2007-04-21 14:39:56 45,056 ----a-w C:\WINDOWS\system32\ogg.dll

2007-04-21 14:39:54 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll

2007-04-21 14:38:58 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll

2007-04-21 14:38:49 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll

2007-04-21 14:38:45 755,200 ----a-w C:\WINDOWS\system32\ir50_32.dll

2007-04-20 16:25:22 0 --sha-r C:\MSDOS.SYS

2007-04-20 16:25:22 0 --sha-r C:\IO.SYS

2007-04-20 16:25:22 0 ----a-w C:\CONFIG.SYS

2007-04-20 16:25:22 0 ----a-w C:\AUTOEXEC.BAT

2007-04-20 16:22:07 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat

2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2003-09-24 13:32 C:\WINDOWS\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2003-08-15 09:34 C:\WINDOWS\SOUNDMAN.EXE]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 20:05]

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs

NtmlSvc

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-02 14:09:35

Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

cmd.exe [1664]

? [1628]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-02 14:10:08

C:\ComboFix-quarantined-files.txt ... 2007-07-02 14:09

--- E O F ---

((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))

No new files created in this timespan

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-02 11:55:51 50,748 ----a-w C:\WINDOWS\system32\perfc015.dat

2007-07-02 11:55:51 358,702 ----a-w C:\WINDOWS\system32\perfh015.dat

2007-07-02 10:15:12 -------- d-----w C:\Program Files\Vl

2007-06-27 13:22:14 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-27 13:20:58 -------- d-----w C:\Program Files\Common Files\InstallShield

2007-06-20 17:08:51 -------- d-----w C:\Program Files\Winamp

2007-05-29 13:08:42 -------- d-----w C:\Program Files\Ahead

2007-05-29 13:08:35 -------- d-----w C:\Program Files\Common Files\Ahead

2007-05-27 12:24:25 -------- d-----w C:\Program Files\Microsoft.NET

2007-05-27 09:15:10 -------- d-----w C:\Program Files\microsoft frontpage

2007-05-19 08:45:09 464 ----a-w C:\WINDOWS\system32\DivX.dll

2007-05-15 16:38:56 -------- d-----w C:\Program Files\Gadu-Gadu

2007-05-02 13:52:03 119,767 ----a-w C:\WINDOWS\hpoins11.dat

2007-05-02 13:50:59 -------- d-----w C:\Program Files\Common Files\HP

2007-05-02 13:50:57 -------- d-----w C:\Program Files\HP

2007-05-02 13:34:09 -------- d-----w C:\Program Files\Hewlett-Packard

2007-05-02 13:33:14 -------- d-----w C:\Program Files\Common Files\Hewlett-Packard

2007-04-25 11:23:55 245,760 ------w C:\WINDOWS\Setup1.exe

2007-04-25 11:23:54 73,216 ------w C:\WINDOWS\ST6UNST.EXE

2007-04-21 14:40:52 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll

2007-04-21 14:40:41 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll

2007-04-21 14:40:11 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll

2007-04-21 14:39:56 45,056 ----a-w C:\WINDOWS\system32\ogg.dll

2007-04-21 14:39:54 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll

2007-04-21 14:38:58 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll

2007-04-21 14:38:49 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll

2007-04-21 14:38:45 755,200 ----a-w C:\WINDOWS\system32\ir50_32.dll

2007-04-20 16:25:22 0 --sha-r C:\MSDOS.SYS

2007-04-20 16:25:22 0 --sha-r C:\IO.SYS

2007-04-20 16:25:22 0 ----a-w C:\CONFIG.SYS

2007-04-20 16:25:22 0 ----a-w C:\AUTOEXEC.BAT

2007-04-20 16:22:07 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat

2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2003-09-24 13:32 C:\WINDOWS\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2003-08-15 09:34 C:\WINDOWS\SOUNDMAN.EXE]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-24 13:32]

"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 20:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 20:05]

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs

NtmlSvc

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-02 14:22:57

Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-02 14:23:34

C:\ComboFix-quarantined-files.txt ... 2007-07-02 14:23

--- E O F ---

[/quote]


(adam9870) #8

Start -> Run -> regedit -> go to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

double-click the netsvcs value in the right-hand pane and, in the window that opens, delete the NtmlSvc entry, leaving the rest untouched.

After doing that, you can paste a new ComboFix log to be sure.
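The netsvcs edit described above, as an added example that is not from the thread: a small parser for the "Reg Loading Points" section of a ComboFix log (the fragment is constructed from the first log posted here) that picks out the non-default netsvcs entries ComboFix prints, and a function that removes exactly one named entry from the REG_MULTI_SZ list while keeping the other entries and their order. The winreg part is assumed, Windows-only and defaults to a dry run; the thread itself only shows the manual regedit steps.

```python
from typing import Dict, List, Optional

try:
    import winreg  # Windows only; the parsing and list editing below do not need it
except ImportError:
    winreg = None

SVCHOST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"

# Constructed sample: the "Reg Loading Points" part of the first ComboFix log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-09-24 13:32 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 09:34 C:\WINDOWS\SOUNDMAN.EXE]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 20:05]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
NtmlSvc
**************************************************************************
"""


def parse_reg_loading_points(log_text: str) -> Dict[str, List[str]]:
    """Map each registry key listed under 'Reg Loading Points' to its entry lines.

    ComboFix prints either a bracketed key ([HKEY_...]) or a bare
    'HKEY_...\\Svchost - netsvcs' header, then one entry per line, until a row
    of asterisks ends the section. Only non-default entries appear in the log.
    """
    entries: Dict[str, List[str]] = {}
    current: Optional[str] = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section or not line or line.startswith("*Note*"):
            continue
        if line.startswith("****"):
            break
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, [])
        elif line.upper().startswith("HKEY_"):
            current = line
            entries.setdefault(current, [])
        elif current is not None:
            entries[current].append(line)
    return entries


def netsvcs_extras(log_text: str) -> List[str]:
    """Return the netsvcs group members that ComboFix did not recognise as defaults."""
    for key, values in parse_reg_loading_points(log_text).items():
        if key.lower().endswith("svchost - netsvcs"):
            return values
    return []


def remove_service_from_multi_sz(values: List[str], name: str) -> List[str]:
    """Drop exactly the named entry from a REG_MULTI_SZ list, keeping the rest in order.

    Service names are case-insensitive in the registry, so the match is too, but it
    is exact: the legitimate Ntmssvc (Removable Storage) survives a request to remove
    the look-alike NtmlSvc. An absent name raises instead of silently doing nothing.
    """
    if not any(v.lower() == name.lower() for v in values):
        raise ValueError(f"{name!r} is not in netsvcs; nothing removed")
    return [v for v in values if v.lower() != name.lower()]


def clean_netsvcs_on_windows(name: str, dry_run: bool = True) -> List[str]:
    """Assumed helper: apply the same edit to the live value (Windows, admin rights to write)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    access = winreg.KEY_READ | (0 if dry_run else winreg.KEY_SET_VALUE)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SVCHOST_KEY, 0, access) as key:
        values, kind = winreg.QueryValueEx(key, "netsvcs")
        if kind != winreg.REG_MULTI_SZ:
            raise RuntimeError("netsvcs is not REG_MULTI_SZ; refusing to touch it")
        cleaned = remove_service_from_multi_sz(values, name)
        if not dry_run:
            winreg.SetValueEx(key, "netsvcs", 0, winreg.REG_MULTI_SZ, cleaned)
    return cleaned


if __name__ == "__main__":
    flagged = netsvcs_extras(SAMPLE_LOG)
    print("non-default netsvcs entries:", flagged)
    # Constructed, abridged stand-in for the XP netsvcs value with the rogue name appended.
    netsvcs = ["6to4", "AppMgmt", "AudioSrv", "CryptSvc", "Ntmssvc", "wuauserv", "NtmlSvc"]
    for svc in flagged:
        netsvcs = remove_service_from_multi_sz(netsvcs, svc)
    print("netsvcs after the edit:", netsvcs)
```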


(Dj 007) #9

Here is the new ComboFix log

[quote]

ComboFix 07-06-18.2 - C:\Documents and Settings\Rafa\Moje dokumenty\ComboFix.exe

"Administrator" - 2007-07-02 14:51:13 - Dodatek Service Pack. 1 NTFS [SAFE MODE]

((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))

2007-07-02 13:39 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-27 13:03

2007-06-24 19:46

2007-06-15 15:23

2007-06-15 15:22

2007-06-13 22:44 68,226 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys

2007-06-07 22:42 707 --a------ C:\WINDOWS\unins000.dat

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-02 11:55:51 50,748 ----a-w C:\WINDOWS\system32\perfc015.dat

2007-07-02 11:55:51 358,702 ----a-w C:\WINDOWS\system32\perfh015.dat

2007-07-02 10:15:12 -------- d-----w C:\Program Files\Vl

2007-06-27 13:22:14 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-27 13:20:58 -------- d-----w C:\Program Files\Common Files\InstallShield

2007-06-20 17:08:51 -------- d-----w C:\Program Files\Winamp

2007-05-29 13:08:42 -------- d-----w C:\Program Files\Ahead

2007-05-29 13:08:35 -------- d-----w C:\Program Files\Common Files\Ahead

2007-05-27 12:24:25 -------- d-----w C:\Program Files\Microsoft.NET

2007-05-27 09:15:10 -------- d-----w C:\Program Files\microsoft frontpage

2007-05-19 08:45:09 464 ----a-w C:\WINDOWS\system32\DivX.dll

2007-05-15 16:38:56 -------- d-----w C:\Program Files\Gadu-Gadu

2007-05-02 13:52:03 119,767 ----a-w C:\WINDOWS\hpoins11.dat

2007-05-02 13:50:59 -------- d-----w C:\Program Files\Common Files\HP

2007-05-02 13:50:57 -------- d-----w C:\Program Files\HP

2007-05-02 13:34:09 -------- d-----w C:\Program Files\Hewlett-Packard

2007-05-02 13:33:14 -------- d-----w C:\Program Files\Common Files\Hewlett-Packard

2007-04-25 11:23:55 245,760 ------w C:\WINDOWS\Setup1.exe

2007-04-25 11:23:54 73,216 ------w C:\WINDOWS\ST6UNST.EXE

2007-04-21 14:40:52 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll

2007-04-21 14:40:41 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll

2007-04-21 14:40:11 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll

2007-04-21 14:39:56 45,056 ----a-w C:\WINDOWS\system32\ogg.dll

2007-04-21 14:39:54 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll

2007-04-21 14:38:58 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll

2007-04-21 14:38:49 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll

2007-04-21 14:38:45 755,200 ----a-w C:\WINDOWS\system32\ir50_32.dll

2007-04-20 16:25:22 0 --sha-r C:\MSDOS.SYS

2007-04-20 16:25:22 0 --sha-r C:\IO.SYS

2007-04-20 16:25:22 0 ----a-w C:\CONFIG.SYS

2007-04-20 16:25:22 0 ----a-w C:\AUTOEXEC.BAT

2007-04-20 16:22:07 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat

2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2003-09-24 13:32 C:\WINDOWS\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2003-08-15 09:34 C:\WINDOWS\SOUNDMAN.EXE]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 20:05]

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-02 14:53:24

Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

cmd.exe [1620]

? [1684]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-02 14:53:47

C:\ComboFix-quarantined-files.txt ... 2007-07-02 14:53

--- E O F ---

[/quote]


(adam9870) #10

It's OK now.

Minor cosmetics:

Start => Run => msconfig => Startup tab => you can untick the above.

If you don't use advanced text services, turn them off: Control Panel => Regional Options => Languages => Details => Advanced => tick "Turn off advanced text services".

Additionally, have a look at "Optimizing and slimming down Windows XP".


(Dj 007) #11

Something is still going on with the computer. After all this, the Local Area Connection icon doesn't show up when Windows starts, and in the Date and Time properties the month names have changed to English. Strange processes have appeared, including alg.exe, which run at logon.

There is one more problem. When I try to make a Silent Runners log, it shows an error after a while and I only get a partial Silent Runners log.

I'm posting this log just in case.

Logfile of HijackThis v1.99.1

Scan saved at 12:48, on 2007-07-03

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Rafał\Moje dokumenty\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]

"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)

\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{6D0E6651-1CD8-11d6-92C4-0003479E4848}" = "NVIDIA NT4 Multimon Control Panel Extension"

-> {HKLM...CLSID} = "NVIDIA NT4 Multimon Control Panel Extension"

\InProcServer32(Default) = "nvnt4cpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitu"

-> {HKLM...CLSID} = "Eksplorator pulpitu"

\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"

-> {HKLM...CLSID} = "Statystyki ochrony WWW"

\InProcServer32(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

\InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> klogon\DLLName = "C:\WINDOWS\System32\klogon.dll" ["Kaspersky Lab"]

HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll" ["Kaspersky Lab"]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll" ["Kaspersky Lab"]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSaveSettings" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|Desktop|

Don't save settings at exit}

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\Bąbelki.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\Bąbelki.bmp"

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]


(Agatonster) #12

Rafikk

Important notice about titling topics

Read the indicated topic carefully - among other things it covers pasting logs correctly - they must be enclosed in tags


(qrczak13) #13

Check Control Panel > Network Connections > right-click your connection > Properties > see whether "Show icon..." is ticked

Control Panel > Regional and Language Options > check that everything is set to Polish

that process is OK, it belongs to the Windows firewall.

Logs OK.

About the problems with Silent Runners, read:

http://www.searchengines.pl/phpbb203/index.php?showtopic=15989&st=0entry207029