Please check my log, because I suspect there is a virus.
Delete the file marked in red manually in Safe Mode with System Restore turned off, and fix the entries.
Show a log from ComboFix.
And where do I find this Combo Fix program?
ComboFix is available for download at http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
[quote]
Here is the log from ComboFix
2001-07-30 17:40 24576 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml3a.dll.vir
2007-05-05 12:35 767 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\RAFA~1\Pulpit\Internet Explorer.lnk.vir
2007-07-02 13:44 2702 --a------ C:\Qoobox\Quarantine\Registry_backups\services_gb.reg.cf
2007-07-02 13:44 966 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_GB.reg.cf
Zmienna PATH folderu
Numer seryjny woluminu: 71F5E346 E835:E27D
C:\QOOBOX
\---Quarantine
    +---C
    |   +---DOCUME~1
    |   |   \---RAFA~1
    |   |       \---Pulpit
    |   |               Internet Explorer.lnk.vir
    |   |
    |   \---WINDOWS
    |       \---system32
    |               msxml3a.dll.vir
    |
    \---Registry_backups
            LEGACY_GB.reg.cf
            services_gb.reg.cf
[/quote]
Please paste the contents of the file c:\combofix.txt. That is the file in which the log I asked you to show is created.
Here is the log:
[quote]
ComboFix 07-06-18.2 - C:\Documents and Settings\Rafa\Moje dokumenty\ComboFix.exe
"Administrator" - 2007-07-02 14:01:45 - Dodatek Service Pack. 1 NTFS [sAFE MODE]
((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))
2007-07-02 13:39 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-27 13:03
2007-06-24 19:46
2007-06-15 15:23
2007-06-15 15:22
2007-06-13 22:44 68,226 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
2007-06-07 22:42 707 --a------ C:\WINDOWS\unins000.dat
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-02 11:55:51 50,748 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-07-02 11:55:51 358,702 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-07-02 10:15:12 -------- d-----w C:\Program Files\Vl
2007-06-27 13:22:14 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-27 13:20:58 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-20 17:08:51 -------- d-----w C:\Program Files\Winamp
2007-05-29 13:08:42 -------- d-----w C:\Program Files\Ahead
2007-05-29 13:08:35 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-27 12:24:25 -------- d-----w C:\Program Files\Microsoft.NET
2007-05-27 09:15:10 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-19 08:45:09 464 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-15 16:38:56 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-02 13:52:03 119,767 ----a-w C:\WINDOWS\hpoins11.dat
2007-05-02 13:50:59 -------- d-----w C:\Program Files\Common Files\HP
2007-05-02 13:50:57 -------- d-----w C:\Program Files\HP
2007-05-02 13:34:09 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-02 13:33:14 -------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-04-25 11:23:55 245,760 ------w C:\WINDOWS\Setup1.exe
2007-04-25 11:23:54 73,216 ------w C:\WINDOWS\ST6UNST.EXE
2007-04-21 14:40:52 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll
2007-04-21 14:40:41 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll
2007-04-21 14:40:11 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
2007-04-21 14:39:56 45,056 ----a-w C:\WINDOWS\system32\ogg.dll
2007-04-21 14:39:54 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll
2007-04-21 14:38:58 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll
2007-04-21 14:38:49 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll
2007-04-21 14:38:45 755,200 ----a-w C:\WINDOWS\system32\ir50_32.dll
2007-04-20 16:25:22 0 --sha-r C:\MSDOS.SYS
2007-04-20 16:25:22 0 --sha-r C:\IO.SYS
2007-04-20 16:25:22 0 ----a-w C:\CONFIG.SYS
2007-04-20 16:25:22 0 ----a-w C:\AUTOEXEC.BAT
2007-04-20 16:22:07 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-09-24 13:32 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 09:34 C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 20:05]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
NtmlSvc
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 14:09:35
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS
scanning hidden processes ...
cmd.exe [1664]
? [1628]
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-02 14:10:08
C:\ComboFix-quarantined-files.txt ... 2007-07-02 14:09
-- E O F --
((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))
No new files created in this timespan
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-02 11:55:51 50,748 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-07-02 11:55:51 358,702 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-07-02 10:15:12 -------- d-----w C:\Program Files\Vl
2007-06-27 13:22:14 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-27 13:20:58 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-20 17:08:51 -------- d-----w C:\Program Files\Winamp
2007-05-29 13:08:42 -------- d-----w C:\Program Files\Ahead
2007-05-29 13:08:35 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-27 12:24:25 -------- d-----w C:\Program Files\Microsoft.NET
2007-05-27 09:15:10 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-19 08:45:09 464 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-15 16:38:56 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-02 13:52:03 119,767 ----a-w C:\WINDOWS\hpoins11.dat
2007-05-02 13:50:59 -------- d-----w C:\Program Files\Common Files\HP
2007-05-02 13:50:57 -------- d-----w C:\Program Files\HP
2007-05-02 13:34:09 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-02 13:33:14 -------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-04-25 11:23:55 245,760 ------w C:\WINDOWS\Setup1.exe
2007-04-25 11:23:54 73,216 ------w C:\WINDOWS\ST6UNST.EXE
2007-04-21 14:40:52 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll
2007-04-21 14:40:41 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll
2007-04-21 14:40:11 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
2007-04-21 14:39:56 45,056 ----a-w C:\WINDOWS\system32\ogg.dll
2007-04-21 14:39:54 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll
2007-04-21 14:38:58 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll
2007-04-21 14:38:49 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll
2007-04-21 14:38:45 755,200 ----a-w C:\WINDOWS\system32\ir50_32.dll
2007-04-20 16:25:22 0 --sha-r C:\MSDOS.SYS
2007-04-20 16:25:22 0 --sha-r C:\IO.SYS
2007-04-20 16:25:22 0 ----a-w C:\CONFIG.SYS
2007-04-20 16:25:22 0 ----a-w C:\AUTOEXEC.BAT
2007-04-20 16:22:07 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-09-24 13:32 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 09:34 C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-24 13:32]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 20:50]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 20:05]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
NtmlSvc
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 14:22:57
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-02 14:23:34
C:\ComboFix-quarantined-files.txt ... 2007-07-02 14:23
-- E O F --
[/quote]
Start -> Run -> regedit -> go to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
double-click the netsvcs value in the right-hand pane and, in the window that opens, delete the NtmlSvc entry, leaving the rest untouched.
After doing that, to be sure, you can paste a new ComboFix log.
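One way to do the same check and removal from PowerShell, as an added example that is not from the thread, from ComboFix or from the helper: it audits every name in the netsvcs group against the registered services (flagging names with no service key, as NtmlSvc would be, or whose ServiceDll lives outside System32), and removes one named entry after exporting a backup. It assumes a current Windows with PowerShell run as Administrator; the service name NtmlSvc is taken from the log above and everything else is illustrative.

```powershell
# Added example (not from the thread): audit the svchost "netsvcs" group the way the
# regedit steps above do, then remove one named entry from it with a backup first.
# Assumed: run as Administrator on a current Windows; "NtmlSvc" is the name seen in the
# ComboFix log above, all other names and paths are illustrative.

$SvchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-NetsvcsAudit {
    # netsvcs is a REG_MULTI_SZ listing the service names that "svchost.exe -k netsvcs" hosts.
    $names = (Get-ItemProperty -Path $SvchostKey -Name 'netsvcs').netsvcs
    foreach ($name in $names) {
        $svcPath = Join-Path $ServicesKey $name
        $status  = 'ok'
        $dll     = $null
        if (-not (Test-Path $svcPath)) {
            # Listed in the group but no service is registered under that name. Harmless on
            # its own, but a name you do not recognise (NtmlSvc in the thread) deserves a look.
            $status = 'no-service-key'
        } else {
            $paramPath = Join-Path $svcPath 'Parameters'
            if (Test-Path $paramPath) {
                $dll = (Get-ItemProperty -Path $paramPath -Name 'ServiceDll' -ErrorAction SilentlyContinue).ServiceDll
            }
            if ($dll) {
                $expanded = [Environment]::ExpandEnvironmentVariables($dll)
                $sysRoot  = [Environment]::GetFolderPath('System')   # e.g. C:\WINDOWS\system32
                if (-not $expanded.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)) {
                    # A netsvcs DLL outside System32 is the classic sign of a service that was
                    # slipped into the group so that svchost loads it at boot.
                    $status = 'dll-outside-system32'
                } elseif (-not (Test-Path $expanded)) {
                    $status = 'dll-missing'
                }
            }
        }
        [pscustomobject]@{ Name = $name; Status = $status; ServiceDll = $dll }
    }
}

function Remove-NetsvcsEntry {
    param([Parameter(Mandatory)][string]$Name)
    # Export the key first so the change can be reverted (regedit's File > Export does the same).
    $backup = Join-Path $env:TEMP ('svchost-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' $backup /y | Out-Null
    $current = (Get-ItemProperty -Path $SvchostKey -Name 'netsvcs').netsvcs
    if ($current -notcontains $Name) {
        Write-Host "'$Name' is not in netsvcs; nothing to do."
        return
    }
    # Keep every other entry exactly as it was; only the named one is dropped.
    $updated = @($current | Where-Object { $_ -ne $Name })
    Set-ItemProperty -Path $SvchostKey -Name 'netsvcs' -Value $updated -Type MultiString
    Write-Host "Removed '$Name' from netsvcs (backup: $backup)."
}

# Review the group before touching anything; only rows whose Status is not 'ok' need attention.
Get-NetsvcsAudit | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize

# Uncomment to carry out the fix described in the thread:
# Remove-NetsvcsEntry -Name 'NtmlSvc'
```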
Here is the new log from Combo Fix
[quote]
ComboFix 07-06-18.2 - C:\Documents and Settings\Rafa\Moje dokumenty\ComboFix.exe
"Administrator" - 2007-07-02 14:51:13 - Dodatek Service Pack. 1 NTFS [sAFE MODE]
((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))
2007-07-02 13:39 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-27 13:03
2007-06-24 19:46
2007-06-15 15:23
2007-06-15 15:22
2007-06-13 22:44 68,226 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
2007-06-07 22:42 707 --a------ C:\WINDOWS\unins000.dat
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-02 11:55:51 50,748 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-07-02 11:55:51 358,702 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-07-02 10:15:12 -------- d-----w C:\Program Files\Vl
2007-06-27 13:22:14 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-27 13:20:58 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-20 17:08:51 -------- d-----w C:\Program Files\Winamp
2007-05-29 13:08:42 -------- d-----w C:\Program Files\Ahead
2007-05-29 13:08:35 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-27 12:24:25 -------- d-----w C:\Program Files\Microsoft.NET
2007-05-27 09:15:10 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-19 08:45:09 464 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-15 16:38:56 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-02 13:52:03 119,767 ----a-w C:\WINDOWS\hpoins11.dat
2007-05-02 13:50:59 -------- d-----w C:\Program Files\Common Files\HP
2007-05-02 13:50:57 -------- d-----w C:\Program Files\HP
2007-05-02 13:34:09 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-02 13:33:14 -------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-04-25 11:23:55 245,760 ------w C:\WINDOWS\Setup1.exe
2007-04-25 11:23:54 73,216 ------w C:\WINDOWS\ST6UNST.EXE
2007-04-21 14:40:52 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll
2007-04-21 14:40:41 921,600 ----a-w C:\WINDOWS\system32\vorbisenc.dll
2007-04-21 14:40:11 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
2007-04-21 14:39:56 45,056 ----a-w C:\WINDOWS\system32\ogg.dll
2007-04-21 14:39:54 1,415,680 ----a-w C:\WINDOWS\system32\WMV9VCM.dll
2007-04-21 14:38:58 245,760 ----a-w C:\WINDOWS\system32\mplvpx.dll
2007-04-21 14:38:49 9,216 ----a-w C:\WINDOWS\system32\cpuinf32.dll
2007-04-21 14:38:45 755,200 ----a-w C:\WINDOWS\system32\ir50_32.dll
2007-04-20 16:25:22 0 --sha-r C:\MSDOS.SYS
2007-04-20 16:25:22 0 --sha-r C:\IO.SYS
2007-04-20 16:25:22 0 ----a-w C:\CONFIG.SYS
2007-04-20 16:25:22 0 ----a-w C:\AUTOEXEC.BAT
2007-04-20 16:22:07 21,856 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-09-24 13:32 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 09:34 C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 20:05]
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 14:53:24
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS
scanning hidden processes ...
cmd.exe [1620]
? [1684]
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-02 14:53:47
C:\ComboFix-quarantined-files.txt ... 2007-07-02 14:53
-- E O F --
[/quote]
It's OK now.
A little cosmetic tidying:
Start => Run => msconfig => Startup tab => you can untick the above.
If you don't use advanced text services, turn them off: Control Panel => Regional Options => Languages => Details => Advanced => tick "Turn off advanced text services".
Additionally, read through "Optymalizacja i odchudzanie Windowsa XP" (Optimising and slimming down Windows XP).
Something is still going on with the computer. After all this, the Local Area Connection icon doesn't appear when Windows starts, and in the Date and Time properties the months have changed to English. Strange processes have appeared, including alg.exe, which start during logon.
There is one more problem. When I try to make a log with Silent Runners, it shows me an error after a while and there is only a partial Silent Runners log.
I'm posting these logs just in case.
Logfile of HijackThis v1.99.1
Scan saved at 12:48, on 2007-07-03
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rafał\Moje dokumenty\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{6D0E6651-1CD8-11d6-92C4-0003479E4848}" = "NVIDIA NT4 Multimon Control Panel Extension"
-> {HKLM...CLSID} = "NVIDIA NT4 Multimon Control Panel Extension"
\InProcServer32(Default) = "nvnt4cpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitu"
-> {HKLM...CLSID} = "Eksplorator pulpitu"
\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"
-> {HKLM...CLSID} = "Statystyki ochrony WWW"
\InProcServer32(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\System32\klogon.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll" ["Kaspersky Lab"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll" ["Kaspersky Lab"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoSaveSettings" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|
Don't save settings at exit}
"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Bąbelki.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Bąbelki.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]
Rafikk
Important notice regarding topic titles
Read the indicated topic carefully - among other things it explains how to paste logs correctly - they must be wrapped in tags
Check Control Panel > Network Connections > right-click your connection > Properties > whether you have "Show icon..." ticked
Control Panel > Regional and Language Options > check whether you have Polish set everywhere
That process is OK; it belongs to the Windows firewall.
Logs OK.
Read about the problems with Silent Runners here:
http://www.searchengines.pl/phpbb203/index.php?showtopic=15989&st=0entry207029