Kageori
(Xellas)
2 November 2008 09:24
#1
Hi, I'd like to ask for a check of my log, since I recently had some trojan from a pendrive. I followed the instructions to get rid of it, but I have the impression that the computer still isn't running as it should. Maybe I'm just being oversensitive, but I'd rather be sure everything is OK.
The problem is that the computer (a laptop) very quickly goes to full CPU usage; it's enough to start one game/program/film and it's already "cooking". It isn't weak and none of these operations exceeds its capabilities (Core 2 Duo T7200 2.0 GHz, 2 GB RAM, ATI Radeon X1600 512 card), so I don't think it's caused by overloading; besides, it happens right after startup :/ ?
Yes, I know Firefox contributes to this, but when it's not in use the effect is the same.
I can also attach the ComboFix log, since it didn't fit because of the maximum number of characters in a post :)
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"AlcoholAutomount" = ""C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount" ["Alcohol Soft Development Team"]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"WITaj!" = "rem -- Anulowane uruchamianie programu WITaj! 2000" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"HControl" = "C:\WINDOWS\ATK0100\HControl.exe" [empty string]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Wireless Console 2" = "C:\Program Files\Wireless Console 2\wcourier.exe" [null data]
"IntelZeroConfig" = ""C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"" ["Intel Corporation"]
"IntelWireless" = ""C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" ["Intel Corporation"]
"EOUApp" = ""C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"" ["Intel Corporation"]
"Outpost Firewall" = "C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice" ["Agnitum"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"PCTAVApp" = ""C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN" ["PC Tools Research Pty Ltd"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
     \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
  -> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
     \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
     \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FDMIECookiesBHO Class"
     \InProcServer32\(Default) = "C:\Program Files\Free Download Manager\iefdm2.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
  -> {HKLM...CLSID} = "SpywareGuard.Handler"
     \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{D3796116-94D3-4009-96D7-51578411CC7D}" = "Outpost Shell Extension"
  -> {HKLM...CLSID} = "oshdlr.ShellHandler"
     \InProcServer32\(Default) = "C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll" ["Agnitum Ltd."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{45C6AFA5-2C13-402f-BC5D-45CC8172EF6B}" = "Bluetooth"
  -> {HKLM...CLSID} = "Wymiana informacji - Bluetooth"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\TosBtExt.dll" ["TOSHIBA"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
  -> {HKLM...CLSID} = "SpywareGuard.Handler"
     \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
<> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PCTAVShellExtension\(Default) = "{AEEAEC2D-7EE9-4C66-937C-80BF8B03FD54}"
  -> {HKLM...CLSID} = "PCTAVShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\PC Tools AntiVirus\PCTAVShellExtension.dll" ["PC Tools Research Pty Ltd"]
tosBtShllExt\(Default) = "{6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1}"
  -> {HKLM...CLSID} = "Bluetooth File Extenstion"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\TosBtShell.dll" ["TOSHIBA"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
PCTAVShellExtension\(Default) = "{AEEAEC2D-7EE9-4C66-937C-80BF8B03FD54}"
  -> {HKLM...CLSID} = "PCTAVShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\PC Tools AntiVirus\PCTAVShellExtension.dll" ["PC Tools Research Pty Ltd"]
tosBtShllExt\(Default) = "{6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1}"
  -> {HKLM...CLSID} = "Bluetooth File Extenstion"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\TosBtShell.dll" ["TOSHIBA"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) hex:0x00000000 {unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) hex:0x00000000 {unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"HideLegacyLogonScripts" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"HideStartupScripts" = (REG_DWORD) hex:0x00000000 {unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on}
"HideLegacyLogonScripts" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"HideStartupScripts" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000 {unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Lapik Xellci\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Lapik Xellci" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\Lapik Xellci\Menu Start\Programy\Autostart
"CPUCooL" -> shortcut to: "C:\Program Files\CPUCooL\CPUCooL.exe 1" [null data]
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]
"WITaj! 2000 (2)" -> shortcut to: "C:\Program Files\WITaj!\Wit2000.exe" ["Haudek"]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Bluetooth Manager" -> shortcut to: "C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{D0943516-5076-4020-A3B5-AEFAF26AB263}" = "Veoh Video Finder"
  -> {HKLM...CLSID} = "Veoh Browser Plug-in"
     \InProcServer32\(Default) = "C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll" ["Veoh Networks Inc"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
     \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
CPUCooLServer Service, CPUCooLServer, "C:\Program Files\CPUCooL\CooLSrv.exe" [null data]
Intel® PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Intel® PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Intel® PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation"]
Lavasoft Ad-Aware Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe"" ["Lavasoft"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Outpost Firewall Service, OutpostFirewall, "C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /service" ["Agnitum"]
PC Tools AntiVirus Engine, PCTAVSvc, ""C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe"" ["PC Tools Research Pty Ltd"]
StarWind AE Service, StarWindServiceAE, "C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]
TabletServicePen, TabletServicePen, "C:\WINDOWS\system32\Pen_Tablet.exe" ["Wacom Technology, Corp."]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]

----------
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points,
  use the -supp parameter or answer "No" at the first message box
  and "Yes" at the second message box.
----------
(total run time: 42 seconds, including 18 seconds for message boxes)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:50, on 2008-11-02
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\CPUCooL\CPUCooL.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=33568
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WITaj!] rem -- Anulowane uruchamianie programu WITaj! 2000
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: CPUCooL.lnk = C:\Program Files\CPUCooL\CPUCooL.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WITaj! 2000 (2).lnk = C:\Program Files\WITaj!\Wit2000.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s … wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51C9CC6A-A67B-4277-A8FF-B92ED63C5AE6}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 9531 bytes
The HJT log looks clean.
If so, download ComboFix, scan the system and post the log on the forum.
Paste the log at www.wklejto.pl or http://www.wklej.org/ and put only the link in your post.
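What "looks clean" means in practice for a HijackThis log: the helper reads the O4 (autostart), O23 (service) and O10 (Winsock LSP) lines looking for targets that don't resolve, vendors that are missing, and file names that aren't full paths, then checks those by hand. The script below is an added example, not code from this thread or from HijackThis, that does that first pass mechanically. Its sample input is constructed from lines that appear in the HJT log above (in HijackThis's own `HKLM\..\Run` spelling); the rule names `inert`, `unqualified-path`, `unknown-lsp` and `unknown-owner` are my own labels, and the code deliberately decides nothing about maliciousness, only what has to be verified.

```python
"""Triage a HijackThis 2.0.x log: list the O4/O10/O23 entries a helper
would check by hand before calling the log clean. Added example; the
sample log is constructed from lines in the thread's own HJT log."""
import re
from typing import List, Tuple

# (rule code, the detail the rule fired on, the original log line)
Finding = Tuple[str, str, str]

SAMPLE_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKCU\..\Run: [WITaj!] rem -- Anulowane uruchamianie programu WITaj! 2000
O4 - Global Startup: Bluetooth Manager.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""

O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): (?P<rest>.*)$")
O4_RUNVALUE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")   # registry Run value
O4_SHORTCUT = re.compile(r"^(?P<lnk>.+?) = (?P<cmd>.*)$")          # Startup-folder .lnk
# HJT separates display name, owner and path with " - " and quotes nothing,
# so a display name containing " - " would mis-split (none in this log does).
O23_LINE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def first_executable(cmd: str) -> str:
    """Program part of a Run-key command line: the quoted path, else the first token."""
    m = re.match(r'^"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_LINE.match(line):
            rest = m.group("rest")
            v = O4_RUNVALUE.match(rest) or O4_SHORTCUT.match(rest)
            if not v or not v.group("cmd").strip():
                continue
            cmd = v.group("cmd").strip()
            if cmd.lower().startswith("rem ") or cmd == "?":
                # "rem ..." is a disabled entry left behind; "?" means HJT could
                # not resolve the shortcut target. Neither runs code, both get a look.
                findings.append(("inert", cmd, line))
            elif "\\" not in first_executable(cmd):
                # A bare file name is resolved through the search path at logon:
                # confirm which file actually runs before trusting the vendor string.
                findings.append(("unqualified-path", first_executable(cmd), line))
        elif line.startswith("O10 - "):
            # An LSP HJT cannot identify. Here Silent Runners tagged the same DLL
            # [MS]; still verify the file (hash/signature), not just the name.
            findings.append(("unknown-lsp", line.split(": ", 1)[1], line))
        elif m := O23_LINE.match(line):
            if m.group("owner") == "Unknown owner":
                # No company name in the version resource: check signature/hash.
                findings.append(("unknown-owner", m.group("path"), line))
    return findings


if __name__ == "__main__":
    for code, detail, line in triage(SAMPLE_LOG):
        print(f"[{code:16}] {detail}\n    {line}")
```

Run it as-is and it prints five items for the sample: the bare `atiptaxx.exe`, the disabled `WITaj!` entry, the unresolvable `Bluetooth Manager.lnk`, the LSP and the `ATI Smart` service; everything else in the sample passes without comment. Feed it the whole log and the O4 line for `RTHDCPL.EXE` joins the list for the same reason as `atiptaxx.exe`.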
Gutek
(Gutek)
2 November 2008 10:23
#3
Follow this Thread and change the thread title to something specific, otherwise it goes in the BIN.
Regards, Gutek2222
Change to the rules for pasting logs on the forum - viewtopic.php?f=16&t=253052
Kageori
(Xellas)
2 November 2008 11:14
#4
http://wklej.org/id/14629/
So it's just me being oversensitive, then?
Gutek
(Gutek)
2 November 2008 11:22
#5
Paste into Notepad:
Driver::
dump_wmimmc
zlportio
>>File>>Save as... >>> CFScript (it's most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
-- like in this picture -->
(if the question "1 or 2" appears, type 1 and press ENTER). Removal should begin (and a log will be produced).
After the restart, manually delete the C:\Qoobox folder.
After that, a new ComboFix log and a scan at http://www.kaspersky.pl/virusscanner.html
Kageori
(Xellas)
2 November 2008 14:44
#6
Nothing popped up.
Log after running what you gave me: http://wklej.org/id/14692/
And I didn't understand: am I supposed to scan with ComboFix again?
What was supposed to be removed has been removed.
The log looks clean.
Manually delete the C:\Qoobox folder and the ComboFix installer from the disk.
Clean the system and the registry with CCleaner
Optimize the Autostart
Disable and re-enable System Restore on all drives. Instructions
Scan the My Computer area with Kaspersky Online Scanner. Run it under IE and post the report on the forum
or Dr.WEB CureIt!
Kageori
(Xellas)
3 November 2008 09:23
#8
But I don't have a RECYCLER file on D and H, so I'm a bit confused...
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, 3 November 2008
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.12
Last database update: Sunday, November 02, 2008 12:00:23
Number of records: 1367270

Scan settings
Database type used for scanning: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer
C:\
D:\
E:\
F:\
H:\

Scan statistics
Files scanned: 134196
Threat names: 8
Infected objects: 12
Suspicious objects: 0
Scan time: 01:52:48

File name / Threat name / Number of threats
C:\Documents and Settings\Lapik Xellci\DoctorWeb\Quarantine\A0070957.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
C:\Documents and Settings\Lapik Xellci\DoctorWeb\Quarantine\mirc62.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
C:\Program Files\Ashampoo\Ashampoo Magical Optimizer\quit_app.exe Infected: Trojan-Downloader.Win32.Delf.kao 1
D:\Programy instalki\Bezpieczeństwo\ashampoo_magicaloptimizer122(dobreprogramy.pl).exe Infected: Trojan-Downloader.Win32.Delf.kao 1
D:\Programy instalki\Bezpieczeństwo\SmitfraudFix.zip Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
D:\Programy instalki\Nowy folder\netcut.exe Infected: not-a-virus:NetTool.Win32.Netcut.b 1
D:\Programy instalki\Nowy folder\Netcut.rar Infected: not-a-virus:NetTool.Win32.Netcut.c 1
D:\Programy instalki\網路剪刀手(NetCut) v1.51完整繁體中文化免安裝版(1).rar Infected: not-a-virus:NetTool.Win32.Netcut.b 1
D:\Programy instalki\網路剪刀手(NetCut) v1.51完整繁體中文化免安裝版(1).rar Infected: not-a-virus:NetTool.Win32.Netcut.c 1
D:\RECYCLER\S-1-5-21-602162358-1606980848-682003330-1004\Dd133.zip Infected: not-a-virus:Downloader.Win32.VDown.a 1
D:\RECYCLER\S-1-5-21-602162358-1606980848-682003330-1004\Dd134.zip Infected: not-a-virus:Downloader.Win32.VDown.c 1
H:\RECYCLER\S-1-5-21-343818398-790525478-725345543-1004\Dh2.zip Infected: P2P-Worm.Win32.Polip.a 1

The selected area has been scanned.
Gutek
(Gutek)
3 November 2008 13:17
#9
Empty the Recycle Bin and delete the infected files and folders.
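To make the report above actionable in the way this reply asks, here is an added example (not part of the thread and not Kaspersky's own code) that parses the per-file lines, separates real detections (Trojan-Downloader, P2P-Worm) from Kaspersky's "not-a-virus" riskware class, and maps each file's location to the clean-up step: files under RECYCLER\<SID> are the drive's per-user Recycle Bin and go away when the bin is emptied, files under another scanner's Quarantine folder are already isolated, and the rest are deleted. The sample is constructed from entries in the report, with the Polish "Zainfekowany:" label rendered as "Infected:" (the parser accepts either spelling); the action strings are my own labels.

```python
"""Triage a Kaspersky Online Scanner 7 report into clean-up actions.
Added example; the sample report is constructed from the thread's own
detections, reduced to one line per distinct case."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_REPORT = r"""
C:\Documents and Settings\Lapik Xellci\DoctorWeb\Quarantine\A0070957.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
C:\Program Files\Ashampoo\Ashampoo Magical Optimizer\quit_app.exe Infected: Trojan-Downloader.Win32.Delf.kao 1
D:\Programy instalki\Bezpieczeństwo\ashampoo_magicaloptimizer122(dobreprogramy.pl).exe Infected: Trojan-Downloader.Win32.Delf.kao 1
D:\Programy instalki\Bezpieczeństwo\SmitfraudFix.zip Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
D:\Programy instalki\Nowy folder\netcut.exe Zainfekowany: not-a-virus:NetTool.Win32.Netcut.b 1
D:\RECYCLER\S-1-5-21-602162358-1606980848-682003330-1004\Dd133.zip Infected: not-a-virus:Downloader.Win32.VDown.a 1
H:\RECYCLER\S-1-5-21-343818398-790525478-725345543-1004\Dh2.zip Infected: P2P-Worm.Win32.Polip.a 1
"""

# "<path> Infected: <threat> <count>"; the English and Polish labels are both accepted.
ENTRY = re.compile(r"^(?P<path>.+?)\s+(?:Infected|Zainfekowany): (?P<threat>\S+)\s+(?P<count>\d+)$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def kind(self) -> str:
        # Kaspersky prefixes legitimate-but-risky tools (IRC clients, network
        # tools, reboot utilities) with "not-a-virus:"; everything else is malware.
        return "riskware" if self.threat.startswith("not-a-virus:") else "malware"

    @property
    def location(self) -> str:
        upper = self.path.upper()
        if "\\RECYCLER\\" in upper:
            return "recycle-bin"
        if "\\QUARANTINE\\" in upper:
            return "quarantine"
        return "live"


def parse_report(text: str) -> List[Detection]:
    out: List[Detection] = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append(Detection(m["path"], m["threat"], int(m["count"])))
    return out


def plan(detections: List[Detection]) -> Dict[str, List[str]]:
    """Group the detections by the clean-up step each one needs."""
    actions: Dict[str, List[str]] = defaultdict(list)
    for d in detections:
        if d.location == "recycle-bin":
            # RECYCLER\<SID> is the per-user Recycle Bin on that drive (a hidden
            # folder, which is why it is not visible in Explorer): empty the bin.
            actions["empty Recycle Bin (drive %s)" % d.path[0]].append(d.path)
        elif d.location == "quarantine":
            # Another scanner (here Dr.Web) already isolated it; remove its quarantine folder.
            actions["already quarantined by another scanner; delete that folder"].append(d.path)
        elif d.kind == "malware":
            # A hit under Program Files means the installed product carries it,
            # not only the downloaded installer: delete both and uninstall.
            actions["delete (uninstall the product if it lives under Program Files)"].append(d.path)
        else:
            actions["riskware/PUA: keep only if you installed it knowingly, else delete"].append(d.path)
    return dict(actions)


if __name__ == "__main__":
    for action, paths in plan(parse_report(SAMPLE_REPORT)).items():
        print(action)
        for p in paths:
            print("   ", p)
```

On the sample this yields one Recycle Bin to empty on each of D: and H: (the P2P-Worm on H: is covered by that alone), one Dr.Web quarantine folder to remove, the two Ashampoo files to delete with the product uninstalled, and two riskware tools (SmitfraudFix, NetCut) to keep or delete depending on whether the user put them there on purpose.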
Kageori
(Xellas)
6 November 2008 10:52
#10
Thank you; the removal took a while, but it helped.