"Windows has detected spyware infection" and restarts


(Witeck) #1

Hello!

I have a big problem... Recently my computer got infected with some damn trojan; a shield with a red cross appeared next to the clock with the caption "Windows has detected spyware infection". I dealt with that using an antivirus program and tools like "VundoFix" and "SmitfraudFix", removed a few things in "HijackThis", and that damn icon is gone now...

But the problem lies elsewhere... Ever since the icon problem appeared, Windows has been running very unstably: a blue screen keeps popping up and the computer restarts for no reason, at random moments, most often while I'm using the internet.

Throughout the fight to remove that icon my antivirus kept pointing at a virus in the file rsvp_2.dll in windows/system32 but could not remove it. I removed that file with the "LSPfix" tool. The problem did not go away, though. I'm asking for help because I no longer know what to do and I'd rather not format the computer...

Pasting the HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 22:30:58, on 2007-03-20

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avant Browser\avant.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Damian\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F3 - REG:win.ini: load=C:\YDPDict\watch.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1045 -noicon

O4 - HKLM\..\Run: [\\Kuba\EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P30 "\\Kuba\EPSON Stylus D88 Series" /O6 "USB001" /M "Stylus D88"

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKLM\..\Run: [sysxp] c:\windows\bfxtray.exe

O4 - HKLM\..\Run: [sysexec] c:\windows\webal.exe

O4 - HKLM\..\Run: [Svcs] C:\DOCUME~1\Damian\USTAWI~1\Temp\28776\explorer.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Przyspieszenie uruchomienia programu AutoCAD.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV USB 2.0\QuickTV.exe

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll

O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.sgnappo.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CCS\Services\Tcpip\..\{5E74115B-9F0C-46AC-9880-8F1E82769DAD}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CCS\Services\Tcpip\..\{8E6E8088-D0CA-4723-BD4D-412A8C3E7F23}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CS1\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CS2\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\ccnybdo.dll (file missing)

O21 - SSODL: XLXNrZnWS - {10F9C584-BA53-6F2E-3FC7-0E485212E594} - C:\WINDOWS\system32\oi.dll (file missing)

O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Ocpjgg32.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

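As an added example (not part of the original thread and not code from any of its participants): a small Python triage script that applies the four checks the responders in this thread end up acting on to a constructed subset of the log from post #1. It flags O4 Run entries whose executable sits in a Temp directory or directly in the Windows root, any O15 Trusted Zone entry, O17 NameServer values that are not private addresses (to be compared against the ISP or router DNS, not assumed malicious), and O21 SSODL entries whose DLL is missing. The heuristics and the "USTAWI~1" short-name assumption are mine, not the thread's.

```python
"""Triage a HijackThis 1.99 log for the entry types acted on in this thread.

Added example; the heuristics below are assumptions, not HijackThis rules.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in #1, verbatim.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [sysxp] c:\windows\bfxtray.exe
O4 - HKLM\..\Run: [sysexec] c:\windows\webal.exe
O4 - HKLM\..\Run: [Svcs] C:\DOCUME~1\Damian\USTAWI~1\Temp\28776\explorer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: www.sgnappo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\ccnybdo.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str
    line: str


# Assumption: "USTAWI~1" is the 8.3 short name of "Ustawienia lokalne"
# (Local Settings) on a Polish XP; "LOCALS~1" is its English counterpart.
TEMP_RE = re.compile(r"\\temp\\|\\ustawi~1\\|\\locals~1\\", re.I)
# An .exe directly under the Windows directory, not in a subfolder such as system32.
WINDIR_ROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O21_RE = re.compile(r"^O21 - SSODL: .*\(file missing\)$")


def _exe_path(cmd: str) -> str:
    """Return the executable path from a Run value (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = _exe_path(m["cmd"])
            if TEMP_RE.search(path):
                findings.append(Finding("O4", "autorun from a Temp directory", line))
            elif WINDIR_ROOT_EXE_RE.match(path):
                findings.append(Finding("O4", "autorun directly in the Windows root", line))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(Finding("O15", f"Trusted Zone {m['host']}: confirm the user added it", line))
            continue
        m = O17_RE.match(line)
        if m:
            public = [s for s in m["servers"].split(",") if not ipaddress.ip_address(s).is_private]
            if public:
                findings.append(Finding("O17", "NameServer " + ",".join(public) + ": verify against ISP/router DNS", line))
            continue
        if O21_RE.match(line):
            findings.append(Finding("O21", "ShellServiceObjectDelayLoad entry whose DLL is missing", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The script deliberately does not flag the O23 Kaspersky line: HijackThis 1.99.1 mis-parses the quoted `"...\avp.exe" -r` ImagePath and reports "(file missing)" even though the same avp.exe is running from the O4 entry, so a "(file missing)" rule limited to O21 avoids that false positive. Treat the O17 output as a prompt to check, not a verdict.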


(Gutek) #2

Remove the entries in HJT.

Use Pocket Killbox. Tick the Delete on Reboot and All Files options, and in the Full Path of File to Delete field paste the paths

c:\windows\bfxtray.exe

c:\windows\webal.exe

and press the red X. The program will ask to restart the computer... so restart.


(Witeck) #3

Hello again!

Gutek2222, thanks for the reply. I followed your instructions, but the problem hasn't gone away...

Below I'm pasting the new log. Do you have any other suggestions as to what might be wrong? Thanks in advance...

Logfile of HijackThis v1.99.1

Scan saved at 19:25:05, on 2007-03-22

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avant Browser\avant.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Documents and Settings\Damian\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F3 - REG:win.ini: load=C:\YDPDict\watch.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1045 -noicon

O4 - HKLM\..\Run: [\\Kuba\EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P30 "\\Kuba\EPSON Stylus D88 Series" /O6 "USB001" /M "Stylus D88"

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKLM\..\Run: [Svcs] C:\DOCUME~1\Damian\USTAWI~1\Temp\28776\explorer.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Przyspieszenie uruchomienia programu AutoCAD.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV USB 2.0\QuickTV.exe

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll

O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.sgnappo.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CCS\Services\Tcpip\..\{5E74115B-9F0C-46AC-9880-8F1E82769DAD}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CCS\Services\Tcpip\..\{8E6E8088-D0CA-4723-BD4D-412A8C3E7F23}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CS1\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CS2\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

(adam9870) #4

Remove the HJT entry.

Use ATF Cleaner and clean Current User Temp and All Users Temp.

When done, please post a new HijackThis log plus a SilentRunners log.


(Witeck) #5

Thanks for the tip! Of course I did everything as you told me, but it didn't solve the problem... A PAGE_FAULT_IN_NONPAGED_AREA blue screen still keeps popping up during any attempt to use Windows and the computer restarts. In Safe Mode it runs stably... Strangely, I can't create a log with SilentRunners; it throws a Windows Script Host error, "The provider cannot perform this operation"...

Posting a new HijackThis log... Please help, I'm close to formatting :-/

Logfile of HijackThis v1.99.1

Scan saved at 20:55:47, on 2007-03-22

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avant Browser\avant.exe

C:\WINDOWS\System32\WScript.exe

C:\Documents and Settings\Damian\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F3 - REG:win.ini: load=C:\YDPDict\watch.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1045 -noicon

O4 - HKLM\..\Run: [\\Kuba\EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P30 "\\Kuba\EPSON Stylus D88 Series" /O6 "USB001" /M "Stylus D88"

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Przyspieszenie uruchomienia programu AutoCAD.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV USB 2.0\QuickTV.exe

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll

O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.sgnappo.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CCS\Services\Tcpip\..\{5E74115B-9F0C-46AC-9880-8F1E82769DAD}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CCS\Services\Tcpip\..\{8E6E8088-D0CA-4723-BD4D-412A8C3E7F23}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CS1\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CS2\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

(adam9870) #6

The log is clean.

Paste a ComboScan log plus the contents of the minidump file:

http://cybertrash.pl/images/tata/ComboS ... oScan.html

http://forum.dobreprogramy.pl/viewtopic ... 977#797977


(Witeck) #7

ComboScan log:

ComboScan v20070306.20 run by Damian on 2007-03-22 at 21:20:13

Computer is in Safe Mode with Networking.

--------------------------------------------------------------------------------


-- System Restore --------------------------------------------------------------


Failed to create restore point; computer is in safe mode.



-- Last 5 Restore Point(s) --

51: 2007-03-20 19:28:09 UTC - RP158 - Zainstalowano Windows Installer KB893803v2.

50: 2007-03-19 19:10:55 UTC - RP157 - Punkt kontrolny systemu

49: 2007-03-18 17:34:51 UTC - RP156 - Punkt kontrolny systemu

48: 2007-03-17 16:19:21 UTC - RP155 - Punkt kontrolny systemu

47: 2007-03-15 18:47:56 UTC - RP154 - Punkt kontrolny systemu



-- First Restore Point -- 

1: 2007-01-13 19:59:46 UTC - RP108 - Punkt kontrolny systemu



Performed disk cleanup.



-- HijackThis (run as Damian.exe) ----------------------------------------------


Logfile of HijackThis v1.99.1

Scan saved at 21:20:54, on 2007-03-22

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avant Browser\avant.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Damian\Moje dokumenty\comboscan.exe

C:\DOCUME~1\Damian\Pulpit\HIJACK~1\Damian.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F3 - REG:win.ini: load=C:\YDPDict\watch.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1045 -noicon

O4 - HKLM\..\Run: [\\Kuba\EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P30 "\\Kuba\EPSON Stylus D88 Series" /O6 "USB001" /M "Stylus D88"

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Przyspieszenie uruchomienia programu AutoCAD.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV USB 2.0\QuickTV.exe

O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll

O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.sgnappo.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CCS\Services\Tcpip\..\{5E74115B-9F0C-46AC-9880-8F1E82769DAD}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CCS\Services\Tcpip\..\{8E6E8088-D0CA-4723-BD4D-412A8C3E7F23}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CS1\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O17 - HKLM\System\CS2\Services\Tcpip\..\{0FCCF15D-4470-48FD-A8C6-86B4A582856C}: NameServer = 62.94.144.232,151.13.150.22

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



-- HijackThis Fixed Entries (C:\DOCUME~1\Damian\Pulpit\HIJACK~1\backups\) ------


backup-20070318-112455-511 O1 - Hosts: 0.0.1 free.xxxcounter.com

backup-20070318-114112-122 O1 - Hosts: 127.0. mt21.mtree.com

backup-20070318-114112-125 O1 - Hosts: persky-labs.com

backup-20070318-114112-154 O1 - Hosts: porthelp.com

backup-20070318-114112-155 O1 - Hosts: banners.sextracker.com

backup-20070318-114112-158 O1 - Hosts: mt33.mtree.com

backup-20070318-114112-166 O1 - Hosts: porthelp.com

backup-20070318-114112-170 O1 - Hosts: 127.0. mt21.mtree.com

backup-20070318-114112-171 O1 - Hosts: 127.com

backup-20070318-114112-176 O1 - Hosts: .0.1 st[Marketing Extensions Inc][Adware.AdShooter]om

backup-20070318-114112-186 O1 - Hosts: 127.0. mt21.mtree.com

backup-20070318-114112-198 O1 - Hosts: 127.0. mt21.mtree.com

backup-20070318-114112-200 O1 - Hosts: .0.1 st[Marketing Extensions Inc][Adware.AdShooter].adshooter.com

backup-20070318-114112-215 O1 - Hosts: 127.0. mt21.mtree.com

backup-20070318-114112-228 O1 - Hosts: ee.com

backup-20070318-114112-240 O1 - Hosts: porthelp.com

backup-20070318-114112-262 O1 - Hosts: 127.0..1 counter6.sextracker.com

backup-20070318-114112-269 O1 - Hosts: racker.com

backup-20070318-114112-275 O1 - Hosts: 127.

backup-20070318-114112-298 O1 - Hosts: 127.0.0e.cf.mtreexxx.net

backup-20070318-114112-307 O1 - Hosts: yresponse.symantec.com

backup-20070318-114112-312 O1 - Hosts: 127.0.0e.cf.mtreexxx.net

backup-20070318-114112-319 O1 - Hosts: 127.0. mt21.mtree.com

backup-20070318-114112-322 O1 - Hosts: yresponse.symantec.com

backup-20070318-114112-323 O1 - Hosts: 127.0.07.0.0mtree.com

backup-20070318-114112-326 O1 - Hosts: racker.com

backup-20070318-114112-355 O1 - Hosts: 127.0. mt21.mtree.com

backup-20070318-114112-358 O1 - Hosts: racker.com

backup-20070318-114112-369 O1 - Hosts: banners.sextracker.com

backup-20070318-114112-373 O1 - Hosts: persky-labs.com

backup-20070318-114112-390 O1 - Hosts: persky-labs.com

backup-20070318-114112-393 O1 - Hosts: banners.sextracker.com

backup-20070318-114112-418 O1 - Hosts: mt33.mtree.com

backup-20070318-114112-422 O1 - Hosts: racker.com

backup-20070318-114112-428 O1 - Hosts: yresponse.symantec.com

backup-20070318-114112-431 O1 - Hosts: tree.com

backup-20070318-114112-440 O1 - Hosts: 127.0.0e.cf.mtreexxx.net

backup-20070318-114112-442 O1 - Hosts: yresponse.symantec.com

backup-20070318-114112-455 O1 - Hosts: .0.1 st[Marketing Extensions Inc][Adware.AdShooter]

backup-20070318-114112-462 O1 - Hosts: yresponse.symantec.com

backup-20070318-114112-468 O1 - Hosts: 127.0.0e.cf.mtreexxx.net

backup-20070318-114112-474 O1 - Hosts: porthelp.com

backup-20070318-114112-506 O1 - Hosts: 127.0.07.0.0mtree.com

backup-20070318-114112-511 O1 - Hosts: .0.1 st[Marketing Extensions Inc][Adware.AdShooter].adshooter.com

backup-20070318-114112-531 O1 - Hosts: banners.sextracker.com

backup-20070318-114112-533 O1 - Hosts: persky-labs.com

backup-20070318-114112-539 O1 - Hosts: tree.com

backup-20070318-114112-555 O1 - Hosts: porthelp.com

backup-20070318-114112-563 O1 - Hosts: 127.0. mt21.mtree.com

backup-20070318-114112-570 O1 - Hosts: racker.com

backup-20070318-114112-571 O1 - Hosts: banners.sextracker.com

backup-20070318-114112-572 O1 - Hosts: 127.0.

backup-20070318-114112-575 O1 - Hosts: racker.com

backup-20070318-114112-586 O1 - Hosts: 127.0..1 counter6.sextracker.com

backup-20070318-114112-587 O1 - Hosts: .0.1 st[Marketing Extensions Inc][Adware.AdShooter]

backup-20070318-114112-591 O1 - Hosts: 127.0.07.0.0mtree.com

backup-20070318-114112-602 O1 - Hosts: mt33.mtree.com


backup-20070318-114530-159 O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe

backup-20070318-114530-242 O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe

backup-20070318-114530-939 O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe

backup-20070320-211351-130 O1 - Hosts: .com

backup-20070320-211351-258 O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll (file missing)

backup-20070320-211351-264 O1 - Hosts: .com

backup-20070320-211351-273 O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe

backup-20070320-211351-307 O1 - Hosts: .com

backup-20070320-211351-318 O1 - Hosts: .com

backup-20070320-211351-394 O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

backup-20070320-211351-397 O1 - Hosts: .com

backup-20070320-211351-401 O1 - Hosts: .com

backup-20070320-211351-475 O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe

backup-20070320-211351-493 O1 - Hosts: .com

backup-20070320-211351-596 O1 - Hosts: .com

backup-20070320-211351-702 O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe

backup-20070320-211351-749 O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)

backup-20070320-211351-750 O4 - HKCU\..\Run: [adirka] C:\WINDOWS\system32\adirka.exe

backup-20070322-190357-309 O21 - SSODL: XLXNrZnWS - {10F9C584-BA53-6F2E-3FC7-0E485212E594} - C:\WINDOWS\system32\oi.dll (file missing)

backup-20070322-190357-540 O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\ccnybdo.dll (file missing)

backup-20070322-190357-593 O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Ocpjgg32.dll (file missing)

backup-20070322-190357-761 O4 - HKLM\..\Run: [sysexec] c:\windows\webal.exe

backup-20070322-190357-843 O4 - HKLM\..\Run: [sysxp] c:\windows\bfxtray.exe

backup-20070322-203643-300 O4 - HKLM\..\Run: [Svcs] C:\DOCUME~1\Damian\USTAWI~1\Temp\28776\explorer.exe


-- File Associations -----------------------------------------------------------


.bat - batfile - "%1" %*

.chm - chm.file - "C:\WINDOWS\hh.exe" %1

.cmd - cmdfile - "%1" %*

.com - comfile - "%1" %*

.exe - exefile - "%1" %*

.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1

.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1

.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1

.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*

.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}

.pif - piffile - "%1" %*

.reg - regfile - regedit.exe "%1"

.scr - AutoCADScriptFile - "C:\WINDOWS\system32\notepad.exe" "%1"

.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1

.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*



-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------


3S aksusb (Aladdin USB Key) - C:\WINDOWS\system32\drivers\aksusb.sys

3S ALCXWDM (Service for Realtek AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\alcxwdm.sys

0S AmdAcpi (AmdAcpi Bus Filter Driver) - C:\WINDOWS\system32\DRIVERS\AmdAcpi.sys (not found)

1S amdtools (AMD Special Tools Driver) - C:\WINDOWS\system32\DRIVERS\amdtools.sys (not found)

3S ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys

3S AVCamUSB20 (AVerTV USB 2.0) - C:\WINDOWS\system32\drivers\AVTVCsMini20.sys

3S CCDECODE (Dekoder napisów) - C:\WINDOWS\system32\drivers\CCDECODE.sys

3S cportclm - C:\DOCUME~1\Damian\USTAWI~1\Temp\cportclm.sys (not found)

0R d347bus - C:\WINDOWS\system32\drivers\d347bus.sys

0R d347prt - C:\WINDOWS\system32\drivers\d347prt.sys

2S driverpp (Plug and Play Support Driver) - C:\WINDOWS\system32\msdrives\driverpp.sys (not found)

3S ENTECH - C:\WINDOWS\system32\drivers\Entech.sys

3S HidUsb (Sterownik Microsoft klasy HID) - C:\WINDOWS\system32\drivers\hidusb.sys

0S kl1 - C:\WINDOWS\system32\drivers\kl1.sys

3S klif - C:\WINDOWS\system32\drivers\klif.sys

2S MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - C:\WINDOWS\system32\drivers\mdc8021x.sys

3S mouhid (Sterownik myszy HID) - C:\WINDOWS\system32\drivers\mouhid.sys

3S MSTEE (Konwerter strumieni Tee/Sink-to-Sink Microsoft Streaming) - C:\WINDOWS\system32\drivers\MSTEE.sys

3S ms_mpu401 (Sterownik portu MIDI UART Microsoft MPU-401) - C:\WINDOWS\system32\drivers\msmpu401.sys

3R MTsensor (ATK0110 ACPI UTILITY) - C:\WINDOWS\system32\drivers\ASACPI.sys

3S NABTSFEC (Koder-dekoder NABTS/FEC VBI) - C:\WINDOWS\system32\drivers\NABTSFEC.sys

3S NdisIP (Połączenie TV/wideo firmy Microsoft) - C:\WINDOWS\system32\drivers\ndisip.sys

3S NPDriver (Norton Unerase Protection Driver) - C:\WINDOWS\system32\drivers\NPDRIVER.SYS

0R nvata - C:\WINDOWS\system32\drivers\nvata.sys

3S NVENETFD (NVIDIA nForce Networking Controller Driver) - C:\WINDOWS\system32\drivers\NVENETFD.sys

3R nvnetbus (NVIDIA Network Bus Enumerator) - C:\WINDOWS\system32\drivers\nvnetbus.sys

0R PxHelp20 - C:\WINDOWS\system32\drivers\PxHelp20.sys

3R RT2400 (RT2400 Wireless Driver) - C:\WINDOWS\system32\drivers\RT2400.sys

3S SDdriver - C:\WINDOWS\system32\drivers\SdDriver.SYS

0R sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - C:\WINDOWS\system32\drivers\sfsync04.sys

3S SLIP (BDA Slip De-Framer) - C:\WINDOWS\system32\drivers\slip.sys

3S streamip (BDA IPSink) - C:\WINDOWS\system32\drivers\streamip.sys

3S SymEvent - C:\Program Files\Symantec\SYMEVENT.SYS

3S TSP - C:\WINDOWS\system32\drivers\klif.sys

3S Usb20Scan (USB 2.0 Still Image) - C:\WINDOWS\system32\drivers\cresscan.sys

3S usbaudio (Sterownik audio USB (WDM)) - C:\WINDOWS\system32\drivers\USBAUDIO.sys

3S usbccgp (Rodzajowy sterownik nadrzędny USB Microsoft) - C:\WINDOWS\system32\drivers\usbccgp.sys

3R usbehci (Sterownik Miniport rozszerzonego kontrolera hosta USB 2.0 Microsoft) - C:\WINDOWS\system32\drivers\usbehci.sys

3R usbohci (Sterownik Miniport otwartego kontrolera hosta USB Microsoft) - C:\WINDOWS\system32\drivers\usbohci.sys

3S usbscan (Sterownik skanera USB) - C:\WINDOWS\system32\drivers\usbscan.sys

3S USBSTOR (Sterownik magazynu masowego USB) - C:\WINDOWS\system32\drivers\usbstor.sys

0R Vax347b - C:\WINDOWS\system32\drivers\Vax347b.sys

0R Vax347s - C:\WINDOWS\system32\drivers\Vax347s.sys

3S WFIOCTL - C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS (not found)

2S wincom32 - C:\WINDOWS\system32\wincom32.sys

1R WS2IFSL (Środowisko wspomagające dostawcę usług innych niż IFS - Windows Socket 2.0) - C:\WINDOWS\system32\drivers\ws2ifsl.sys

3S WSTCODEC (Kodery-dekodery teletekstu w standardzie światowym) - C:\WINDOWS\system32\drivers\WSTCODEC.SYS



-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------


3S aspnet_state (Usługa stanu ASP.NET) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe

2S Ati HotKey Poller - C:\WINDOWS\system32\Ati2evxx.exe

2S ATI Smart - C:\WINDOWS\system32\ati2sgag.exe

3S Autodesk Licensing Service - "C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"

2S AVP (Kaspersky Anti-Virus 6.0) - "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r

2S NProtectService (Norton Unerase Protection) - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

3S SCardDrv (Pomocnik karty inteligentnej) - C:\WINDOWS\System32\SCardSvr.exe

2S Speed Disk service - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

2S StarWindService (StarWind iSCSI Service) - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

2S UleadBurningHelper (Ulead Burning Helper) - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

3S UMWdf (Struktura sterowników trybu użytkownika w systemie Windows) - C:\WINDOWS\system32\wdfmgr.exe



-- Scheduled Tasks -------------------------------------------------------------


2007-03-22 21:03:44 414 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job

2007-03-11 00:00:00 310 --a------ C:\WINDOWS\Tasks\Symantec Drmc.job

2006-12-15 23:14:13 282 --a------ C:\WINDOWS\Tasks\Funkcja One Button Checkup pakietu Norton SystemWorks.job



-- Files created between 2007-02-22 and 2007-03-22 -----------------------------


2007-03-22 19:04:26 0 d-------- C:\!KillBox

2007-03-20 19:55:48 58557 --a------ C:\WINDOWS\system32\via.exe

2007-03-20 19:54:09 46592 --a------ C:\WINDOWS\system32\zlbw.dll

2007-03-20 19:08:04 79360 --a------ C:\WINDOWS\system32\swxcacls.exe

2007-03-20 19:08:04 40960 --a------ C:\WINDOWS\system32\swsc.exe

2007-03-20 19:08:04 135168 --a------ C:\WINDOWS\system32\swreg.exe

2007-03-20 19:08:04 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-03-20 19:08:04 53248 --a------ C:\WINDOWS\system32\Process.exe

2007-03-20 19:08:04 51200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-03-19 19:40:47 7357 --a------ C:\WINDOWS\system32\dd.exe

2007-03-19 19:40:46 7416 --a------ C:\WINDOWS\system32\adirss.exe

2007-03-19 19:40:45 7357 --a------ C:\WINDOWS\system32\sm.exe

2007-03-19 19:40:10 58616 --a------ C:\WINDOWS\system32\adirka.exe

2007-03-19 19:39:53 55424 --a------ C:\WINDOWS\system32\wincom32.sys

2007-03-18 14:34:39 3374 --a------ C:\WINDOWS\system32\tmp.reg

2007-03-18 00:54:02 0 d-------- C:\VundoFix Backups

2007-03-17 23:36:32 0 d-------- C:\WINDOWS\system32\msdrives

2007-03-17 23:28:04 15136 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2007-03-17 23:28:04 1399584 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2007-03-17 23:18:17 7416 --a------ C:\WINDOWS\system32\lnwin.exe

2007-03-17 23:18:06 3 --a------ C:\WINDOWS\system32\sfxzmtwbmail.dll

2007-03-17 23:18:06 3 --a------ C:\WINDOWS\system32\sfxzmtsmtspm.dll

2007-03-17 23:18:06 3 --a------ C:\WINDOWS\system32\sfxzmtsmt.dll

2007-03-17 23:18:06 3 --a------ C:\WINDOWS\system32\sfxzmtforum.dll

2007-03-17 23:18:06 47 --a------ C:\WINDOWS\system32\pfxzmtymsg.dll

2007-03-17 23:18:06 47 --a------ C:\WINDOWS\system32\pfxzmtwbmail.dll

2007-03-17 23:18:06 3 --a------ C:\WINDOWS\system32\pfxzmtsmtspm.dll

2007-03-17 23:18:06 3 --a------ C:\WINDOWS\system32\pfxzmtsmt.dll

2007-03-17 23:18:06 47 --a------ C:\WINDOWS\system32\pfxzmticq.dll

2007-03-17 23:18:06 47 --a------ C:\WINDOWS\system32\pfxzmtgtal.dll

2007-03-17 23:18:06 47 --a------ C:\WINDOWS\system32\pfxzmtforum.dll

2007-03-17 23:18:06 47 --a------ C:\WINDOWS\system32\pfxzmtaim.dll

2007-03-17 23:18:04 58557 --a------ C:\WINDOWS\via.exe

2007-03-17 23:18:01 37565 --a------ C:\WINDOWS\pp.exe

2007-03-17 23:17:57 8704 --a------ C:\WINDOWS\system32\sporder.dll

2007-03-04 21:32:50 0 d-------- C:\Program Files\Scan2CADv7

2007-03-04 21:32:41 0 d-------- C:\WINDOWS\Scan2CAD v7

2007-03-04 17:16:51 17408 --a------ C:\WINDOWS\system32\drivers\aksusb.sys

2007-03-04 17:16:42 0 d-------- C:\Program Files\Integram

2007-03-04 17:13:57 284160 --a------ C:\WINDOWS\unin0415.exe



-- Find3M Report ---------------------------------------------------------------


2007-03-20 21:50:41 0 d-------- C:\Program Files\Deluxe Ski Jump 3

2007-03-20 21:46:58 0 d-------- C:\Program Files\Kaspersky Lab

2007-03-20 21:24:51 0 d-------- C:\Program Files\Mozilla Firefox

2007-03-20 20:46:02 0 d-------- C:\Documents and Settings\Damian\Dane aplikacji\Azureus

2007-03-19 20:45:19 0 d-------- C:\Documents and Settings\Damian\Dane aplikacji\Adobe

2007-03-18 16:13:43 0 d-------- C:\Program Files\GetRight

2007-03-18 16:13:42 0 d-------- C:\Program Files\Morpheus

2007-03-18 16:13:42 0 d-------- C:\Program Files\Messenger

2007-03-18 00:50:15 0 d-------- C:\Documents and Settings\Damian\Dane aplikacji\Webroot

2007-03-18 00:03:46 0 d-------- C:\Program Files\Tweak-XP Pro 4

2007-03-17 23:18:51 0 d---s---- C:\Documents and Settings\Damian\Dane aplikacji\Microsoft

2007-02-26 20:39:30 0 d-------- C:\Program Files\Gadu-Gadu

2007-02-14 20:49:27 0 d-------- C:\Program Files\Test Inteligencji

2007-02-05 21:49:32 0 d-------- C:\Program Files\Słownik

2007-02-01 20:37:41 0 d-------- C:\Program Files\MediMedia



-- Registry Dump ---------------------------------------------------------------



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""

"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_01\\bin\\jusched.exe"

"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1045 -noicon"

"\\\\Kuba\\EPSON Stylus D88 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIABE.EXE /P30 \"\\\\Kuba\\EPSON Stylus D88 Series\" /O6 \"USB001\" /M \"Stylus D88\""

"SoundMan"="SOUNDMAN.EXE"

"kav"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""

@=""

"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\

  65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{2C1CD3D7-86AC-4068-93BC-A02304B60787}"="DCOM Server 60787"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"


[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0

LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService	REG_MULTI_SZ DnsCache\0\0

DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

rpcss	REG_MULTI_SZ RpcSs\0\0

imgsvc	REG_MULTI_SZ StiSvc\0\0

termsvcs	REG_MULTI_SZ TermService\0\0



[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]

Shell\AutoRun\command	G:\CDStart.Exe

Shell\Install\Command	G:\navsetup.exe


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20e5d5cf-3e63-11da-aba8-806d6172696f}]

Shell\AutoRun\command	F:\ASUSACPI.exe



-- End of ComboScan: finished at 2007-03-22 at 21:21:20 ------------------------

In a moment I will try to upload the contents of the minidump file. I may have some problems with that, because the program refuses to install in Safe Mode, and in normal mode I sometimes can't do anything because the system crashes on me right away...

I'm also giving the error number that comes up: ***STOP: 0x00000050 (0xE116C00, 0x00000000, 0x80537002, 0x00000001)


(adam9870) #8

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All files >>> save it under the name FIX.BAT

Download Gmer.

From now on you will be working in Gmer, so run it, wait a moment, and click the >>> tab to open the remaining tabs.

In the Processes tab choose Gmer Safe Mode (Gmer awaryjny) >>> the computer will restart and only the Gmer window will remain >>> in the Processes tab, via ... (three dots), point to the FIX.BAT file >>> after a moment the screen will flash and the machine will reset.

Once done, paste a new ComboScan log plus two Gmer logs made with these settings:

  1. Rootkit tab >>> everything checked except Show all >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into the post

  2. Rootkit tab >>> only Services and Show all checked >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into the post

If all the logs don't fit directly into the post, put them on some hosting service as *.txt files and just link to them here.

http://forum.dobreprogramy.pl/viewtopic.php?t=96929


(adam9870) #9

Download The Avenger. Unpack it => run it => select the option Input script manually => click the magnifying glass => in the window that opens, paste:

=> Click the Done button => now click the green light => a message should appear; click OK (it restarts now).

After the reset a window may appear for literally a few seconds, along with a log in Notepad. Go to where you have Avenger and delete the file backup.zip, i.e. for example c:\avenger\backup.zip.

Once done, paste a new ComboScan log, the two Gmer logs (note: put them on some hosting service as *.txt files and only link to them here) and the contents of the file c:\avenger.txt


(Witeck) #10

Hello again!

I ran Avenger the way you told me... Below I'm linking the new logs from ComboScan, Gmer and Avenger...

http://chatham.republika.pl/avenger.txt

http://www.chatham.republika.pl/ComboScan.txt

http://www.chatham.republika.pl/Nowy1.txt

http://www.chatham.republika.pl/Nowy2.txt

P.S. Since the last actions the system has been running stably for 15 minutes :) I have never managed that long before, because a blue screen always came up, so it seems everything is on the right track :) I'll test it for a while longer and let you know how the computer behaves... For now, MANY THANKS!!!


(adam9870) #11

Download The Avenger. Unpack it => run it => select the option Input script manually => click the magnifying glass => in the window that opens, paste:

=> Click the Done button => now click the green light => a message should appear; click OK (it restarts now).

After the reset a window may appear for literally a few seconds, along with a log in Notepad. Go to where you have Avenger and delete the file backup.zip, i.e. for example c:\avenger\backup.zip.

Once done, paste new logs.


(Witeck) #12

Hello again!

I ran Avenger once again as instructed and I'm pasting all the logs again:

http://chatham.republika.pl/avenger.txt

http://www.chatham.republika.pl/ComboScan.txt

http://www.chatham.republika.pl/Gmer1.txt

http://www.chatham.republika.pl/Gmer2.txt

All the Avenger operations, as well as generating the logs, were done this time from normal mode.

Since yesterday the system has been running stably, it hasn't hung even once, so it seems everything is back to normal :-)

Please review the logs once more, and if there are still any suspicious entries, please let me know...

And in the meantime, once again MANY THANKS! It saved my system from a format, and I was already close to doing that :-)