igorrr
(Mariusz W)
23 June 2007 16:49
#1
Hello,
Yesterday a trojan festival started on my computer: the NOD32 antivirus kept detecting an attempt to connect to (or to download, I no longer remember exactly what it was called) some trojan (more precisely, every 10 minutes or so, several attempts in a row). Scanning the disk with the antivirus removed a few viruses, but the problem kept coming back. I did a scan with HijackThis and found a few odd things that I could see no reason for being running (e.g. some *.exe files with names made up of strange strings of digits and letters, bravesentry, etc.). I deleted all of that in Safe Mode and the problem with connecting to trojans disappeared... but it disappeared together with the desktop wallpaper :). On top of that I now keep getting a balloon in the lower right corner of the screen with the text from the thread title; clicking it does nothing (as I have just noticed on some other forum, it is probably generated by some trojan). For now I have no idea what to do with this. I am asking for help. Please, help!
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:33:40, on 2007-06-23
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\Documents and Settings\dr A. Kula\Pulpit\gg zapas\Gadu-Gadu\gg.exe
C:\Windows\xpupdate.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\dr A. Kula\Pulpit\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [system] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Documents and Settings\dr A. Kula\Pulpit\gg zapas\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13D7BFB9-6579-4F97-92D8-49FDDB653724}: NameServer = 139.163.85.247
O17 - HKLM\System\CCS\Services\Tcpip\..\{88279020-BBD3-484F-A49A-8D0243E1E51D}: NameServer = 139.163.85.247
O17 - HKLM\System\CS1\Services\Tcpip\..\{13D7BFB9-6579-4F97-92D8-49FDDB653724}: NameServer = 139.163.85.247
O17 - HKLM\System\CS2\Services\Tcpip\..\{13D7BFB9-6579-4F97-92D8-49FDDB653724}: NameServer = 139.163.85.247
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 4352 bytes
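An added triage helper, written for this thread and not part of the original post or of HijackThis itself: it parses the O4 Run and O17 NameServer lines in the format HijackThis uses, taking the entries from the log above as constructed sample input, and lists for manual verification the autostarts whose binary sits directly in the Windows directory under a value name unrelated to the file name, together with the configured DNS servers to compare against the ISP's. The heuristic is my own assumption, a review aid rather than a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: O4/O17 lines copied from the HijackThis log posted in the
# thread ("\..\" is HijackThis's own abbreviation of the full registry path).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [system] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Documents and Settings\dr A. Kula\Pulpit\gg zapas\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{13D7BFB9-6579-4F97-92D8-49FDDB653724}: NameServer = 139.163.85.247
O17 - HKLM\System\CS1\Services\Tcpip\..\{13D7BFB9-6579-4F97-92D8-49FDDB653724}: NameServer = 139.163.85.247
"""

# Registry Run autostarts ("Global Startup" O4 lines have no "\..\Run:" and are skipped).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Per-interface DNS servers; HijackThis lists several servers comma-separated.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def executable_from_command(cmd: str) -> str:
    """Return the program path from a Run value: the quoted part if quoted,
    otherwise the first whitespace-delimited token (HijackThis quotes paths with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split()[0]


def directly_under_windows(path: str) -> bool:
    """True if the file sits directly in the Windows directory or its System32
    subfolder (not deeper), where dropped binaries commonly hide among system files."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if len(parts) < 3 or parts[1] != "windows":
        return False
    return len(parts) == 3 or (len(parts) == 4 and parts[2] == "system32")


def name_matches_binary(value_name: str, path: str) -> bool:
    """Legitimate autostarts usually name the value after the binary (nod32kui, CTFMON.EXE)."""
    p = PureWindowsPath(path)
    return value_name.lower() in (p.name.lower(), p.stem.lower())


def triage_hjt(log_text: str) -> dict:
    """Collect Run autostarts and DNS servers from an HJT log and mark the autostarts that
    meet the heuristic (assumption: binary placed straight into the Windows directory under
    a value name unrelated to its file name). The result is a review list, not a verdict."""
    review, all_runs, nameservers = [], [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_from_command(m.group("cmd"))
            entry = {"hive": m.group("hive"), "name": m.group("name"), "exe": exe}
            all_runs.append(entry)
            if directly_under_windows(exe) and not name_matches_binary(entry["name"], exe):
                review.append(entry)
            continue
        m = O17_RE.match(line)
        if m:
            nameservers.update(s.strip() for s in m.group("servers").split(","))
    return {"autostarts": all_runs, "review": review, "nameservers": sorted(nameservers)}


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_HJT_LOG)
    for e in result["review"]:
        print(f"verify autostart [{e['name']}] -> {e['exe']}")
    for ns in result["nameservers"]:
        print(f"verify DNS server {ns} against the ISP's or router's configured resolver")
```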
arekmalek
(arekmalek)
23 June 2007 17:11
#2
Fix the entries in HJT in Safe Mode; delete the files marked in red, also in Safe Mode.
slake
(Slake1)
23 June 2007 17:38
#3
Post a log from the stable version of HijackThis.
Also add logs from Silent Runners and ComboFix.
igorrr
(Mariusz W)
23 June 2007 21:11
#4
arekmalek: thanks, it helped with what I described!
One problem remains now: Windows starts up like this: first the desktop loads with the wallpaper I set but without icons, the computer loads something, and after a while the icons appear but the wallpaper disappears; in its place a blue background appears. Besides, I have the impression that everything runs slower, but that may be autosuggestion... I don't know whether this is just the result of registry entries that got changed somehow, a leftover from the infection, or whether something nasty is still running on my computer.
Here is the log, this time from Silent Runners.
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Documents and Settings\dr A. Kula\Pulpit\gg zapas\Gadu-Gadu\gg.exe" /tray" ["sms-express.com "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
  \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
  -> {HKLM...CLSID} = "BitComet Helper"
       \InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO.dll" ["BitComet"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
       \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
       \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
       \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
       \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{4FED14EE-8086-4b0c-A0DE-C27042ED1296}" = "PDFTransformer2ContextMenu"
  -> {HKLM...CLSID} = "PDFTransformer2.PDFTContextMenu.1"
       \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 2.0\PDFTContextMenu.dll" ["ABBYY Software"]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
       \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
       \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
       \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
PDFTransformer2ContextMenu\(Default) = "{4FED14EE-8086-4b0c-A0DE-C27042ED1296}"
  -> {HKLM...CLSID} = "PDFTransformer2.PDFTContextMenu.1"
       \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 2.0\PDFTContextMenu.dll" ["ABBYY Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
       \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktop" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Disable Active Desktop}
"ClassicShell" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Enable Classic Shell / Turn on Classic Shell}
"ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Enable Active Desktop}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Wallpaper" = (REG_SZ) C:\WINDOWS\desktop.html
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Active Desktop Wallpaper|Wallpaper Name:}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\dr A. Kula\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dr A. Kula\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "dr A. Kula" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 24
%SystemRoot%\system32\mswsock.dll [MS], 06 - 09, 12 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
       \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
       \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

LightScribeService Direct Disc Labeling Service, LightScribeService, "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
doPDF Desktop 5 Monitor\Driver = "dopdfmn5.dll" ["Softland"]
PDF-XChange\Driver = "C:\WINDOWS\System32\pxc25pm.dll" ["Tracker Software"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 374 seconds.
---------- (total run time: 1993 seconds)
igorrr
(Mariusz W)
27 June 2007 17:37
#6
OK. Everything looks fine now; only one problem remains. While the instant messengers (GG, chats) work normally, the rest of the internet somehow doesn't want to cooperate with me. Pages don't load, and I keep getting "server not found"... Sometimes a page comes up on the second or third try, but as soon as I click any link it's again "cannot connect to the server, check that the page name is correct". I see no other explanation: something is sitting in my computer and the antivirus apparently doesn't see it. Do you see it? Here are the logs from Silent Runners:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Documents and Settings\dr A. Kula\Pulpit\gg zapas\Gadu-Gadu\gg.exe" /tray" ["sms-express.com "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
  \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
  -> {HKLM...CLSID} = "BitComet Helper"
       \InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO.dll" ["BitComet"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
       \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
       \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
       \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
       \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{4FED14EE-8086-4b0c-A0DE-C27042ED1296}" = "PDFTransformer2ContextMenu"
  -> {HKLM...CLSID} = "PDFTransformer2.PDFTContextMenu.1"
       \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 2.0\PDFTContextMenu.dll" ["ABBYY Software"]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
       \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
       \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
       \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
PDFTransformer2ContextMenu\(Default) = "{4FED14EE-8086-4b0c-A0DE-C27042ED1296}"
  -> {HKLM...CLSID} = "PDFTransformer2.PDFTContextMenu.1"
       \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 2.0\PDFTContextMenu.dll" ["ABBYY Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
       \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"ClassicShell" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Enable Classic Shell / Turn on Classic Shell}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\dr A. Kula\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dr A. Kula\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "dr A. Kula" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 24
%SystemRoot%\system32\mswsock.dll [MS], 06 - 09, 12 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
       \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
       \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

LightScribeService Direct Disc Labeling Service, LightScribeService, "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
doPDF Desktop 5 Monitor\Driver = "dopdfmn5.dll" ["Softland"]
PDF-XChange\Driver = "C:\WINDOWS\System32\pxc25pm.dll" ["Tracker Software"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 354 seconds.
---------- (total run time: 2218 seconds)
And ComboFix:
"dr A. Kula" - 07-06-27 18:02:35 Dodatek Service Pack. 1
ComboFix 07-04-25.4V - Running from: "C:\ComboFix

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\qoobox\purity\C\Program Files\CURITY~1
C:\qoobox\purity\C\Program Files\DOBE~1
C:\qoobox\purity\C\Program Files\MCROSO~1
C:\qoobox\purity\C\Program Files\SSTEM3~1
C:\qoobox\purity\C\Program Files\YSTEM~1
C:\qoobox\purity\C\Program Files\Common Files\ASEMBL~1
C:\qoobox\purity\C\Program Files\Common Files\CROSOF~1.NET
C:\qoobox\purity\C\Program Files\Common Files\DOBE~1
C:\qoobox\purity\C\Program Files\Common Files\ICROSO~1
C:\qoobox\purity\C\Program Files\Common Files\ICROSO~1.NET
C:\qoobox\purity\C\Program Files\Common Files\RACLE~1
C:\qoobox\purity\C\Program Files\Common Files\TSKS~1
C:\qoobox\purity\C\Program Files\Common Files\WNSXS~1
C:\qoobox\purity\C\WINDOWS\CROSOF~1
C:\qoobox\purity\C\WINDOWS\ICROSO~1
C:\qoobox\purity\C\WINDOWS\MANTEC~1
C:\qoobox\purity\C\WINDOWS\RACLE~1
C:\qoobox\purity\C\WINDOWS\RACLE~2
C:\qoobox\purity\C\WINDOWS\YSTEM~1
C:\qoobox\purity\C\WINDOWS\system32\ASKS~1
C:\qoobox\purity\C\WINDOWS\system32\ASKS~2
C:\qoobox\purity\C\WINDOWS\system32\CURITY~1
C:\qoobox\purity\C\WINDOWS\system32\FNTS~1
C:\qoobox\purity\C\WINDOWS\system32\ICROSO~1.NET
C:\qoobox\purity\C\WINDOWS\system32\PPATCH~1
C:\qoobox\purity\C\WINDOWS\system32\PPPATC~1
C:\qoobox\purity\C\WINDOWS\system32\WNSXS~1

((((((((((((((((((((((((((((((( Files Created from 2007-05-27 to 2007-06-27 ))))))))))))))))))))))))))))))))))

2007-06-23 19:58 347,253 --a------ C:\Silent Runners.vbs
2007-06-13 22:01
2007-06-13 12:52 16 --a------ C:\WINDOWS\system32\msvcsv60.dll
2007-06-13 12:52 16 --a------ C:\WINDOWS\msocreg32.dat
2007-06-13 12:32
2007-06-13 12:32
2007-06-03 15:50
2007-05-31 18:11 774,144 --a------ C:\WINDOWS\MTUn1636.exe
2007-05-31 18:11
2007-05-31 11:58
2007-05-31 11:57
2007-05-30 18:14

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-13 22:35 -------- d-------- C:\Program Files\alien connections
2007-06-13 12:33 -------- d--h----- C:\Program Files\installshield installation information
2007-06-13 12:33 -------- d-------- C:\Program Files\vstplugins
2007-05-30 20:40 -------- d-------- C:\Program Files\mirc
2007-05-21 18:38 133751 --a------ C:\WINDOWS\system32\alt.exe
2007-05-16 14:38 -------- d-------- C:\Program Files\audio wav to mp3 converter
2007-05-05 20:05 49910 --a------ C:\WINDOWS\system32\perfc015.dat
2007-05-05 20:05 356068 --a------ C:\WINDOWS\system32\perfh015.dat
2007-05-05 00:01 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-05-05 00:01 298104 --a------ C:\WINDOWS\system32\imon.dll
2007-05-05 00:01 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-05-04 20:51 -------- d-------- C:\Program Files\winamp
2007-05-04 20:39 -------- d-------- C:\Program Files\foobar2000
2007-04-18 11:47 21656 --a------ C:\WINDOWS\system32\dopdfmn5.dll
2007-04-18 11:47 17048 --a------ C:\WINDOWS\system32\dopdfmi5.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} C:\Program Files\BitComet\tools\BitCometBHO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"=""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Gadu-Gadu"=""C:\Documents and Settings\dr A. Kula\Pulpit\gg zapas\Gadu-Gadu\gg.exe" /tray"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-27 18:05:59
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-06-27 18:06:52
C:\ComboFix-quarantined-files.txt ... 07-06-27 18:06
adam9870
(adam9870)
27 June 2007 18:02
#7
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.BAT and run it in Safe Mode.
Scan the system with the online antivirus scanner available at http://www.ewido.net/de/onlinescan/
Once that is done, you can paste a fresh ComboFix log to be sure.
igorrr
(Mariusz W)
28 June 2007 07:12
#8
Thanks for trying, but unfortunately it didn't help. That scanner did detect and remove a few infections that NOD32 hadn't seen, but web pages still don't load, or only load on the second or third attempt… The other computer on the same router doesn't have this problem, so it must be something on my machine.
ComboFix log.
"dr A. Kula" - 07-06-28 8:36:23 Dodatek Service Pack. 1
ComboFix 07-04-25.4V - Running from: "C:\ComboFix"

((((((((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 ))))))))))))))))))))))))))))))))))

2007-06-27 20:39 154 --a------ C:\poprawka.bat
2007-06-23 19:58 347,253 --a------ C:\Silent Runners.vbs
2007-06-13 22:01
2007-06-13 12:52 16 --a------ C:\WINDOWS\system32\msvcsv60.dll
2007-06-13 12:52 16 --a------ C:\WINDOWS\msocreg32.dat
2007-06-13 12:32
2007-06-13 12:32
2007-06-03 15:50
2007-05-31 18:11
2007-05-31 11:58
2007-05-31 11:57
2007-05-30 18:14

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-13 22:35 -------- d-------- C:\Program Files\alien connections
2007-06-13 12:33 -------- d--h----- C:\Program Files\installshield installation information
2007-06-13 12:33 -------- d-------- C:\Program Files\vstplugins
2007-05-30 20:40 -------- d-------- C:\Program Files\mirc
2007-05-16 14:38 -------- d-------- C:\Program Files\audio wav to mp3 converter
2007-05-05 20:05 49910 --a------ C:\WINDOWS\system32\perfc015.dat
2007-05-05 20:05 356068 --a------ C:\WINDOWS\system32\perfh015.dat
2007-05-05 00:01 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-05-05 00:01 298104 --a------ C:\WINDOWS\system32\imon.dll
2007-05-05 00:01 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-05-04 20:51 -------- d-------- C:\Program Files\winamp
2007-05-04 20:39 -------- d-------- C:\Program Files\foobar2000
2007-04-18 11:47 21656 --a------ C:\WINDOWS\system32\dopdfmn5.dll
2007-04-18 11:47 17048 --a------ C:\WINDOWS\system32\dopdfmi5.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} C:\Program Files\BitComet\tools\BitCometBHO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"=""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Gadu-Gadu"=""C:\Documents and Settings\dr A. Kula\Pulpit\gg zapas\Gadu-Gadu\gg.exe" /tray"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 09:02:21
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-06-28 9:03:39
C:\ComboFix-quarantined-files.txt ... 07-06-28 09:03
C:\ComboFix2.txt ... 07-06-27 18:17
qrczak13
(qrczak13)
28 June 2007 18:14
#9
Download Windows Worms Doors Cleaner, set the indicators to green; NetBIOS may stay yellow.
A restart is required after using the tool.
Log OK.
Scan with online scanners